Hello,

I just installed XOOPS on my server a few weeks ago, built my site, and officially launched it a few days ago. I went out of town for the weekend and came back to a site that's apparently been hacked (today, I believe).

All the ftp files appear to be okay. The problem is with the MySQL database. The hacker messed around with 3 tables (2 tables associated with newbb and 1 table associated with smartfaq). I basically lost all my postings and forums for those two modules. Whoever did this also installed almost 100 databases that's not accounted for in my cpanel summary. All my MySQL usernames have been deleted, and I'm unable to create any new usernames (it says it's been created, but it doesn't show up in the MySQL admin afterwards).

Did I leave something open for this to happen? How can I prevent this in the future? I have an IP address associated with this and have placed it on the banned users list, but I'm not sure if this will prevent it from happening again. I'm new to this, so any help would be much appreciated.

Also, I've written to my host and am awaiting a reply.

Thanks!

Hi,

Sorry to hear about your database being hacked. If you used standard modules and an updated core installation, you probably did nothing wrong.

In order to create database a hacker needs a username and password that is not stored anywhere in the XOOPS configuration.

I hope your host will have a clue to what happened, so they can patch the leak.

Thanks for the reply.

I have XOOPS 2.0.10 installed, the latest version of smartfaq, and the version of newbb that came with the 2.0.10 installation.

So, this may have been a security flaw on the host/server side of things? I suppose that may explain why only the database was hacked and not the files on the site itself.

I remember having to enter a username and password for the XOOPS database when installing Xoops. If it's not stored anywhere in Xoops, where is it stored?

The XOOPS database username and password are stored in the XOOPS configuration, but with that account you cannot create new databases.

How did you find out that are 100 databases? Did you find them in phpMyAdmin?

Okay. So the username and password you're referring to would have to be the cpanel username and password (since it's what you'd need to create a database). That's a little scary. Someone has way too much time on their hands.

Yes, I found it through phpmyadmin. It's strange, though, because it's not reflected (the 100 databases that were added) in the MySQL admin summary page. I only see those databases when I'm in phpmyadmin.

Yes, it could very well be that this person has your cpanel username & password, but perhaps your host could give you better answers on that. I hope that you can recover your data.

This unfortunate incident has not been caused by the XOOPS system or it's configuration. As mentioned, you should contact your host for further details and log information.

For the time being, if you are still able to log into your main cpanel account, all is not lost. All you need to do is delete the extra DB's, and restore your existing DB's to what they were before.

A word of advice on creating DB's. Always create a new username and password and DB name for every DB you use, so that you have more control over your environment.

Start using the site backup tools provided for you in cpanel. CRON jobs can do the task quite simply once you get more familiar with web environments and how they can be worked.

Good luck.

My host has replied and said that the errors I was experiencing was due to MySQL server issues. I was able to get my tables restored, and all is well with the site now. I wonder if these "server issues" is a different way of saying that the site was hacked through the host/server end.

Glad to hear, though, that it wasn't XOOPS or anything I may have done.