1
martyboy
Help Needed ASAP, looks like ive been hacked? but how?
  • 2005/9/23 17:24

  • martyboy

  • Quite a regular

  • Posts: 256

  • Since: 2004/5/25


Hi,

I am looking for some help. If you visit my site MJTKOP.COM you will see that all the content seems to be pushed over to the left, and if you view mjtkop.com/home/index.php with IE then there seems to be some syntax error on line 74 (bottom left of the IE window).

Also, when I log in I get a blank page at admin.php. Have I been hacked? I have no idea what has happened; my site was working fine last night.

Anyone got any suggestions on how I should proceed? I really need to get into the admin menu so I can close the site down till I've figured out what's gone wrong.

Thanks for your help.

*Please read the third post*
Michael Jackson = King Of Pop

Xoops = King Of CMS

2
martyboy
Re: Help Needed ASAP, looks like ive been hacked? but how?
  • 2005/9/23 17:28

  • martyboy

  • Quite a regular

  • Posts: 256

  • Since: 2004/5/25


Hi,

I also have another XOOPS site hosted on the same shared hosting account as an addon domain, http://www.michaeljosephjackson.net/main/. If you go there, there's also a blank page. Going to http://www.michaeljosephjackson.net/main/user.php reveals the same thing as before: everything seems pushed over to the left.

Could this have been some sort of issue with my host or server that could have caused this?

Thanks for your help
Michael Jackson = King Of Pop

Xoops = King Of CMS

3
martyboy
Re: Help Needed ASAP, looks like ive been hacked? but how?
  • 2005/9/23 17:50

  • martyboy

  • Quite a regular

  • Posts: 256

  • Since: 2004/5/25


On checking my index.php page again I noticed this link added onto one of the links in the partners block:

Quote:
oxygen 2.21 nokia crack


It now appears that somehow I have been hacked, but how? I thought XOOPS was secure, I am the only admin of the site and no one else has any admin or module admin rights?

I will contact my host to see if they can shed any light.

In the meantime, is there a way I might get back into admin.php (blank page)? I have a backup of my XOOPS db made using the backup module, but I don't know how to go about installing the backup through phpMyAdmin or anything. If anyone can help it would be greatly appreciated.

*****

I've alerted my webhost. I've also password protected the XOOPS install, in case you try to visit the site and wonder what's going on.

Cheers.
Michael Jackson = King Of Pop

Xoops = King Of CMS

4
kaotik
Re: Help Needed ASAP, site gone a bit wrong?
  • 2005/9/23 18:05

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


There is a known vuln in XOOPS below 2.0.13 that involves xml-rpc. There is exploit code floating around the net that allows any script kiddy to easily compromise your server.
If you were running a version below 2.0.13 then you were probably hit with this.

For everyone reading this:
If you're running a XOOPS version below 2.0.13, UPDATE NOW!!!!
www.kaotik.biz

5
martyboy
Re: Help Needed ASAP, site gone a bit wrong?
  • 2005/9/23 18:07

  • martyboy

  • Quite a regular

  • Posts: 256

  • Since: 2004/5/25


Hi, I'm running XOOPS 2.0.13.1. I think that's the updated version that patched that vulnerability. There must be something else maybe?

Thanks for your help
Michael Jackson = King Of Pop

Xoops = King Of CMS

6
kaotik
Re: Help Needed ASAP, looks like ive been hacked? but how?
  • 2005/9/23 18:08

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


Are you running Protector? You could check its log file.
www.kaotik.biz

7
martyboy
Re: Help Needed ASAP, looks like ive been hacked? but how?
  • 2005/9/23 18:17

  • martyboy

  • Quite a regular

  • Posts: 256

  • Since: 2004/5/25


Hi Kaotik,

Yes, I have Protector installed, but I cannot access the admin area. I just get a blank page when I try to go to the admin area. Is there any other way to view the Protector logs?

For your information, this is the code that seems to have been inserted into the partners block. I have no idea how they managed to mess my site up that bad though.

<a href="http://simplykrissyoriginals.com/oxygen%2B2.21%2Bnokia%2Bcrack.php" class=giepoaytr target=_blank>oxygen 2.21 nokia crack</a>


I'm hoping that my host will go through the logs and find the culprit and ban them from the entire server.

Until then I have no idea how to fix my site. I'm waiting to see if my host has a recent backup they will install. I have db backups but the newest is 3 days old and I don't know how to install it.

Thanks.
Michael Jackson = King Of Pop

Xoops = King Of CMS

8
davidl2
Re: Help Needed ASAP, looks like ive been hacked? but how?
  • 2005/9/23 18:20

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


It may be a hole somewhere else - and not on Xoops...

9
martyboy
Re: Help Needed ASAP, looks like ive been hacked? but how?
  • 2005/9/23 18:27

  • martyboy

  • Quite a regular

  • Posts: 256

  • Since: 2004/5/25


Quote:
by davidl2 on 2005/9/23 19:20:40

It may be a hole somewhere else - and not on Xoops...


True, but I have another XOOPS install on the server that has been affected the same way. The only other PHP thing I have on the server is one of these mobile content kits from www.mediaplazza.com. It's all PHP pages but it requires no SQL database; however, this does not seem to be affected. You can see it here: http://mobileworld.mjtkop.com

Thanks.
Michael Jackson = King Of Pop

Xoops = King Of CMS

10
martyboy
Re: Help Needed ASAP, looks like ive been hacked? but how?
  • 2005/9/23 19:34

  • martyboy

  • Quite a regular

  • Posts: 256

  • Since: 2004/5/25


Hi,

I managed to get back into the admin area by deleting adminmenu.php in /cache.

What seems to have happened is this: the ugly, greasy hackers seem to have added their code, <a href links to various crackz, warez sites, into the partners block and into 2 custom html blocks I had on the front page. As soon as I updated the module html in admin, the front page went back to normal and this also removed the links to these sites from the blocks. So everything seems fine now and was pretty easy to fix.

The big question is, and I'm hoping someone here will have some sort of answer because I'm really curious: how did they manage to do this? A hole in XOOPS? (doubtful) A hole in the shared server? Maybe, but would I get my host to admit to this? Maybe not. I would love to know how they did this, at least so I can make sure it won't happen again.

I would like to state also that this little incident in no way makes me doubtful of XOOPS. XOOPS is an excellent CMS, I have been using it for a long time now and I will continue to use it. XOOPS kicks ass. Even if this does turn out to be a hole in XOOPS I will still use it because it's the best. Unfortunately these script kiddies have no life whatsoever and are constantly coming up with new stuff to attack sites with. Sad Gits.
Michael Jackson = King Of Pop

Xoops = King Of CMS
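
An added example, not part of the thread and not XOOPS code: one way to spot the kind of link injection described in posts 7 and 10 is to scan each block's stored HTML for links to hosts you never added. It assumes the block HTML has already been exported (for instance from a database backup) into a dict; the allowlist, the block names and the `injected.example` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the site owner links to on purpose (hypothetical allowlist).
TRUSTED_HOSTS = {"mjtkop.com", "www.mjtkop.com", "xoops.org", "www.xoops.org"}


class LinkCollector(HTMLParser):
    """Collect (href, link text) pairs from one block's HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def unexpected_links(blocks, trusted=TRUSTED_HOSTS):
    """Return (block, host, text) for each absolute link to an untrusted host."""
    findings = []
    for name, html in blocks.items():
        parser = LinkCollector()
        parser.feed(html)
        parser.close()
        for href, text in parser.links:
            host = (urlsplit(href).hostname or "").lower()
            if host and host not in trusted:  # relative links have no host
                findings.append((name, host, text))
    return findings


# Constructed sample: block HTML as it might look in a database export.
SAMPLE_BLOCKS = {
    "partners": '<a href="http://www.xoops.org/">XOOPS</a>'
                '<a href="http://injected.example/x.php" class=giepoaytr '
                'target=_blank>oxygen 2.21 nokia crack</a>',
    "custom_html_1": '<p>Welcome</p><a href="/home/index.php">Home</a>',
}
```

Running `unexpected_links(SAMPLE_BLOCKS)` reports only the injected anchor in the partners block; comparing the same output across dated backups shows when a link first appeared.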
