I am administering a XOOPS 1.3.10 page on the address www.legalis.hr

Problems started couple of days ago when page refused to load and every time blocked an Internet Explorer.

First I thought that there are some problems with hosting firm. I conntacted tech support and they notified me that I have a virus in httpdocs folder that is overwriting a index.php file of a page and is spreading to the visitors computers that way. I have checked there and found several new files there: help.zip (probably the source of virus), new Index.php (80 kb instead of 3kb), and files named: a.php, a.pl and a.asp. Same thing happend in the httpdocs => class folder with the small difference that here an Index.html file was changed same way.

Page works again after I delete those files and overwrite index.php with the original file, but within couple of hours same thing happens again. Last time (fifth time) couple of other folders and all their subfolders become infected too.

Tech support notified me that that way I am spreading virus to all the visitors of the page that do not posses an adequate antivirus protection.

I tried to search more information about that type of virus and infection on the web but found nothing useful.


Please help.

Are you on a shared server? Are there other accounts on that server? Then it's a big possibility that the whole server is compromised. The malicious script is probably infecting other websites on that server too.

Have your tech support look into this! They need to find the point of entry, where the malicious script resides and how it got there.

Herko

Thanks Herko,

that is a shared server. See what tech support says:

Message 1:
The file /home/httpd/vhosts/legalis.hr/httpdocs/index.php contains or is trying to load a virus. Our anti-virus system picked it up immediately when trying to load your site. A few files and folders on your site were modified on 01/02/2006 and I see old files from 2003. I believe you are using an old version of xoops. If so, it probably has security vulnerabilities which someone exploited to gain access and modify files on your domain. Please always keep your scripts up to date to avoid situations like this.

Any visitors to your site over the past couple of days, who are not running any anti-virus software, will have been infected with the virus.


Message 2:

Unfortunately we cannot trace how the script was exploited. I suggest either upgrading the XOOPS installation or stop using it as it will more than likely occur again now that hackers are aware of your vulnerable installation.


I do not know what to think anymore. Originally that was 1.3.8 instalation upgraded to 1.3.9. When that happend I patched it to 1.3.10 but same thing is happening again.

Site is Hosted with a preety high tech US hosting company and I beleive that they posess quite good virus protection.

Thanks for any suggestion.

Why aren't you using XOOPS 2.0.x at least?

Quite simple reason. Site was built at 1.3.
And worked fine for couple of years.