1
dwhitten
Hacked twice today - help.
  • 2006/8/19 21:09

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Hi guys,

www.horseshowsrus.ca was finally hacked. The first time I found the XSS refresh tags in the xoops_config table. I removed them and installed protector. I got hacked again.

Before I waste my time, what should I do? I am running 2.0.13.

Thanks,
Deb

2
zyspec
Re: Hacked twice today - help.
  • 2006/8/19 21:19

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


Here's what I think I'd do as a start:

1) Upgrade to 2.0.14. There were some security fixes in addition to other things.

2) Check directory and file rights to make sure they're what they should be.

3) Check the users in the database to make sure there isn't a user with administrator rights that you aren't expecting.

4) Check the forums for information on the modules you have installed to see if there are vulnerabilities that have been identified. You might want to post the modules you use here (along with their versions) so the community can help you do some of the research.

5) Check your web logs to see if you can see where the attack came from and ban the IP.

6) Contact your web host to see if they can help you identify how the attack occurred (to make sure it wasn't through the server instead of through Xoops).
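Step 3 above and the refresh tags reported in the first post can be checked with two queries. The sketch below is an added example, not part of the original thread or of XOOPS: it assumes the default `xoops_` table prefix and admin group id 1, and runs against constructed rows in an in-memory SQLite stand-in for the site's MySQL database.

```python
import re
import sqlite3

ADMIN_GROUP_ID = 1  # assumption: the stock XOOPS webmasters group
# Markup that has no business in a site-preference value.
SUSPICIOUS = re.compile(r"<\s*(meta|script|iframe)\b|http-equiv", re.I)

def build_sample_db():
    """Constructed rows in an in-memory SQLite stand-in for the MySQL tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE xoops_config (conf_id INTEGER, conf_name TEXT, conf_value TEXT);
        CREATE TABLE xoops_users (uid INTEGER, uname TEXT);
        CREATE TABLE xoops_groups_users_link (groupid INTEGER, uid INTEGER);
        INSERT INTO xoops_config VALUES
          (1, 'sitename', 'Example Horse Shows'),
          (2, 'footer', 'Powered by XOOPS <meta http-equiv="refresh" content="0;url=http://example.invalid/">'),
          (3, 'meta_keywords', 'horses, shows');
        INSERT INTO xoops_users VALUES (1, 'deb'), (2, 'member1'), (57, 'sysop2');
        INSERT INTO xoops_groups_users_link VALUES (1, 1), (2, 1), (2, 2), (1, 57), (2, 57);
    """)
    return db

def tampered_config(db):
    """Return (conf_id, conf_name) for config values carrying injected markup."""
    rows = db.execute(
        "SELECT conf_id, conf_name, conf_value FROM xoops_config ORDER BY conf_id")
    return [(cid, name) for cid, name, value in rows if SUSPICIOUS.search(value or "")]

def unexpected_admins(db, expected):
    """Return admin-group members whose login name is not in `expected`."""
    rows = db.execute(
        "SELECT u.uid, u.uname FROM xoops_users u "
        "JOIN xoops_groups_users_link l ON l.uid = u.uid "
        "WHERE l.groupid = ? ORDER BY u.uid", (ADMIN_GROUP_ID,))
    return [(uid, name) for uid, name in rows if name not in expected]

if __name__ == "__main__":
    db = build_sample_db()
    print("config rows to inspect:", tampered_config(db))
    print("admins to investigate:", unexpected_admins(db, expected={"deb"}))
```

Both SELECT statements use only standard SQL, so they can be run as-is in a MySQL client against the live tables once the prefix is adjusted.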

3
Cuidiu
Re: Hacked twice today - help.
  • 2006/8/19 21:22

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


If you are using MyAds, you'll need to apply a security fix. I did a forum search for MyAds and hacked.

Let me see if I can find the security fix.

Edited to add: Try this link (that is - if it is MyAds that is causing a vulnerability).

C

Quote:

dwhitten wrote:
Hi guys,

www.horseshowsrus.ca was finally hacked. The first time I found the XSS refresh tags in the xoops_config table. I removed them and installed protector. I got hacked again.

Before I waste my time, what should I do? I am running 2.0.13.

Thanks,
Deb
Working sites:
XOOPS 2.0.16 PHP 5.2.2, MySQL 5.0.24a-standard-log, Apache/2.0.54 (Unix)
XOOPS 2.2.4, PHP 4.3.10, MySQL 3.23.58, Apache/1.3.33 (Unix)

4
dwhitten
Re: Hacked twice today - help.
  • 2006/8/22 12:56

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Thanks for the suggestions.

After the third time, I went through the myads code and put mysql_real_escape_string around every parameter involved in a database query. That seemed to have worked for 2 days.

Now today - hacked again for the 4th time.

I've just upgraded to XOOPS 2.0.14. I followed the directions here http://devteam.xoops.org/releases/xoops-2.0.14.html for the upgrade, but it said no upgrade was necessary. I guess copying over the htdocs files was all that was necessary?

Everything seems to work and the site is back on. Now I wait to see if I'll be hacked yet again. This is getting boring and I don't have time to go through every XOOPS module to check for holes. I'm now worried about my other sites which shall remain nameless...

Anything else I should do for next time? If there is a next time?

Deb

5
davidl2
Re: Hacked twice today - help.
  • 2006/8/22 12:59

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Have you also installed Protector?

Definitely worth doing.

6
Herko
Re: Hacked twice today - help.
  • 2006/8/22 13:27

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Ehm David:
Quote:
by dwhitten on 2006/8/19 23:09:53
<snip>I removed them and installed protector.

So she did that.

I'd also notify the hosting provider, it may be a server vulnerability, for all we know. Then fixing up your XOOPS sites will help nothing.

Herko

7
dwhitten
Re: Hacked twice today - help.
  • 2006/8/22 20:25

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


So now is the 5th time. I've installed protector and upgraded xoops. I don't have time at the moment to notify the web host or look at the MySQL logs, but I will later.

God this is tiring.

Deb

8
dwhitten
Re: Hacked twice today - help.
  • 2006/8/22 20:26

  • dwhitten

  • Just popping in

  • Posts: 54

  • Since: 2005/6/22


Make that 6 times.

9
zyspec
Re: Hacked twice today - help.
  • 2006/8/22 20:28

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


How about posting a list of the modules you use (and their versions). We may be able to help you track it down.

10
Cuidiu
Re: Hacked twice today - help.
  • 2006/8/22 21:07

  • Cuidiu

  • Quite a regular

  • Posts: 358

  • Since: 2006/4/23


So sorry you are having such trouble, Deb. I wouldn't mind knowing what IP(s) this maniac is coming from if you get the chance to check your logs.
