1
mongrel
HaCKeD By OSMANLI KARTALI
  • 2006/8/26 1:17

  • mongrel

  • Just popping in

  • Posts: 62

  • Since: 2005/1/15


That is the message I got when I went to my site this evening. An animated .gif of an eagle flying replaces my page while something LARGE is loading and then a redirect that I did NOT allow to occur.

I can no longer get anywhere on my site, and know that I have to look for some unauthorized scripts. Any help as to where I should start? Please?

Thanks!

Mongrel
Improve the time.

2
tom
Re: HaCKeD By OSMANLI KARTALI
  • 2006/8/26 1:33

  • tom

  • Friend of XOOPS

  • Posts: 1359

  • Since: 2002/9/21


I've seen a lot of these hacks, where they have some how just uploaded an index.html page could try looking for that, being the simplest thing first.

You should also contact your hosting company, as they would be interested in knowing of any potential weakness's

If all your XOOPS files have been deleted you could re-upload the XOOPS files again, remember to configure a mainfile.php to direct XOOPS to the right database.

Chances are your database is still intact, fingers crossed ehh.

3
tom
Re: HaCKeD By OSMANLI KARTALI
  • 2006/8/26 1:34

  • tom

  • Friend of XOOPS

  • Posts: 1359

  • Since: 2002/9/21


Sorry, also what modules are you running, and have you checked for any bugs.

There are numerous sites out there which list bugs and potential threats in scripts, you could google some and see if any of your modules are listed.

What version of XOOPS do you have, maybe using the latest version could prevent this problem.

Just a thought, hope it is of some help.

4
jensclas
Re: HaCKeD By OSMANLI KARTALI

Check these two threads

here and here
HTH

5
JMorris
Re: HaCKeD By OSMANLI KARTALI
  • 2006/8/26 1:48

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Here's what I would do/Have done...

1. Upload an index.html file stating that your site will be back soon and rename index.php to something like bak.index.php.

2. Download any non-xoops files that may need to be cleaned or restored. If your site uses altered XOOPS core files or modules, I hope you documented your changes.

3. Backup your database, being sure to use the "Drop table if exists" option in phpMyAdmin so you can restore your database later.

4. Delete all XOOPS files off of your web space, leaving only your temporary index.html.

5. Install a fresh copy of XOOPS just like a brand new site. Make sure you chmod your files and folders correctly after install! Also, to avoid incompatabilities, use the same version of XOOPS and all modules that was previously installed. You can always upgrade them after your initial restoration.

Folders: chmod 755
Exceptions: chmod 777* (may be able to use 755 or 775 on some hosting accounts)
cache/
templates_c/
uploads/

Files: chmod 644
Exceptions: chmod 444
mainfile.php
(I would also recommend ading an index.html with the following code in every directory that does not already have a index.html or index.php
<script>history.go(-1);</script>


6. Using a good editor, like Dreamweaver, vi, or Notepad+, search for any unusual javascript codes in your backed up database. A simple search for "javascript" should be sufficient.

7. After successfully reinstalling the base XOOPS system and uploading all the modules you had installed, restore your database from your cleaned backup.

8a. If all didn't go well, refer to the FAQ and Forum of this site to troubleshoot why your site didn't restore, then move onto 8b.

8b. If all went well, you can move onto verification. Before removing your temporary index.html, log into your site and immediately close it in your control panel and go through and thoroughly verify that your site has restored successfully, without any malicious code.

9. Once you've verified that your site has restored accurately and without malicious code, make a fallback backup of your database and files and upgrade your XOOPS install and modules to the latest stable versions. Then immediately perform a backup after everything has been verified to work properly.

10. Have 2 or three trusted members/friends log into the site and perform a final verification. If all is well, remove the temporary index.html and reopen your site.

HTH.

James
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

6
jensclas
Re: HaCKeD By OSMANLI KARTALI

James - would you have the time to put this either on the xoopsdocs site or an FAQ? (if you use xoopsdocs you or a helper can ad images for newbies and clarification)

What to do when hacked is not currently addressed in either place.

7
JMorris
Re: HaCKeD By OSMANLI KARTALI
  • 2006/8/26 2:11

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


I'd be happy to submit the above to the FAQ, but I'm afraid I don't have the time to put together a pictorial for XOOPSDocs. Sorry.

Best Regards,

James
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

8
jensclas
Re: HaCKeD By OSMANLI KARTALI

FAQ will be better than nothing - thanks heaps!

9
mongrel
Re: HaCKeD By OSMANLI KARTALI
  • 2006/8/26 2:16

  • mongrel

  • Just popping in

  • Posts: 62

  • Since: 2005/1/15


You are all VERY KIND. Thank you.

Tom, I'm running 2.2.4, and I do wonder whether that's a good idea or not, but I haven't had any probs so far.

Jensclas, I think, based on the facts that myAds has a hole that I didn't know about (and a patch that I obviously didn't know about) I can guess that might be a suspect.

But given that my host tells me that I am no longer allowed to use htaccess as described in the README in the Protector module, I needed to figure out how to configure PhP.ini. Each time I tried, I got a blank screen problem and so shut Protector off. I guess that was a mistake.

I am usually careful to CHMOD folders properly and to use the index.html with the -1 thing, but I must have missed something.


I so didn't need this right now. I will attempt the fixes suggested by James (thanks!) and see where that leaves me.

One question...why would the hacker leave his e-mail address? Do you think it's just bait for mor nefarious deeds?
Improve the time.

10
JMorris
Re: HaCKeD By OSMANLI KARTALI
  • 2006/8/26 2:31

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Truth be told, it could have been a situation that was completely out of your control. I recently had three client sites wiped out that were very well secured. If a hacker manages to gain adequate permissions on the server, there's nothing you can do to stop them. The best you can do is configure XOOPS to be as secure as your environment will allow.

My best suggestion is to coordinate with your hosting provider to determine whether the hacker gained access through XOOPS or a module or whether it was through a hole in the server. If it ws through XOOPS or a module, patch or upgrade as needed, if possible. If it was through the server, either be a squeeky wheel until the hole is patched, or move to a more secure host.

Best of luck with the restoration. I know from experience that it's a real pain, but what doesn't kill you makes you stronger and wiser.

To answer your question about the hacker's email...

Often, this is done to recrute new members in the hacking team. Sometimes, it's just a matter of the hacker getting kicks out of the hate mail. Each hacker has their reasons and none make sense to me.

Best Regards,

James

Edit: Just as a matter of cross reference, here's the link to the FAQ post related to restoring from a site hacking.

https://xoops.org/modules/smartfaq/faq.php?faqid=621
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

Login

Username:
Password:

Lost Password? Register now!

Who's Online

77 user(s) are online (41 user(s) are browsing Support Forums)


Members: 0


Guests: 77


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Jan 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits