xoops forums

irmtfan

Module Developer
Posted on: 2006/9/22 6:55
Posts: 3419
Since: 2003/12/7
#1

xoops use python?

After I saw some 403 errors on my site, I sent a ticket about the issue to server support and they replied with this:

Quote:
Hello,

When we checked the log files, we found that the mod security rules set in the server were throwing errors and its because you were trying to upload/post something with "python".
[Wed Sep 20 12:32:11 2006] [error] [client XXXXX] mod_security: Access denied with code 403. Pattern match "python\\x20" at POST_PAYLOAD. [hostname "www.DOMAIN"] [uri "/modules/system/admin.php?fct=preferences"]

We have now disabled mod_security for the domains XXXX and YYYYYY.
If you have any further issues, please get back to us with the details, we shall check it out from our end.



Is this from XOOPS?

bleu_

Just popping in
Posted on: 2006/9/22 7:07
Posts: 32
Since: 2006/8/1 2
#2

Re: xoops use python?

I really don't think so

McNaz

Just can't stay away
Posted on: 2006/9/22 8:33
Posts: 574
Since: 2003/4/21
#3

Re: xoops use python?

This is someone trying to hack your XOOPS but not succeeding. This is normal and best described as normal "background radiation" of the web (i.e. there are lots of script kiddies that have scripts that check websites for vulnerabilities).

If your server software is up to date, as is your XOOPS, then you have little to worry about.

Jan304

Official Support Member
Posted on: 2006/9/22 8:39
Posts: 520
Since: 2002/3/31
#4

Re: xoops use python?

This sounds more like a hacker that is trying to use a (un)known leak in the system admin to upload a python script. Your server was behaving correctly by blocking it, it is strange however that you are experiencing this blockade...

Are you using the latest version of XOOPS? If not try to upgrade and see if that fixes it. Also check your templates_c, cache and uploads map for unknown files and delete if necessary...

Personally I don't think you are hacked because your site still works just fine.

@McNaz: I think I will have to learn to type faster
Oracle: I'd ask you to sit down, but, you're not going to anyway. And don't worry about the vase.
Neo: What vase?
[Neo turns to look for a vase, and as he does, he knocks over a vase of flowers, which shatters on the floor.]
Oracle: That vase.
Neo:...

irmtfan

Module Developer
Posted on: 2006/9/22 8:56
Posts: 3419
Since: 2003/12/7
#5

Re: xoops use python?

huum
I want to know what the solution for that is.
Isn't disabling mod_security on the server dangerous?
I just have two accounts on my small dedicated server:
domain 1: xoops.ir with XOOPS 2.0.15
domain 2: jadoogaran.org with XOOPS 2.2.4

Protector is installed on both.

I saw a forbidden page in the preferences of xcgal on xoops.ir.

I also see some forbidden pages in xfsection.

So you think someone is trying to POST some malicious script?

irmtfan

Module Developer
Posted on: 2006/10/3 17:19
Posts: 3419
Since: 2003/12/7
#6

Re: xoops use python?

Someone attacked xoops.ir and removed me from the webmaster group.
I restored myself from the database.
I also removed all other admins until I find the problem.

It is XOOPS 2.0.14 and Protector is installed.

I now managed to upgrade to XOOPS 2.0.15 but it seems someone hijacked my sessions.

How can I find it?

I just see these in the Protector logs about the attacker:

82.99.232.94
Firefox/2.0Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20060918 Firefox/2.0 UPLOAD Attempt to upload icon2.php.

irmtfan

Module Developer
Posted on: 2006/10/5 2:17
Posts: 3419
Since: 2003/12/7
#7

Re: xoops use python?

Server support got back to me with this suspicious activity in the logs:

213.207.245.16 - - [03/Oct/2006:07:35:06 -0400] "GET /modules/system/style.css HTTP/1.1" 200 4317 "http://www.xoops.ir/modules/system/ad ... id=57&op=modifyUser" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"

So I want to know what this means.

McNaz

Just can't stay away
Posted on: 2006/10/5 6:42
Posts: 574
Since: 2003/4/21
#8

Re: xoops use python?

Quote:

This is the standard url to access the admin area that modifies a user (uid 57 in this case).

Since your log copy/paste is incomplete I cannot tell you more.

Quote:
213.207.245.16 - - [03/Oct/2006:07:35:06 -0400] "GET /modules/system/style.css HTTP/1.1" 200 4317


Complete.

Quote:
"http://www.xoops.ir/modules/system/ad ... id=57&op=modifyUser" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"


Incomplete as the GET/POST detail is missing and so is the IP address and time stamp.
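
Added example, not part of any post in this thread: the access-log entry quoted in posts #7 and #8 has the shape of Apache's combined log format, in which the two trailing quoted strings are the Referer and User-Agent sent with the request. This Python sketch parses such lines and lists which client IPs sent a Referer containing `op=modifyUser`; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None

def admin_referers(lines, marker="op=modifyUser"):
    """Map client IP -> timestamps of requests whose Referer contains `marker`.

    The Referer is supplied by the client, so a hit shows what the client
    claimed to be viewing; correlate it with the admin.php requests from
    the same IP before drawing conclusions.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and marker in rec["referer"]:
            hits[rec["ip"]].append(rec["time"])
    return dict(hits)

# First line is the entry quoted in the thread (URL elision kept as posted).
# The other two are constructed for illustration.
SAMPLE = [
    '213.207.245.16 - - [03/Oct/2006:07:35:06 -0400] "GET /modules/system/style.css HTTP/1.1" 200 4317 "http://www.xoops.ir/modules/system/ad ... id=57&op=modifyUser" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"',
    '192.0.2.10 - - [03/Oct/2006:07:36:10 -0400] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, times in admin_referers(SAMPLE).items():
        print(ip, times)
```

Run against the full access log, the resulting IP list can be compared with the addresses the site's administrators normally connect from.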