xoops forums

dizzymarkus

Not too shy to talk
Posted on: 2007/6/1 1:50
Posts: 108
Since: 2006/1/18
#1

Open holes and hacked

Two times in three weeks someone or some people have hacked into my XOOPS site and actually uploaded files to my server. Phishing for Wachovia Bank info.

The first time they uploaded a folder named "module" -- I saw it that morning and thought that was weird, that shouldn't be there -- off to work I went -- account was suspended by the time I got home. I removed the folder in question and they turned me back on.

The second time (3 weeks later and an account password change) whoever uploaded approx. 12 files to the "uploads" directory. Mostly php files and 2 text files -- again phishing for bank info. I searched all my files and folders for stuff that didn't belong. How are they getting in?

Are there any known holes or backdoors for people to get in? I cannot access my raw logs as they unRAR as a msdos file and I cannot get it to open correctly.

So once to the main directory tree and once to the uploads directory. Thanks for any help given for this as it's getting very frustrating.


Markus








www.ocqmc.com

irmtfan

Module Developer
Posted on: 2007/6/1 3:22
Posts: 3419
Since: 2003/12/7
#2

Re: Open holes and hacked

It seems like a server-side security issue to me.
Also, if you install the "Protector" module it can help you to secure your site even if your server isn't secure enough.

dizzymarkus

Not too shy to talk
Posted on: 2007/6/1 9:30
Posts: 108
Since: 2006/1/18
#3

Re: Open holes and hacked

I thought so also (SS issue) but as hosting goes lol they say there must be a hole or backdoor into the script. I have run this (xoops) for 3 years now with this addy and server with no problems. Thanks for the heads up on protector -- I will be looking into it tonight.

Thank you,
Markus
Posted on: 2007/6/1 10:01
wtravel
Posts: 987
Since: 2003/8/27
#4

Re: Open holes and hacked

Can you summarize which version of XOOPS you use and which modules are installed?
Posted on: 2007/6/1 10:07
wtravel
Posts: 987
Since: 2003/8/27
#5

Re: Open holes and hacked

It could be useful to add a .htaccess file in the uploads folder that makes sure only .jpg .gif and .zip files are accessible from the web. In order to upload a php file there must be either a leak in one of the modules or someone who has an account on the same server and knows how to exploit directories chmodded 777.

skenow

Home away from home
Posted on: 2007/6/1 11:13
Posts: 993
Since: 2004/11/17
#6

Re: Open holes and hacked

Quote:

dizzymarkus wrote:
I thought so also (SS issue) but as hosting goes lol they say there must be a hole or backdoor into the script. I have run this (xoops) for 3 years now with this addy and server with no problems. Thanks for the heads up on protector -- I will be looking into it tonight.

Thank you,
Markus


The web server logs will shed more light on this if they used HTTP to gain access to your site. If they used FTP, your logs will not show anything.
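
One way to act on the point in post #6 once the raw access log is readable: pull out successful requests for script files under uploads/ and the POST requests made by the same client. This is an added example, not code from any poster or from XOOPS; it assumes Apache combined log format, and the log lines, addresses and the /modules/example/upload.php path are constructed.

```shell
#!/bin/sh
# Added example: triage an Apache "combined" access log for script files
# served out of uploads/. Sample lines are constructed; the addresses are
# documentation ranges and /modules/example/upload.php is hypothetical.

sample_log() {
cat <<'EOF'
192.0.2.10 - - [01/Jun/2007:01:12:03 +0000] "GET /modules/news/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2007:01:40:11 +0000] "POST /modules/example/upload.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jun/2007:01:40:19 +0000] "GET /uploads/login.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Jun/2007:02:05:44 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2007:02:09:02 +0000] "GET /uploads/login.php?id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2007:02:09:30 +0000] "GET /uploads/missing.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF
}

# Successful (2xx) requests for script files under /uploads/, which should
# never occur when that folder only holds images and archives.
# Output columns: time, client address, path (query string removed).
scripts_in_uploads() {
    awk '{
        path = tolower($7); sub(/\?.*/, "", path)
        if (path ~ /^\/uploads\/.*\.(php[0-9]?|phtml|pl|cgi)$/ && $9 ~ /^2/)
            print substr($4, 2), $1, path
    }'
}

# Earliest client seen requesting each such script. Heuristic: the first hit
# is often the uploader checking the file, so trace that address backwards.
first_touch() {
    scripts_in_uploads | awk '!seen[$3]++ { print $2, $3 }'
}

# Every POST made by one address (path and status): entry-point candidates.
posts_from() {
    awk -v ip="$1" '$1 == ip && $6 == "\"POST" { print $7, $9 }'
}

sample_log | first_touch
sample_log | posts_from 198.51.100.7
```

Replace `sample_log` with `cat /path/to/access_log` to run the same functions over a real log.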

dizzymarkus

Not too shy to talk
Posted on: 2007/6/2 11:09
Posts: 108
Since: 2006/1/18
#7

Re: Open holes and hacked

Quote:

"Can you summarize which version of XOOPS you use and which modules are installed?"

Xoops Version ---- 2.0.16
pical
XOOPS stats
even news
XOOPS polls
xc gallery
my iframe
XOOPS links
tiny d
tiny content
content
classified ads (P'tites annonces)
xt conteudo
2 other instances of my iframe also
world weather

Thank you


Good idea on the htaccess -- I will add one tonight. Thank you

The web server logs are a nightmare :0( I go into my control panel and download the raw access logs -- unRAR them and they unzip as a msdos application (looks like an exe icon but properties says "msdos application"). Hosting says right click and choose notepad or wordpad -- no "open with" option for this when right clicking on the file. I am unsure what to do here with trying to view them.

Thanks greatly for all the responses. I have since changed chmod on the upload directory and informed the members it is temporarily disabled due to the fraudulent activity.


Markus

McDonald

Home away from home
Posted on: 2007/6/2 11:33
Posts: 1072
Since: 2005/8/15
#8

Re: Open holes and hacked

You should add Protector to your modules, this will give more security.
Posted on: 2007/6/2 11:41
wtravel
Posts: 987
Since: 2003/8/27
#9

Re: Open holes and hacked

xt conteudo is not safe for sure... it has security issues with its editor. It is best to uninstall it and remove it from your server.

Does anyone know of security issues with the other modules?

vaughan

Friend of XOOPS
Posted on: 2007/6/2 11:43
Posts: 684
Since: 2005/11/26
#10

Re: Open holes and hacked

If your webserver is running under phpsuexec and is configured properly by the host, you should be able to use chmod 755 on all the folders that need write access (templates_c, uploads, cache & any folders in modules that need it).

I run my website with chmod 755 without problems because the scripts write to those folders using the assigned group/user IDs for the account instead of running as user: nobody. In short, there are many things a web host can do to improve security for itself & its clients.
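
A read-only audit for the two conditions raised in posts #5 and #10, directories left at 777 and files in uploads outside the .jpg/.gif/.zip allow-list, written as an added example that is not from any poster or from XOOPS. The demo tree and its file names are constructed, and skipping index.html placeholders is an assumption about what legitimately sits in the folder.

```shell
#!/bin/sh
# Added example: audit a site tree for world-writable directories and for
# files in uploads/ that are not on the .jpg/.gif/.zip allow-list.

# Directories any account on a shared server can write to (o+w, e.g. 777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Files under the uploads tree that are not .jpg, .gif or .zip.
# index.html placeholders (assumed) and .htaccess itself are skipped.
unexpected_uploads() {
    find "$1" -type f \
        ! -iname '*.jpg' ! -iname '*.gif' ! -iname '*.zip' \
        ! -name 'index.html' ! -name '.htaccess' -print | sort
}

# Files modified within the last N days, to compare with the incident date.
recently_changed() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# Constructed demo tree: uploads/ left at 777 with two files that do not
# belong there; cache/ and modules/ at 755.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/cache" "$root/modules"
    chmod 777 "$root/uploads"
    chmod 755 "$root/cache" "$root/modules"
    : > "$root/uploads/photo.jpg"
    : > "$root/uploads/index.html"
    : > "$root/uploads/login.php"
    : > "$root/uploads/notes.txt"
    echo "$root"
}

demo=$(demo_tree)
world_writable_dirs "$demo"
unexpected_uploads "$demo/uploads"
rm -rf "$demo"
```

Against a real site, pass the document root to `world_writable_dirs` and the uploads path to `unexpected_uploads`; neither function changes anything on disk.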