1
musashi74
Xoops site hacked - beware!
  • 2008/3/26 23:55

  • musashi74

  • Just popping in

  • Posts: 18

  • Since: 2005/2/15


My Xoops-based site was recently hacked - it took me a minute to figure out what had happened, but just in case you run across it...

Opening my site I noticed a warning - something about:

"remote data services data control", and prompting me to allow it.

Well F**K that - after poking around I found this code appended to a number of my blocks and banner ads:



Which would run a remote .php script ("out.php"). Took a few minutes to edit out all the malicious code, but if you have a similar problem, hopefully this will help you out.
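One way to find every stored block or banner that pulls in a remote script like this, as an added example that is not part of the original post. The row layout, the host names and the sample HTML are constructed assumptions; in practice the `html` values would come from the block and banner content stored in the site's database.

```python
import re
from urllib.parse import urlparse

# Tags that make the visitor's browser fetch and run/render remote content.
LOADER = re.compile(
    r"<\s*(iframe|script|object|embed)\b[^>]*?\b(?:src|data)\s*=\s*"
    r"""["']?([^"'\s>]+)""",
    re.IGNORECASE,
)

def external_loaders(html, own_hosts):
    """Return (tag, url) pairs that load from a host outside own_hosts."""
    hits = []
    for tag, url in LOADER.findall(html or ""):
        host = urlparse(url).hostname   # None for relative (same-site) URLs
        if host is not None and host not in own_hosts:
            hits.append((tag.lower(), url))
    return hits

def scan_rows(rows, own_hosts):
    """Scan stored HTML fragments; return (table, id, tag, url) findings."""
    findings = []
    for row in rows:
        for tag, url in external_loaders(row["html"], own_hosts):
            findings.append((row["table"], row["id"], tag, url))
    return findings

# Constructed sample rows (hypothetical field names, placeholder hosts).
OWN_HOSTS = {"mysite.example", "www.mysite.example"}
SAMPLE_ROWS = [
    {"table": "blocks", "id": 3,
     "html": '<p>Welcome</p><script src="/include/site.js"></script>'},
    {"table": "blocks", "id": 7,
     "html": '<b>News</b><iframe src="http://malicious.example/out.php" '
             'width=0 height=0></iframe>'},
    {"table": "banners", "id": 1,
     "html": '<a href="http://sponsor.example/">'
             '<img src="http://www.mysite.example/b.gif"></a>'},
    {"table": "banners", "id": 2,
     "html": "<img src='b.gif'><SCRIPT SRC=//malicious.example/out.php></SCRIPT>"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, OWN_HOSTS):
        print("%s #%s: <%s> loads %s" % finding)
```

Ordinary links and images are left alone; only tags that execute or embed off-site content are reported, so the output is a short list of rows to clean by hand.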

2
McDonald
Re: Xoops site hacked - beware!
  • 2008/3/27 0:37

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


Can you give us some details about your installation like XOOPS version and modules + versions?

It might be that you are using a module or modules containing some vulnerabilities.

3
musashi74
Re: Xoops site hacked - beware!
  • 2008/3/27 0:58

  • musashi74

  • Just popping in

  • Posts: 18

  • Since: 2005/2/15


Sure - here's what I've got installed:

XOOPS 2.0.18.1
ForumEX 1.4
News 1.53
XCGallery 2.03
Tiny Event 1.01
Mastop Go2 1.00
Smartsection 2.13
AM Contact .05
Xoops Protector 2.56
RSS Fit 1.1

If anyone can give me hints to secure my site, it'd be greatly appreciated. I did find out the attacks were originating in the Ukraine, so I added an .htaccess file in my main directory to block all IPs originating in the Ukraine, and Turkey to boot (I had some previous issues with hackers in Turkey).

4
McDonald
Re: Xoops site hacked - beware!
  • 2008/3/27 8:38

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


Tiny Event is not safe because it uses Spaw editor, see Secunia Advisory here.
You should also consider upgrading to a more up-to-date version of Protector.

5
blueteen
Re: Xoops site hacked - beware!
  • 2008/3/27 9:27

  • blueteen

  • Quite a regular

  • Posts: 379

  • Since: 2004/7/16


You can update your news module too
v1.56 : http://xoops.instant-zero.com/modules/pages/index.php?pagenum=2

6
wishcraft
Re: Xoops site hacked - beware!

That's no good? Anyway, I noticed you don't have 'Protector', which is the automated security drone module for XOOPS that prevents security vulnerabilities introduced by other authors. If you are wondering what causes this, it is generally an unsanitized module from a 3rd party.

Protector is website security software for XOOPS, by GIJO. For example, I recently downloaded wfDownload 2.xx and it had open SQL vulnerabilities from the input of the $_GET not being sanitized; this was for my xTorrent module, which now in version 2.31 doesn't have these as I have checked all the calls to the database.

Protector a lot of people assumption and it does work does heaps of stuff... Prevents DOS, Front Doors, Bad Crawls, and heaps of other stuff.
http://www.ohloh.net/accounts/226400

Follow, Like & Read:-

twitter.com/RegaltyFamily
github.com/Chronolabs-Cooperative
facebook.com/DrAntonyRoberts

7
McDonald
Re: Xoops site hacked - beware!
  • 2008/3/27 22:36

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


According to the list XOOPS Protector 2.56 is installed.

I also have my doubts about XCGallery...

8
Anonymous
Re: Xoops site hacked - beware!
  • 2008/3/28 9:38

  • Anonymous

  • Posts: 0

  • Since:


Quote:
McDonald wrote:

According to the list XOOPS Protector 2.56 is installed.


Yeah, but as said earlier it would be best upgraded. I'm advising folks to go for 3.16beta rather than the (stable) v3.04a

Quote:
McDonald wrote:

I also have my doubts about XCGallery...


Can you be more specific as to your doubts?

Lots of us use it and I'm not aware of any attempts to get into my site via this module.

The module doesn't seem to be under active development but it is already fully featured, hence why it's so well used. I'd be willing to consider taking on myself for bug-fixes but my coding knowledge isn't the best.

9
propaed
Re: Xoops site hacked - beware!
  • 2008/3/28 10:13

  • propaed

  • Just popping in

  • Posts: 3

  • Since: 2008/3/28


Identical problem, also yesterday.

Run an earlier backup, which is clear of infection.
Could find no malicious code in blocks, but in banner and footnote.

Xoops version 2.0.13.2

My modules were

tiny event 1.01
addresses 1
formulaire 3.23
pd-downloads 1.2
dh-info 2
c-html 1.01
p'tites annonces 1.4

and
xoops

forum 1
news 1.1
contact us 1
links 1.1


Guess, besides the hacker, tiny event is the culprit.

10
propaed
Re: Xoops site hacked - beware!
  • 2008/3/28 10:24

  • propaed

  • Just popping in

  • Posts: 3

  • Since: 2008/3/28


Here is whois of attacker for your consideration

http://www.who.is/whois-ua/ip-address/od.ua/
