Recently someone began targeting my XOOPS sites and I am lost as to how they are getting in. I am running XOOPS 2.0.18.2, have installed Protector on all sites, have register_globals and allow_url_fopen both turned OFF.

The attacker injected an iframe with a malicious site link at the end of the file in every index.html file in every subdirectory of the site. This happened on a total of 9 of my sites. If I can't find a solution soon I will have no option but to abandon XOOPS. I hate the thought of leaving but the recovery is consuming all of my time.

2.3 probably has the solution, it takes the cache and template_c folders out of the web directory. Unfortunately with most hosts, these folders have to be 777 or wold writable in the web directory and can allow for malicious files placed in them.

This is not the fault of xoops, but the host server settings.

I didn't mean to sound like I was placing blame or pointing fingers. I apologize if it sounded that way.

I searched the directories you mentioned and could find nothing that looked suspicious reviewing the dates of all files for anything that recently changed.

The only thing I could find is all of my index.html files have been changed.

I have heard of such results on frxoops.org. There it was a site running an older version 2.0.13.2 , but yet unclear what was the vector of attack.

Which modules and versions are you using?
Avoid old notorious modules as contuedo or editors as spaw.

Check your Protector and Apache loggings for suspicious actions. Try to relate loggings with date of modified files. Follow the trail by the IP, the browser signatures and typical accesses.
Try to identify the module or script that provided entry to the malicious hacker and let us know.
Take backups and compare them to identify changed files and database tables.

Block suspected IP's their net from within Apache (.htaccess). (There is no need or benefit that the whole world should have access to your sites!)

Change all your admin passwords for XOOPS, Site admin access and MySQL and check all admin users and groups for these.

Apart from XOOPS, there can be some server vulnarabilities as well: Is directory listing switched off? Is your MySQL port closed on the servers? Is your hosting company using updated software for the servers?

I know you are a bit disappointed in XOOPS right now, but other CMS have also their share: eg to mention one: for Joomla was a major security warning just a few weeks ago.

Problem with open source is that everyone can read the source and exploit its weakness. The good news is that everyone can improve the code and learn from mistakes and we (the good guys) are with more.

Quote:

This is the first place to look, and as jdseymour says, ask your hosting company for help in securing the server

Thanks guys for the advice. I was tired and frustrated last night. Venting is over now I am ready to knuckle down and figure out what's going on.

The one thing I found interesting is I have one site running XOOPS 2.2.6 that was not affected.

I am inclined to believe the problem is in one of the modules I am using so I am going to systematically repair and upgrade each site to XOOPS 2.3.0.

I do have one more question. I have a couple of protector log entries that indicate the user was using DOS and nothing appears in the description column. Could this be the offender?

Quote:2.2.X rules! I have them too!
Quote:You have to relate the times in the Protector logs with the Apache logs. Also that you have an overview to several sites may help to pinpoint the attack vector.

I have located the offender, according to whois the IP is out of russia

91.151.195.102

The avenue of attack began with my sites that were still on XOOPS 2.0.16 and as the attacks progressed somehow the perpetrator gained access to ftp.

I do believe the issue of vulnerability has now been solved with upgrading to XOOPS 2.3 and I should add that I found Protector and the logging it provides to be an immense help in sorting this all out.

I also want to thank everyone for their advice and putting up with my frustration.

A little more work cleaning things up and I can get back to module development which is what I really enjoy.

Quote:The FTP is server related. How could they have access to it trough XOOPS?

This attack is nothing to do xoops.

I had it on 30 sites which i had.

This is how it was done.

I down loaded a nulled programme to have a look at and unknowingly injected my ftp connection with a virus which did the following.

1) Once i loaded up the ftp programme either using a software or through windows the virus became active.
2) The virus then had access to each and every site that had a user name and password stored in the memory of my local machine.

3) It then proceeded to attatch a <script> to each and every file on the servers no matter even if they were on different servers.
4) It affected all index.html, login.php, admin.php files.

Easiest solution is scan your computer because it was you that actually infected all your sites by using this so called free software.

A very timeous lesson learned by me.

Even when I checked each file and deleted the problem piece of script. When I uploaded a clean file the virus simply attached its self to the clean up load.