1
limecity
User account hacked 2.0.18.1
  • 2008/12/23 13:06

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


one of my unupgraded site got hacked
using XOOPS 2.0.18.1

I have no idea how.
but the hacker has been using existing user accounts to post nonsense stuff.

what should I do now?

I have the protector version running for 2.0.18.1 .
hhttp://www.mounthiking.com
all your hiking gears and gadgets


2
abinsblaue
Re: User account hacked 2.0.18.1
  • 2008/12/23 13:28

  • abinsblaue

  • Just popping in

  • Posts: 27

  • Since: 2008/10/15


upgrade to xoops-2.0.18.2 or XOOPS 2.3.2 ...

3
limecity
Re: User account hacked 2.0.18.1
  • 2008/12/23 13:42

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


is it advisable to upgrade at this point ?

like I should install a antivirus when the virus is in the bootsector or something?

please advice. thanks
hhttp://www.mounthiking.com
all your hiking gears and gadgets


4
ghia
Re: User account hacked 2.0.18.1
  • 2008/12/23 16:39

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
is it advisable to upgrade at this point ?

Before you can answer this question, you need to find out in which way the hacker has found access to your site.
If eg he found a security hole in a module, then it will not help you to upgrade XOOPS. If he found access to your site trough some malware on the PC, you are using to manage the site, it is obvious that you have to cure on your local PC.
Normal, you can say the more up to date the modules and XOOPS are, the better (altough in the new 2.3.x series heve been found two additional security holes during the last months).
At least go to 2.0.18.2, which is a less impacting upgrade then 2.3.2b and check your modules (at least Protector) for the latest versions.

To find out how the hacker has breach the system security, you have to examine the log files of Apache.
Start eg with the posting time of a spam message.
Follow the trail by using the IP number and browser ID. If a user id is known follow also the same trails for requests where this id was used.
Look also in the Protector log for incidents and use the IP and time to trail other requests.

By examining unusual (eg with a http address other then your server) or suspicious requests or unusual request patterns (eg no image requests), you can maybe find out which module was targeted and in which way database and user information was leaked.
Check also the byte count of the data transferred to the browser. Compare this count with legitimate requests.

If the hackers IP is not from a country, where you expect users or traffic from, block their net with .htaccess.

Login

Who's Online

689 user(s) are online (86 user(s) are browsing Support Forums)


Members: 0


Guests: 689


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits