Posted on: 2008/12/23 16:39
Re: User account hacked 18.104.22.168
is it advisable to upgrade at this point ?
Before you can answer this question, you need to find out in which way the hacker has found access to your site.
If eg he found a security hole in a module, then it will not help you to upgrade XOOPS. If he found access to your site trough some malware on the PC, you are using to manage the site, it is obvious that you have to cure on your local PC.
Normal, you can say the more up to date the modules and XOOPS are, the better (altough in the new 2.3.x series heve been found two additional security holes during the last months).
At least go to 22.214.171.124, which is a less impacting upgrade then 2.3.2b and check your modules (at least Protector) for the latest versions.
To find out how the hacker has breach the system security, you have to examine the log files of Apache.
Start eg with the posting time of a spam message.
Follow the trail by using the IP number and browser ID. If a user id is known follow also the same trails for requests where this id was used.
Look also in the Protector log for incidents and use the IP and time to trail other requests.
By examining unusual (eg with a http address other then your server) or suspicious requests or unusual request patterns (eg no image requests), you can maybe find out which module was targeted and in which way database and user information was leaked.
Check also the byte count of the data transferred to the browser. Compare this count with legitimate requests.
If the hackers IP is not from a country, where you expect users or traffic from, block their net with .htaccess.