xoops forums

kevcar

Not too shy to talk
Posted on: 2009/1/12 18:48
kevcar
kevcar (Show more)
Not too shy to talk
Posts: 127
Since: 2007/6/2 1
#1

a phishing site has been uploaded to your

Received an email regarding this

Your 1&1 webspace has been attacked via a security leak in the software you
> installed. As a result of this attack, a phishing site has been uploaded to your
> 1&1 webspace. These sites are used to steal login information for eBay,
> PayPal, bank accounts etc. The site was to be found at:
>
> http:\\********\xoops_lib\modules\wachovia\index.htm
After having analyzed the attack and disabled the files related to the phishing
> site, we will unlock your webspace.
>
> The intrusion was processed via your script:
> ./xoops_lib/modules/protector/notification.php
>
>
> These files were used to upload the malicious content or send spam:
> ./themes/zetagenesis/img/questions.php
> ./themes/zetagenesis/img/verification2.php
> ./themes/zetagenesis/img/verification3.php
> ./themes/zetagenesis/img/verification.php
> ./themes/zetagenesis/img/verify.php
> ./themes/zetagenesis/img/wellsfargo.php
> ./themes/zetagenesis/img/wellsfargo-online.php
> ./uploads/tmx.php
> ./xoops_lib/modules/protector/library/HTMLPurifier/update.htm
> ./xoops_lib/modules/protector/library/HTMLPurifier/update.php
> ./xoops_lib/modules/protector/library/get.php
> ./xoops_lib/modules/protector/library/index.html
> ./xoops_lib/modules/protector/library/thankyou.htm
> ./xoops_lib/modules/protector/library/notes.txt
> ./xoops_lib/modules/protector/library/webpay/get.php
> ./xoops_lib/modules/protector/library/webpay/thankyou.htm
> ./xoops_lib/modules/protector/library/webpay/index.html
> ./xoops_lib/modules/protector/library/webpay/notes.txt
> ./xoops_lib/modules/protector/language/german/wuse.php
> ./xoops_lib/modules/protector/language/russian/gate.php
> ./xoops_lib/modules/protector/main/index.php
> ./xoops_lib/modules/protector/main/wellsfargo-online.php
> ./xoops_lib/modules/protector/main/questions.php
> ./xoops_lib/modules/protector/main/verification.php
> ./xoops_lib/modules/protector/main/verify.php
> ./xoops_lib/modules/protector/main/mail11[1]..php
> ./xoops_lib/modules/protector/wuse.php
> ./xoops_lib/modules/protector/code.php
> ./xoops_lib/modules/protector/admin_page.php
> ./xoops_lib/modules/protector/notification.php
> ./xoops_lib/modules/wachovia/index.htm
> ./xoops_lib/modules/wachovia/index2.htm
> ./xoops_lib/modules/wachovia/login2.php
> ./xoops_lib/modules/wachovia/wachovia.php
> ./xoops_lib/plain.php
>


noo-b

Just can't stay away
Posted on: 2009/1/12 22:35
noo-b
noo-b (Show more)
Just can't stay away
Posts: 456
Since: 2007/10/23
#2

Re: a phishing site has been uploaded to your

sorry to hear this..

i think this is related

https://xoops.org/modules/news/article.php?storyid=4601

1. make sure there's an index.html file in every folder with the following code inside:
<script>history.go(-1);</script>



2. put xoops_lib outside document root or put htaccess in xoops_lib

Quote:

order deny,allow
deny from all
I Love Xoops

Anonymous

Posted on: 2009/1/13 9:58
Anonymous
Anonymous (Show more)
Posts: 0
Since:
#3

Re: a phishing site has been uploaded to your

Quote:
noo-b wrote:

2. put xoops_lib outside document root or put htaccess in xoops_lib


Good idea to rename the folder too (you'll need to change the reference to it in mainfile.php too).

kevcar

Not too shy to talk
Posted on: 2009/1/23 18:25
kevcar
kevcar (Show more)
Not too shy to talk
Posts: 127
Since: 2007/6/2 1
#4

Re: a phishing site has been uploaded to your

Thanks for all the help, all infected files are now deleted.

Thanks Guys

Parafal

Just popping in
Posted on: 2009/1/23 19:54
Parafal
Parafal (Show more)
Just popping in
Posts: 98
Since: 2003/6/7 2
#5

Re: a phishing site has been uploaded to your

Quote:

noo-b wrote:
sorry to hear this..

i think this is related

https://xoops.org/modules/news/article.php?storyid=4601

1. make sure there's an index.html file in every folder with the following code inside:
<script>history.go(-1);</script>




Hi, just a question.

I can only put this code in a empty html file? that's it? Or I need to put another code like <body></body> etc?

And I must put this index.html file in every folder, no exceptions?

Thanks
-|Parafal|-

ghia

Community Support Member
Posted on: 2009/1/23 22:45
ghia
ghia (Show more)
Community Support Member
Posts: 4954
Since: 2008/7/3 1
#6

Re: a phishing site has been uploaded to your

Yes, only the text as showed. If you look around on your site, there should be plenty examples, which you can copy.
In principle, every directory should have this file.

You can also add this to your .htaccess:
Options All -Indexes


Read also some threads and articles for advice about hacked sites.

If files have been altered, change all your administration passwords on all levels (XOOPS admin, MySQL, site, FTP, ...).