Once again: delete the install files after installation is complete.
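This is the detailed account, posted on sourceforge.net by XOOPS.org Project Manager Herko Coomans, of the recent hack of the main site.
In short: the install folder was carelessly left in place, which let the hacker reinstall the site, gain system privileges, get into the database and do a great deal of damage. The second attack came the next day: he got into the system again through an admin user in the database and damaged the database once more.
According to the clues, the hacker is Dutch, not Japanese. Heh.
The original text follows.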
From: Herko Coomans [XOOPS.org] <herko@xo...>
Status update on XOOPS.org server hack
2005-10-25 03:44
As most of you might know, the XOOPS.org webserver has fallen victim to
a malicious and destructive hack attack. To prevent new attacks and to
assess and restore the damage done to the website we have closed the
website for the public. In this message I'll try and answer the most
pressing questions.

_What happened?_
The hacker gained access to our webserver through a series of
unfortunate events, circumstances and configurations of which the hacker
took full and deadly advantage. We were setting up a new subsite on one
of the xoops.org subdomains, and inadvertently left the install/ folder
on the server. This gave the hacker the possibility to reinstall the
website and gain webmaster access to that unused website. He used his
webmaster privileges to create a custom PHP block that loaded a
malicious script into the website's cache/ folder, thus gaining access
to the server and the database. That's how he gained database access to
the main website, and started his destructive and disruptive work.
JMorris, the lead moderator, and Ackbarr, our server admin, acted quickly
and closed the site for the public, and restored the database and files
from the backups that are made regularly. Thus, we were able to reopen
the site after about 40 hours.
The hacker wasn't done yet, and early the next day (GMT) he had hijacked
an account using a brute-force attack on a copy of the database he
stole. Using that, he started changing posts and comments, and filling
the database with all kinds of nonsense. We closed the website again,
changed all our passwords, and decided to give the webserver a full
security audit. JMorris and Ackbarr have been working very hard to make
the server much more secure, and to close any routes the hacker might
have used.

_Are our own sites safe?_
The hacker used the installer script to gain first entry to the server.
The system warns you after you have installed your XOOPS site to remove
that folder. This is not an empty warning! If you have removed your
install/ folder from the server, your site is safe. We have checked the
webserver logs carefully, and (so far) haven't found any security holes
in the XOOPS system. It was more a matter of the admin's security policy
and server configuration that was the security hole in this case.

_What are you going to do about the hacker?_
We know who he is. He left a clear trail and many hints on the internet
about his true identity. We have collected a lot of evidence and have
reported the hacker to the Dutch police (the XOOPS Foundation, who owns
the server is based in The Netherlands), as well as to the authorities
of the hacker's home country. Both are looking into the evidence and will
do their best to help us catch the hacker.

_The hacker left all kinds of messages referring to XOOPSCube. Are they
behind this?_
No. XOOPSCube is the project Onokazu started after he stepped out of the
XOOPS Development Team a few months ago. He is taking the code into a
slightly different direction. The XOOPS Cube project is in no way
involved in this hacking.
XOOPSCube recently released a patch closing a few holes, they did this
in good communication with the XOOPS.org project. This is what Skalpa
announced on the 16th on this mailinglist. We have verified that the
hacker did not use this hole to hack our site.
As soon as we have restored the website, we'll release XOOPS 2.0.13.2
with the patch applied to the XOOPS code.

_When will the XOOPS.org site be reopened?_
As soon as we have tested the new server configurations on possible
conflicts with the website, and implemented the new security policy for
the server and site admins, we'll reopen the site to the public again.
Because the hacker damaged our database again, we'll have to restore a
backup. Some posts will be lost (again). I'll send a message on this
mailinglist as soon as the website has been reopened.
In the meantime I suggest everyone use the project pages on
sourceforge.net and the XOOPS support resources listed on the Site
Closed page (www.xoops.org).

The local support sites are doing a great job helping people out in the
absence of the main support site, and I would like to take this
opportunity to thank them for all their support! One thing that this
little crisis has shown me is that XOOPS is a strong community that
cannot be broken by defacing and destroying a website. The people that
make the XOOPS community stand together to face this event, help
each other out and come out stronger than before. You all have my sincere
gratitude and I feel proud to be part of this family!

I would like to say a special word of thanks to JMorris for his fast
thinking in closing the website when the hacker first started wreaking
his havoc, and JMorris and Ackbarr for making the server more secure and
restoring the website.

--
Herko Coomans
XOOPS.org Project Manager
Chairman of the XOOPS Foundation

[w] http://www.xoops.org
[a] P.O.Box 75, 7400 AB, Deventer, The Netherlands
[t] +31 64 833 64 34
[f] +31 84 747 05 50

XOOPS: Open Source dynamic web Content Management System

From: Skalpa Keo <skalpa@xo...>
A security fix will be released soon
2005-10-16 05:46
Hello everybody,

We have recently been warned about a security issue affecting all XOOPS
releases.
Because of this the release of 2.2.3RC2 we expected to do a few days ago
has been delayed until today, and another one (2.0.13.2) will come at
the same time.
We won't tell anything more here as we agreed not to disclose more
details publicly before tonight, but wanted you to get prepared for
these releases that will be done as soon as possible (which means tomorrow).

skalpa.>

2005/10/28 10:01
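
The check implied by the "Are our own sites safe?" answer in the email above, as an added example that is not part of the original post or of XOOPS itself: it walks a hosting root, including unused subsites like the one in the incident, and reports every site where install/ is still present. It assumes a XOOPS site root is any directory containing mainfile.php; the function names and status labels are made up for this example.

```shell
#!/bin/sh
# Added example: audit a hosting root for XOOPS sites whose installer remains.
# Assumption: a XOOPS site root is any directory that contains mainfile.php,
# and the installer lives in install/ directly beneath that directory.

# Print one tab-separated line per finding: "<site root>\t<status>".
#   INSTALLER_PRESENT   - install/ still holds PHP files (can be re-run)
#   INSTALLER_EMPTY_DIR - install/ exists but contains no PHP files
audit_xoops_installers() {
    webroot=$1
    find "$webroot" -type f -name mainfile.php 2>/dev/null | sort |
    while IFS= read -r mainfile; do
        site=$(dirname "$mainfile")
        # Sites with no install/ directory are fine and are not reported.
        [ -d "$site/install" ] || continue
        if find "$site/install" -type f -name '*.php' | grep -q .; then
            printf '%s\t%s\n' "$site" INSTALLER_PRESENT
        else
            printf '%s\t%s\n' "$site" INSTALLER_EMPTY_DIR
        fi
    done
}

# Wrapper for cron or CI: prints the findings and returns 1 when any site
# still has a runnable installer, 0 otherwise.
check_xoops_installers() {
    findings=$(audit_xoops_installers "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    if printf '%s\n' "$findings" | grep -q 'INSTALLER_PRESENT$'; then
        return 1
    fi
    return 0
}
```

Run it as `check_xoops_installers /path/to/hosting/root` after every new site or subsite is set up, and treat a non-zero exit status as a failed deployment step.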