Once again: after installation is complete, delete the install folder.
This is the detailed account of the hack of the main site, posted on sourceforge.net by XOOPS.org Project Manager Herko Coomans.
In short: the install folder was carelessly left behind, which let the hacker reinstall, gain system privileges, get into the database and do enormous damage. The second attack came the next day: he got back into the system via the admin user from the database and damaged the database once more. Going by the clues, the hacker is Dutch, not Japanese. Heh. The original text follows.

From: Herko Coomans [XOOPS.org] <herko@xo...>
Status update on XOOPS.org server hack
2005-10-25 03:44

As most of you might know, the XOOPS.org webserver has fallen victim to a malicious and destructive hack attack. To prevent new attacks and to assess and restore the damage done to the website we have closed the website to the public. In this message I'll try and answer the most pressing questions.

_What happened?_

The hacker gained access to our webserver through a series of unfortunate events, circumstances and configurations of which the hacker took full and deadly advantage. We were setting up a new subsite on one of the xoops.org subdomains, and inadvertently left the install/ folder on the server. This gave the hacker the possibility to reinstall the website and gain webmaster access to that unused website. He used his webmaster privileges to create a custom PHP block that loaded a malicious script into the website's cache/ folder, thus gaining access to the server and the database. That's how he gained database access to the main website, and started his destructive and disruptive work.

JMorris, the lead moderator, and Ackbarr, our server admin, acted quickly and closed the site to the public, and restored the database and files from the backups that are made regularly. Thus, we were able to reopen the site after about 40 hours.

The hacker wasn't done yet, and early the next day (GMT) he had hijacked an account using a brute-force attack on a copy of the database he stole. Using that, he started changing posts and comments, and filling the database with all kinds of nonsense. We closed the website again, changed all our passwords, and decided to give the webserver a full security audit. JMorris and Ackbarr have been working very hard to make the server much more secure, and to close any routes the hacker might have used.

_Are our own sites safe?_

The hacker used the installer script to gain first entry to the server. The system warns you after you have installed your XOOPS site to remove that folder. This is not an empty warning! If you have removed your install/ folder from the server, your site is safe. We have checked the webserver logs carefully, and (so far) haven't found any security holes in the XOOPS system. It was more a matter of the admin's security policy and server configuration that was the security hole in this case.

_What are you going to do about the hacker?_

We know who he is. He left a clear trail and many hints on the internet about his true identity. We have collected a lot of evidence and have reported the hacker to the Dutch police (the XOOPS Foundation, who owns the server, is based in The Netherlands), as well as to the authorities of the hacker's home country. Both are looking into the evidence and will do their best to help us catch the hacker.

_The hacker left all kinds of messages referring to XOOPSCube. Are they behind this?_

No. XOOPSCube is the project Onokazu started after he stepped out of the XOOPS Development Team a few months ago. He is taking the code in a slightly different direction. The XOOPS Cube project is in no way involved in this hacking. XOOPSCube recently released a patch closing a few holes; they did this in good communication with the XOOPS.org project. This is what Skalpa announced on the 16th on this mailing list. We have verified that the hacker did not use this hole to hack our site. As soon as we have restored the website, we'll release XOOPS 2.0.13.2 with the patch applied to the XOOPS code.

_When will the XOOPS.org site be reopened?_

As soon as we have tested the new server configurations for possible conflicts with the website, and implemented the new security policy for the server and site admins, we'll reopen the site to the public again. Because the hacker damaged our database again, we'll have to restore a backup. Some posts will be lost (again). I'll send a message on this mailing list as soon as the website has been reopened. In the meantime I suggest everyone use the project pages on sourceforge.net and the XOOPS support resources listed on the Site Closed page (www.xoops.org). The local support sites are doing a great job helping people out in the absence of the main support site, and I would like to take this opportunity to thank them for all their support!

One thing that this little crisis has shown me is that XOOPS is a strong community that cannot be broken by defacing and destroying a website. The people that make the XOOPS community stand together to face this event, help each other out and come out stronger than before. You all have my sincere gratitude and I feel proud to be part of this family!

I would like to say a special word of thanks to JMorris for his fast thinking in closing the website when the hacker first started wreaking his havoc, and to JMorris and Ackbarr for making the server more secure and restoring the website.

--
Herko Coomans
XOOPS.org Project Manager
Chairman of the XOOPS Foundation
[e] [email protected]
[w] http://www.xoops.org
[a] P.O.Box 75, 7400 AB, Deventer, The Netherlands
[t] +31 64 833 64 34
[f] +31 84 747 05 50
XOOPS: Open Source dynamic web Content Management System

From: Skalpa Keo <skalpa@xo...>
A security fix will be released soon
2005-10-16 05:46

Hello everybody,

We have recently been warned about a security issue affecting all XOOPS releases. Because of this, the release of 2.2.3RC2 we expected to do a few days ago has been delayed until today, and another one (2.0.13.2) will come at the same time. We won't say anything more here as we agreed not to disclose more details publicly before tonight, but wanted you to get prepared for these releases, which will be done as soon as possible (which means tomorrow).

skalpa.
2005/10/28 10:01
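A defender's check for the two conditions the post-mortem above describes: an install/ folder left under the web root, and PHP dropped into cache/ by a custom block. This is an added example, not XOOPS code; the function name xoops_postinstall_check and the directory names it inspects are assumptions taken from the post.

```shell
#!/bin/sh
# Post-install check for a XOOPS web root (added example, not XOOPS's own code).
# It reports the two conditions named in the incident report:
#   1. an install/ directory still present under the web root;
#   2. PHP files inside cache/, where the attacker's custom block dropped its script.
# Returns 0 when the root is clean, 1 when at least one finding needs attention.

xoops_postinstall_check() {
    root="${1:-.}"        # web root to inspect; defaults to the current directory
    status=0

    # 1. The installer must be gone: leaving it allows a re-install that
    #    hands webmaster access to whoever runs it first.
    if [ -d "$root/install" ]; then
        echo "FAIL: $root/install still exists; remove it"
        status=1
    fi

    # 2. cache/ should hold only generated template and data files, never PHP.
    #    Any .php or .phtml file here is a strong indicator of a dropped web shell.
    if [ -d "$root/cache" ]; then
        found=$(find "$root/cache" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null)
        if [ -n "$found" ]; then
            echo "FAIL: PHP files found under $root/cache:"
            echo "$found"
            status=1
        fi
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $root passes the post-install check"
    fi
    return "$status"
}

# usage: xoops_postinstall_check /path/to/xoops/webroot
```

Run it after every install and as a periodic cron job; a non-zero exit on a site that was clean yesterday is worth treating as an incident, not a misconfiguration.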