Im having major problems with a spip site.
Therefore a few quistions...

Can hackers write something ino the database that gives them "acces" to the folder on my ISP area ( where I place the site, in this case /mir.dk)

Im having a problem, with urls.. ( even after full reinstall ) ( with the same database)
If the urls are the "normal way" ( spip.php?articleXXXX) there are no problems, if I try with "propre" ( spip.php?article-name-) I get redirected ( turned of the feature right after i saw I got redirected)( they redirect me to mir2.dk) ( another of my sites, in the same "folder" in my ISP area ( sister site)

The hackers attacked the site, and all other (sister) sites, last saturday, and came back this saturday, again with a phizing folder. ( last week they placed 25 folders)
Its deleted now, but I think they will try again and again..

Any ideas to make the SPIP folder(s) more "safe".
Can I as an exsample change some "rights" to write in the folder and can I change some rights ( chmod etc) in the sub folders. ( do I need 777 chmod to local, IMG and other folders, or is 644 OK !?) ( does it matter)

Since I think they have been doing something to my database, how do I make a new one, and still keep the +4000 articles..
I have php my admin, but dont know how to use it for this purpose

PS
Anybody know any software telling you by mail, if any new folders/files has been installed on your apache server..( maybe this could help me solve the problem..)
______________________________

_________________
spip-en-JM9gtpQu/Ho@public.gmane.org - http://listes.rezo.net/mailman/listinfo/spip-en

Hi Gilles,
I upgraded from SPIP 1.9.2d to SPIP 1.9.2e when it has launched.  I gave error when I was validating messages. One of the users says he gave the same error when he was submitting a new article.
Regards

Kamran

 

From: Gilles VINCENT <gilles.vincent-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

To: kamran Mir Hazar <editor-KuNTkyfR4oyXFJAUJl40Xg@public.gmane.org>

Cc: spip-en spip-en <spip-en-JM9gtpQu/Ho@public.gmane.org>

Sent: Monday, November 3, 2008 5:23:21 AM
Subject: Re: [Spip-en] error

Hi, 

does this error occurs with a fresh install of SPIP, or during an upgrade ?

Sometimes, when you upgrade from an old 1.8.3 version, you forget the file ecrire/inc_connect.php3 which overwrites config/connect.php (in fact it's the same if inc_connect.php3 still exists at the root directory). 

.Gilles
---

On Mon, Nov 3, 2008 at 4:12 AM, kamran Mir Hazar <kamran_mirhazar-/E1597aS9LQAvxtiuMwx3w@public.gmane.org> wrote:

Hello,
I gave an error for several times. The translation of the error is like this: Cannot connect to database because of a technical problem. I have checked the database, repaired the tables via PHP my admin and SPIP Cpanel. I have also re-established the connection to the database, but still I'm giving that error for sometime.
Any idea?
All the best
Kamran

From: Gilles VINCENT <gilles.vincent-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "tom-bGWuzas0w7A@public.gmane.org" <tom-bGWuzas0w7A@public.gmane.org>
Cc: spip-en spip-en <spip-en-JM9gtpQu/Ho@public.gmane.org>
Sent: Sunday, November 2, 2008 3:54:41 PM
Subject: Re: [Spip-en] big problems with spip site ( hackers attacking)

Hi,

On Sat, Nov 1, 2008 at 3:14 PM, tom-bGWuzas0w7A@public.gmane.org <tom-bGWuzas0w7A@public.gmane.org> wrote:

Im having major problems with a spip site.
Therefore a few quistions...

Can hackers write something ino the database that gives them "acces" to the folder on my ISP area ( where I place the site, in this case /mir.dk)

No, I don't think so.

The only serious problem like yours that was reported until now wasn't due to SPIP, but to a problem of the web hosting service.

 

Im having a problem, with urls.. ( even after full reinstall ) ( with the same database)
If the urls are the "normal way" ( spip.php?articleXXXX) there are no problems, if I try with "propre" ( spip.php?article-name-) I get redirected ( turned of the feature right after i saw I got redirected)( they redirect me to mir2.dk) ( another of my sites, in the same "folder" in my ISP area ( sister site)

This looks like a problem to .htaccess

Can you check that you do not indicate any "mir2.dk" inside it ?

Because it's still your website, I think that it's a pb of configuration, not an attack.

 

The hackers attacked the site, and all other (sister) sites, last saturday, and came back this saturday, again with a phizing folder. ( last week they placed 25 folders)
Its deleted now, but I think they will try again and again..

Do you have an access to the Apache logs ?

Is it a dedicated or a shared hosting ?

The first thing that I would do is changing every passwords : ftp / ssh / mySQL / manager

And of course Never keep the same password for each access. A simple tips is to pre- and post-fix your passwords with the name of the concerned process : ftMyPasswordp / ssMyPasswordh / myMyPasswordS / maMyPasswordn - Find something that is still easy to remember :)

 

Any ideas to make the SPIP folder(s) more "safe".
Can I as an exsample change some "rights" to write in the folder and can I change some rights ( chmod etc) in the sub folders. ( do I need 777 chmod to local, IMG and other folders, or is 644 OK !?) ( does it matter)

You don't have to use 777 mode.

The only directories that have to be writable for apache are IMG/ tmp/ and local/

What I personnaly do is to chown these directories to the apache user : 

chown -R apache:apache IMG/* tmp/* local/*

and chmod -R og-rw IMG/* tmp/* local/*

 

Since I think they have been doing something to my database, how do I make a new one, and still keep the +4000 articles..
I have php my admin, but dont know how to use it for this purpose

To dump / import properly, you can do like this : 

A/ export the database with phpMyAdmin. Uncheck the options "Extended inserts" and "Complete inserts" (it's for the import step)

B/ create a new database

C/ import your dump with phpMyAdmin. Sometimes, your dump file is to huge to be correctly imported by pMA. So I prefer using bigdump.php (available here : http://www.ozerov.de/bigdump.php -- it's really well documented)

D/ install SPIP whith these new database

You can parse your dump to see if you find anything strange. For exemple, an admin user that you haven't created.. But imho, I doubt that you find anything : you seems to be the victim of a root kit.

If you are not on a shared hosting, you can create a mysql user who will only be able to see a specific database (you can even restrict it's access right to some tables !).

 

PS
Anybody know any software telling you by mail, if any new folders/files has been installed on your apache server..( maybe this could help me solve the problem..)
______________________________

Yes : such systems exist - They are IDS (Intrusion Detection System) :

http://en.wikipedia.org/wiki/Intrusion-detection_system

gives an explanation and a list of free softwares

 

.Gilles

---

_________________
spip-en-JM9gtpQu/Ho@public.gmane.org - http://listes.rezo.net/mailman/listinfo/spip-en

_______________________________________________
spip-en-JM9gtpQu/Ho@public.gmane.org - http://listes.rezo.net/mailman/listinfo/spip-en