my mojoportal under ddos attack plus xss

This thread is closed to new posts. You must sign in to post in the forums.
7/23/2013 11:57:22 AM
Total Posts 4

my mojoportal under ddos attack plus xss

My hosting administrator informed me today that my website is under DDoS attack due to poor coding.

Kindly help me to resolve this problem.

Regards

Toya

7/23/2013 12:04:10 PM
Total Posts 18439

Re: my mojoportal under ddos attack plus xss

If you wish to report something like that and expect a response you need to provide more details. 

7/23/2013 12:15:53 PM
Total Posts 4

Re: my mojoportal under ddos attack plus xss

msg from the hosting administrator:

Dear Customer,

We have suspended your account (WWW.ejbss.com) due to SPAM and one of the header as a proof is attached below.

SPAM is the sending of unsolicited e-mail, regardless of size or volume, to persons the sender does not know or have prior consent to
send the message to.

Please review our TOS/AUP:
http://nexus.net.pk/aup.php

Nexus Technologies reserves the right to require changes or disable as necessary any web site, account, database, or other component that does
not comply with its established policies, or to make any such modifications in an emergency at its sole discretion.

Nexus also reserves the right to charge the holder of the account used to send any unsolicited e-mail a clean-up fee or any charges incurred
for blacklist removal. This cost of the clean-up fee is entirely at the discretion of Nexus Technologies.

====================================================================================================================
Delivered-To: x Received: by 10.112.80.137 with SMTP id r9csp134321lbx; Sun, 12 May 2013 11:22:49 -0700 (PDT)
X-Received: by 10.152.1.196 with SMTP id 4mr11702918lao.54.1368382968181; Sun, 12 May 2013 11:22:48 -0700 (PDT) DomainKey-Status: bad format
Received-SPF: pass (google.com: domain of jjcharmings@gmail.com designates 74.125.83.65 as permitted sender) client-ip=74.125.83.65;
Received: by 10.152.98.244 with POP3 id el20mf1993888lab.29; Sun, 12 May 2013 11:22:48 -0700 (PDT) X-Gmail-Fetch-Info: x 3 pops.etsmtl.ca 995 cfuhrman
Received: from antispam.etsmtl.ca (10.162.33.211) by smtps.etsmtl.ca (10.162.33.194) with Microsoft SMTP Server (TLS) id 14.2.328.9; Sun, 12 May 2013 14:00:32 -0400 X-ASG-Debug-ID: 1368381629-03893f305589c90001-20OPPu
Received: from mail-ee0-f65.google.com (mail-ee0-f65.google.com [74.125.83.65]) by antispam.etsmtl.ca with ESMTP id 86c75ddC3mUbAv85 (version=TLSv1 cipher=RC4-SHA bits=128 verify=NO) for ; Sun, 12 May 2013 14:00:29 -0400 (EDT)
X-Barracuda-Envelope-From: jjcharmings@gmail.com
X-Barracuda-Apparent-Source-IP: 74.125.83.65
Received: by mail-ee0-f65.google.com with SMTP id t10so211723eei.8 for ; Sun, 12 May 2013 11:00:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:reply-to:sender:date:x-google-sender-auth :message-id:subject:from:to:content-type; bh=w3a1G5ZAoqg/u0zNKki5I54/WhlCPjHB4TnWcHFC/Fk=; b=M/jgcjlWBDiWHLOewsl2mlVLat1tS4lBJ3HgrQqTTJ8IDuXvhEx5f2XtzIAW3G48GO IUW9/L1VjRbKblRjCTLy0qrN4ypV35mZr24uCEUMr/YmIuhKbFp9w7p9AEm2qR3XED7p 9Vg8xyGCv5iJEuTIeKFah2HyElldxMUk6uWivgiecDrZxOyHqT9k05Y+i0QeD/Kjv7aV FZYmRW2kTnU65meSJl0V/O5HqPbDkBYanvbJnSF1nxP8nRx8aa5uFrUfZaSgoSrgV/uE ioxm+ViPgAwLputblxqmV0x4bDvAqxD/U4ZWxAPjLsL/zRcl5VVPI473bfwNDs77fKxL AxnA== X-Received: by 10.14.111.5 with SMTP id v5mr69315560eeg.27.1368381628754; Sun, 12 May 2013 11:00:28 -0700 (PDT)
Reply-To: Sender:
Received: by 10.14.129.197 with HTTP; Sun, 12 May 2013 11:00:28 -0700 (PDT) Date: Sun, 12 May 2013 23:00:28 +0500 X-Google-Sender-Auth: THLhcNBcwModSR3vdvKQ9o2Ojlw Message-ID:
Subject: Call for Manuscripts [European Journal of Business and Social Sciences- www.ejbss.com]
From: Editor EJBSS X-ASG-Orig-Subj: Call for Manuscripts [European Journal of Business and Social Sciences- www.ejbss.com]
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary="089e01634644e6525d04dc892cb9" BCC: X-Barracuda-Connect: mail-ee0-f65.google.com[74.125.83.65]
X-Barracuda-Start-Time: 1368381629
X-Barracuda-Encrypted: RC4-SHA
X-Barracuda-URL: http://antispam.etsmtl.ca:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at etsmtl.ca
X-Barracuda-BRTS-Status: 1
X-Barracuda-Bayes: INNOCENT GLOBAL 0.6216 1.0000 0.8560
X-Barracuda-Spam-Score: 0.86
X-Barracuda-Spam-Status: No, SCORE=0.86 using global scores of TAG_LEVEL=2.2 QUARANTINE_LEVEL=3.2 KILL_LEVEL=4.8 tests=HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.130761 Rule breakdown below pts rule name description
====================================================================================================================
other msg from my hosting administrator:


Dear Mr. Tahir,

Thank you for contacting Nexus Technologies.

Your account has been unsuspended with PPD (Password Protected Directory) which means your website is not accessible publicly. Please review your coding because we found DDOS attacks due to your website. Please do resolve the issue on urgent basis and update us accordingly. Moreover your emails will work properly now.

7/23/2013 12:25:59 PM
Total Posts 18439

Re: my mojoportal under ddos attack plus xss

Sorry but that is still not any information I can use to be of any help.

I have no idea what your host means by saying:

"we found DDOS attacks due to your website"

Sounds like he is saying your site is attacking other sites but it really makes no sense.

Mainly it sounds like he is saying that your site is sending spam and doing bad things but it is not clear what or how it is doing that. Nothing built into mojoPortal sends spam. There are several features that can be configured to send email so maybe someone gained access to your site with admin privileges if it really is mojoportal code sending email but even that is not clear to me, nothing that you posted looks like anything from any of our features.

7/23/2013 12:38:39 PM
Total Posts 4

Re: my mojoportal under ddos attack plus xss

I am using an old version of mojoPortal.

please follow this url: http://www.exploit-db.com/exploits/15018/

7/23/2013 12:45:10 PM
Total Posts 18439

Re: my mojoportal under ddos attack plus xss

I viewed a cached (from July 8) copy of your site from google and can see that it is running mojoportal 2.3.6.5 which was released in April 2011. So apparently your site has been running a long time before any problem happened which does not suggest a problem with the code, but it sounds like your site possibly got hacked in some way or another recently.

The link you posted was from a much older issue in mojoPortal 2.3.4.3 which was fixed in version 2.3.5.2 in the fall of 2010.

A DDOS attack is when lots of computers make web requests to overwhelm a server, so it is not caused by mojoPortal code. If someone believes there is a performance problem in mojoPortal that makes it easy to overload a server with only a few web requests then details of how and why they believe this would need to be provided. But there is certainly no code I could write that makes other machines attack a server with ddos.

What I would do is make sure you change your ftp password, upgrade to the latest mojoPortal which may help because if any mojoportal files or js files have been modified to hack your site then replacing them should resolve the current problem.

So I would download your site for a backup and for further analysis of what happened, then I would upload the latest mojoPortal files and restore any customizations to web.config.

Then follow the steps in post installation checklist and read up on securing mojoportal.

I would also make sure that no other server side technology is enabled in your site except asp.net, i.e. make sure php is disabled if it is also installed in your hosting.
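
The file comparison suggested in the reply above, as an added example that is not part of the original post and not mojoPortal's own code: it hashes every file in the downloaded site backup against a clean copy of the same release and lists what was modified, what was added, and what is a script type that should not exist on an ASP.NET-only site. The function names, the extension list and the sample trees are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: on an ASP.NET-only site these script types have no business existing.
FOREIGN_EXTENSIONS = {".php", ".phtml", ".cgi", ".pl"}

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def index_tree(root):
    # Relative path (lower-cased, as on Windows hosting) -> SHA-256 of the file.
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_site(backup_dir, clean_dir, customized=("web.config",)):
    backup, clean = index_tree(backup_dir), index_tree(clean_dir)
    report = {"modified": [], "added": [], "foreign": [], "customized": []}
    for rel, digest in sorted(backup.items()):
        if Path(rel).suffix in FOREIGN_EXTENSIONS:
            report["foreign"].append(rel)       # e.g. a PHP file on an ASP.NET site
        elif rel not in clean:
            report["added"].append(rel)         # uploads, skins, or something planted
        elif digest != clean[rel]:
            # Known local edits are listed separately but still need a manual read.
            key = "customized" if rel in customized else "modified"
            report[key].append(rel)
    return report

def demo():
    # Constructed sample trees standing in for the clean release and the site backup.
    with tempfile.TemporaryDirectory() as tmp:
        clean, backup = Path(tmp, "clean"), Path(tmp, "backup")
        shipped = {"Default.aspx": "<%@ Page %>", "ClientScript/site.js": "init();",
                   "Web.config": "<configuration/>"}
        for root in (clean, backup):
            for rel, text in shipped.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(text)
        (backup / "Web.config").write_text("<configuration><!-- local --></configuration>")
        (backup / "ClientScript/site.js").write_text("init();/* appended line */")
        (backup / "Data").mkdir()
        (backup / "Data/upload.php").write_text("placeholder")
        (backup / "Data/logo.png").write_text("placeholder")
        return compare_site(backup, clean)

if __name__ == "__main__":
    print(demo())
```

Compare against the release the site was actually running (2.3.6.5 in this thread); against a newer release nearly every file will show as modified.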

7/23/2013 1:02:29 PM
Total Posts 4

Re: my mojoportal under ddos attack plus xss

I got everything, thanks for your cooperation.

Regards Toya
