Author |
Topic |
johngo33
Starting Member
14 Posts |
Posted - 09 May 2002 : 16:36:20
|
I'm sorry about that. Will not do that again.
|
|
|
Morten
Junior Member
Denmark
251 Posts |
Posted - 09 May 2002 : 20:23:51
|
hehe....I've got one from the hackpatrol:
62.xx.128.xxx - 5/10/2002 2:11:23 AM
Morten (x's by me)
Edited by - morten on 09 May 2002 21:18:09 |
|
|
milki
Junior Member
Israel
320 Posts |
Posted - 10 May 2002 : 06:55:01
|
Can someone give the mod that can crash his browser when he tries to hack my forums? Thanks!
|
|
|
foo
New Member
52 Posts |
Posted - 10 May 2002 : 13:14:35
|
Please don't crash the browsers. It was my first instinct to lash back so I wrote the mod with the crash code. My second instinct, like many others, was to go searching for unhacked vulnerable sites and to warn them (sadly I haven't found one yet!) Crashing browsers defeats this effort. The best defense is to apply the patch. HuwR was right. If you want to do some good, go find an unhacked site that hasn't applied the patch and clue them in.
Tim
|
|
|
HandAble.com
Starting Member
15 Posts |
Posted - 10 May 2002 : 17:18:22
|
quote:
Please don't crash the browsers.
Indeed.. at worst, send them a redirect to Disney.com or something similarly saccharine sweet. Maybe find a way to erase the history so they can't use the back button to find your site via the back button as well.. hmmm.. I wonder..
quote:
The best defense is to apply the patch. HuwR was right. If you want to do some good, go find an unhacked site that hasn't applied the patch and clue them in.
I sent a message to the person running the site that hooked me on Snitz in the first place.. she hadn't applied the mod yet.. and with several hundred users and several thousand messages, she was very happy that someone did clue her in...
---- http://HandAble.com
Edited by - HandAble.com on 10 May 2002 17:20:20 |
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 10 May 2002 : 17:39:09
|
We installed something similar on this site, and then placed the following in the global.asa file in the Session_OnStart sub:
bannedip = "212.146.171.168|212.252.6.203|195.175.203.141|217.131.15.164|193.251.85.63|62.81.206.160|195.175.170.127|195.175.185.169"
'## "|" on both sides so only a whole address matches, not part of one
if InStr("|" & bannedip & "|", "|" & Request.ServerVariables("REMOTE_ADDR") & "|") > 0 then
    Response.Redirect("http://www.fbi.gov")
end if
The IP Addresses are e-mailed to me when someone attempts to hack the members page. I also have it sending me the entire Request.QueryString so I can see exactly what they were trying to do. The person who is attempting the hacking does not get any notice when they attempt it.
Then I just add IP Addresses to the bannedip list as I get new e-mails. |
|
|
Deleted
deleted
4116 Posts |
Posted - 10 May 2002 : 17:59:14
|
quote:
We installed something similar on this site, and then placed the following in the global.asa file in the Session_OnStart sub:
bannedip = "212.146.171.168|212.252.6.203|195.175.203.141|217.131.15.164|193.251.85.63|62.81.206.160|195.175.170.127|195.175.185.169"
'## "|" on both sides so only a whole address matches, not part of one
if InStr("|" & bannedip & "|", "|" & Request.ServerVariables("REMOTE_ADDR") & "|") > 0 then
    Response.Redirect("http://www.fbi.gov")
end if
The IP Addresses are e-mailed to me when someone attempts to hack the members page. I also have it sending me the entire Request.QueryString so I can see exactly what they were trying to do. The person who is attempting the hacking does not get any notice when they attempt it.
Then I just add IP Addresses to the bannedip list as I get new e-mails.
Maybe it is a good idea to make this code public, so that a lot of us install it and redirect the e-mails about hacking attacks to one person (admin or moderator) so that he/she filters them and keeps the list up-to-date and public.
As 99% of the Internet users use dial-up (and I'm sure the hackers do not work for a bank or a large company, at least they do not use those computers - or they do not work at all because they are kids between 14-22) they will use another similar IP, but not the same. It is also not a good idea to use nnn.nnn.*.* style, because people like me are also using these blocks.
Think Pink ==> Start Internationalization Here |
|
|
foo
New Member
52 Posts |
Posted - 10 May 2002 : 19:28:38
|
The Hack Mod has been updated with a whois link and a cut and paste form letter to send the hacker's ISP. It can be found at http://ozroot.com/forums .
quote:
The ozroot.com Hack Mod has detected an attempt to hack your forum.
Hacker IP - 5/10/2002 4:06:14 PM Pacific Daylight Time
The recommended course of action is to find the owner of the IP address at
http://www.geektools.com/cgi-bin/proxy.cgi?query="Hacker IP"
and send them the following message:
Hello,
Our web server at http://Your website has recently experienced a large number of malicious attacks. A user with the IP address:
Hacker IP
tried to break into our server and steal private information at:
5/10/2002 4:06:14 PM Pacific Daylight Time
These attacks have already cost us many hours and caused the loss of valuable data. It is our hope that you will take the appropriate action to ensure that these attacks do not continue from addresses under your control. We look forward to hearing back from you that this issue has been resolved.
Thank you,
Your Name Your email address
Tim
|
|
|
Morten
Junior Member
Denmark
251 Posts |
Posted - 10 May 2002 : 23:11:22
|
Absolutely brilliant, foo!!
Thanks a lot, just tested it with success
|
|
|
Hopeton
Starting Member
4 Posts |
Posted - 14 May 2002 : 22:53:08
|
My forum has actually been hacked ("Your Forum HAcked By SpyMasterSnake.Com"). How do I fix it?
|
|
|
James
Average Member
USA
539 Posts |
Posted - 14 May 2002 : 23:04:35
|
quote:
We installed something similar on this site, and then placed the following in the global.asa file in the Session_OnStart sub:
bannedip = "212.146.171.168|212.252.6.203|195.175.203.141|217.131.15.164|193.251.85.63|62.81.206.160|195.175.170.127|195.175.185.169"
'## "|" on both sides so only a whole address matches, not part of one
if InStr("|" & bannedip & "|", "|" & Request.ServerVariables("REMOTE_ADDR") & "|") > 0 then
    Response.Redirect("http://www.fbi.gov")
end if
The IP Addresses are e-mailed to me when someone attempts to hack the members page. I also have it sending me the entire Request.QueryString so I can see exactly what they were trying to do. The person who is attempting the hacking does not get any notice when they attempt it.
Then I just add IP Addresses to the bannedip list as I get new e-mails.
Richard, I currently have no global.asa running, but would like to do what you have. Could you post a simple version that will do the above (with formatting, sub, etc)?
- *Interested in Radio Control* *The RC Web Board - http://www.rcwebboard.com/* |
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 14 May 2002 : 23:31:20
|
The default global.asa file that is put in the root web directory when you first install IIS 5.0 has this for its contents:
<OBJECT RUNAT=Server SCOPE=Session ID=MyInfo PROGID="MSWC.MyInfo"> </OBJECT>
So, if you create a new file and name it global.asa and then place the following in it, it should work:
<OBJECT RUNAT=Server SCOPE=Session ID=MyInfo PROGID="MSWC.MyInfo">
</OBJECT>
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Session_OnStart
    '## Ban IP Addresses
    bannedip = "212.146.171.168|212.252.6.203|195.175.203.141|217.131.15.164|" & _
               "193.251.85.63|62.81.206.160|195.175.170.127|195.175.185.169"
    '## "|" on both sides so only a whole address matches, not part of one
    if InStr("|" & bannedip & "|", "|" & Request.ServerVariables("REMOTE_ADDR") & "|") > 0 then
        Response.Redirect("http://www.fbi.gov")
    end if
End Sub
</SCRIPT>
This file should be put in the webroot of your server ( i.e. c:\inetpub\wwwroot\ ) |
|
|
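A plain InStr(list, addr) test on a pipe-delimited ban list is a substring match, so an unlisted visitor whose address is a fragment of a listed one, or whose address arrives empty, is treated as banned. The following is an added example, not code from any poster in this thread: it compares the substring test with a whole-entry comparison under Windows Script Host (cscript). The function names are hypothetical and the addresses are constructed RFC 5737 documentation addresses.

```vbscript
Option Explicit

' Constructed sample ban list (RFC 5737 documentation addresses), in the
' same pipe-delimited format as the bannedip string used in global.asa.
Const BANNED_IPS = "192.0.2.110|198.51.100.25"

' Plain substring test: True whenever addr occurs anywhere in the list.
' InStr also returns 1 for an empty addr, so an empty address "matches".
Function IsBannedSubstring(list, addr)
    IsBannedSubstring = (InStr(list, addr) > 0)
End Function

' Whole-entry test: split on the delimiter and compare complete entries.
Function IsBannedExact(list, addr)
    Dim entry
    IsBannedExact = False
    If Len(Trim(addr)) = 0 Then Exit Function   ' empty address never matches
    For Each entry In Split(list, "|")
        If Trim(entry) = Trim(addr) Then
            IsBannedExact = True
            Exit Function
        End If
    Next
End Function

' Constructed visitor addresses: one listed, two fragments of a listed
' address, one unrelated, and one empty value.
Dim samples, addr
samples = Array("198.51.100.25", "192.0.2.11", "2.0.2.110", "203.0.113.7", "")
For Each addr In samples
    WScript.Echo "[" & addr & "]" & vbTab & _
                 "substring=" & IsBannedSubstring(BANNED_IPS, addr) & vbTab & _
                 "exact=" & IsBannedExact(BANNED_IPS, addr)
Next
```

Inside Session_OnStart the same whole-entry function can take Request.ServerVariables("REMOTE_ADDR") as its addr argument.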
Hopeton
Starting Member
4 Posts |
Posted - 15 May 2002 : 00:10:26
|
Richard,
Do you have any ideas on how to fix a hacked Snitz forum? When I try to access the forum I get the following message from the down.asp page: "Your Forum HAcked By SpyMasterSnake.Com". I tried to reload the forum with fresh files and got the same message. Does this have to be fixed at the database level?
Any suggestions or pointers would help.
Thanks.
|
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 15 May 2002 : 00:44:17
|
Yes, you would need to change the Admin Password in the database, because the person who hacked your forum most likely changed it. |
|
|
Hopeton
Starting Member
4 Posts |
Posted - 15 May 2002 : 02:18:29
|
The password was changed! I changed it to something new but I still get the same message when I try to load the site.
|
|
|