Author |
Topic  |
wcameron
New Member

55 Posts |
Posted - 08 May 2002 : 09:22:33
|
I guess I'm just the latest hack victim. My forums were hacked by someone calling themself Northwind. At first, it seemed like they simply defaced the site, changing most of my main admin settings to point to a home page at http://selintoktay.gq.nu and forums at http://forum.wardom.com/
In reality, when I changed the admin settings back, the changes were accepted, but nothing changed. I planned on restoring from a backup, and then implementing the security fixes (I know, a little too late now), but nothing seems to help. The forum defacement says "Hacked by Northwind for good", and it seems true. I have gone as far as to completely delete all snitz files, including the database, and uploaded (I think) a clean backup, and yet the defacement remains. Please help.
You can see the problem at www.MountainNature.com/forum.
Edited by - wcameron on 08 May 2002 09:26:15 |
|
crash
Advanced Member
    
Netherlands
2064 Posts |
Posted - 08 May 2002 : 09:34:12
|
can you get to the file config.asp? if so, try downloading it and check where the strConnString points to.
if you can set it to another place, do so. i have a script for you that allows you to change the admin password online (DBS file) but you will need to be able to login as admin...
 Crash's Site | Crash is from 
|
 |
|
Gremlin
General Help Moderator
    
New Zealand
7528 Posts |
Posted - 08 May 2002 : 09:35:09
|
Make sure you apply the fixes, your members.asp does not look like it's been updated to prevent them from just going back and hacking it again :(
If you go into your admin settings you will see that all they have done is changed the main configuration options, you can change them back pretty easily.
Please please update that members.asp though as soon as possible
www.daoc-halo.com
Edited by - Gremlin on 08 May 2002 09:37:38 |
 |
|
crash
Advanced Member
    
Netherlands
2064 Posts |
Posted - 08 May 2002 : 10:08:18
|
yes. update members.asp first, then change/edit config.asp
|
 |
|
gbdg
New Member

73 Posts |
Posted - 08 May 2002 : 13:57:22
|
I got hacked too - www.northbay-tu.org
Can someone on the dev team look at the site and let me know (privately please) if you spot anything I need to update please?
Greg
|
 |
|
shahaf
Starting Member
Israel
39 Posts |
Posted - 08 May 2002 : 15:35:38
|
Your forum is a phpBB community as I can see so what is the connection between your forum and this forum? or maybe I missed something??? If I didn't miss a thing, you should ask for help in phpBB main community!
|
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 08 May 2002 : 15:46:01
|
quote:
I got hacked too - www.northbay-tu.org
Can someone on the dev team look at the site and let me know (privately please) if you spot anything I need to update please?
Greg
The second post here has a link to the fixes you need to apply to your forum code.
------------------------------------------------- Installation Guide | Do's and Dont's | MODs |
 |
|
Gremlin
General Help Moderator
    
New Zealand
7528 Posts |
Posted - 08 May 2002 : 18:21:09
|
Looks like wcameron has now been rehacked by another group of people .. this really is getting ridiculous.
www.daoc-halo.com |
 |
|
gbdg
New Member

73 Posts |
Posted - 08 May 2002 : 19:53:56
|
I caught them in the act, and know how they are doing it. It's a malformed URL that reveals *ALL* member passwords, and they are walking straight in the front door.
Someone from the dev team please contact me - I sent an email to Huw and Mike R.
|
 |
|
Gremlin
General Help Moderator
    
New Zealand
7528 Posts |
|
wcameron
New Member

55 Posts |
Posted - 08 May 2002 : 21:51:16
|
I've applied the fixes to members.asp and printer_friendly_post.asp. I've also uploaded backup copies of my forum to overwrite the changed files, as well as the snitz database. Nothing changes though. I can't seem to remove the defacements and reclaim control of the forum. I can't log in as an administrator, even though I have manually edited the database (so it should work).
Thanks to all the people that have helped me with this problem.
wcameron
|
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 08 May 2002 : 21:56:44
|
Are you sure you have put the database where it should be? I ran setup.asp on your forum and most of the graphical looks are back. There are still some things that need to be changed, but they need to be changed in the database.
Hey, this can be fixed. I'm sure there is something that you are not doing right...
 |
|
Gremlin
General Help Moderator
    
New Zealand
7528 Posts |
Posted - 08 May 2002 : 22:08:56
|
Sounds to me like you're updating the wrong version of the DB. I've just checked and you've closed up the members.asp bug ok now anyway :) so at least that's something.
www.daoc-halo.com |
 |
|
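An added example, not part of any post in this thread and not Snitz code: a small check for the situation discussed above, where a restored database has no effect because config.asp points strConnString somewhere else. The sample config.asp content and its paths are constructed, and the script assumes a flat config file in which the last uncommented assignment is the one in effect.

```python
import re

# Constructed sample of a config.asp; the connection strings and paths
# are made up for illustration.
SAMPLE_CONFIG = r'''<%
'strConnString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("snitz_forums_2000.mdb")
strConnString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=d:\data\old\snitz_forums_2000.mdb" ' live copy
'strConnString = "driver={SQL Server};server=SERVER;uid=UID;pwd=PWD;database=DB"
%>'''

ASSIGN = re.compile(r'^\s*strConnString\s*=\s*(.+)$', re.IGNORECASE)
DATA_SOURCE = re.compile(r'Data Source=([^;"]*)', re.IGNORECASE)

def strip_comment(line):
    """Drop a VBScript ' comment, ignoring apostrophes inside "..." strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def active_conn_strings(text):
    """Return (line_number, data_source, raw_expression) per live assignment."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(strip_comment(line))
        if m:
            expr = m.group(1).strip()
            ds = DATA_SOURCE.search(expr)
            # An empty capture means the path is built at run time
            # (e.g. Server.MapPath); report None and keep the raw expression.
            path = ds.group(1) if ds and ds.group(1) else None
            found.append((n, path, expr))
    return found

def effective_data_source(text):
    """Assumption: no conditionals, so the last live assignment wins."""
    hits = active_conn_strings(text)
    return hits[-1][1] if hits else None

if __name__ == "__main__":
    for n, path, expr in active_conn_strings(SAMPLE_CONFIG):
        print(f"line {n}: data source = {path!r}")
    print("forum is reading:", effective_data_source(SAMPLE_CONFIG))
```

Compare the reported path with the location of the database file you restored or edited; if they differ, the forum is still reading the other copy.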
wcameron
New Member

55 Posts |
Posted - 08 May 2002 : 22:37:14
|
Hurray! I think I've got it solved. I think part of the problem had to do with the fact that while I was trying to repair one hack, another person was hacking it again. So here lies the challenge. Now that the patches have been applied, should I be safe now? I'm sure new exploits will be developed, but will this protect me on the short term? And yes, I have created entirely new passwords for all of my accounts.
Thanks again,
Ward
|
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 08 May 2002 : 22:50:44
|
Yes, I think these patches will keep you safe. Anyway remember to back up the database periodically.
 |
|
gbdg
New Member

73 Posts |
Posted - 09 May 2002 : 00:29:32
|
Now that I fixed the forum that got slammed, I checked other forums I am running. I'm not able to locate code that matches the areas being repaired to block these vulnerabilities. I copied the portion of the url that he used to attack me, and executed it against those sites - no passwords revealed (thank goodness).
Does this mean those other boards are not vulnerable to this threat?
What versions are vulnerable?
How do I determine the version of a board? I looked at config.asp and see no indication.
Thanks, what a long day this became...
Greg
|
 |
|