Author |
Topic  |
|
haai
Starting Member
Belgium
3 Posts |
Posted - 14 August 2002 : 05:41:26
|
I also have a Snitz forum running on my site. It was hacked yesterday. The default password was changed from the default one (admin / admin, if I remember correctly).
Is this hack the consequence of a bug in the forum?
You can see the hacked result in this private map: http://www.kvcwesterlo.be/forum-Hernoemd/default.asp
They changed the top image, deleted all administrators, and changed some text at the top and bottom. |
|
Gremlin
General Help Moderator
    
New Zealand
7528 Posts |
Posted - 14 August 2002 : 05:51:44
|
If you never changed the admin password from the default, then this was just waiting to happen.
Please make sure you read and apply all of the bugfixes listed in this forum. Or, failing that, if you can wait a week or so, there will be a brand new version of Snitz (v3.4) available to everyone. |
Kiwihosting.Net - The Forum Hosting Specialists
|
 |
|
D3mon
Senior Member
   
United Kingdom
1685 Posts |
Posted - 14 August 2002 : 06:27:57
|
The fact that the hacker is from Turkey seems to be almost as important as his 'name'! Is Turkey the place to be for hackers these days? |
 Snitz 'Speedball' : Site Integration Mod : Friendly Registration Mod "In war, the victorious strategist only seeks battle after the victory has been won" |
 |
|
D3mon
Senior Member
   
United Kingdom
1685 Posts |
Posted - 14 August 2002 : 06:33:56
|
This seems like a silly question but here goes -
How come I can't lock the default 'admin' account? It's common practice on servers and domains to create a new user account, give them admin rights then disable the admin account to avoid opportunist hacks on 'default' settings. |
 Snitz 'Speedball' : Site Integration Mod : Friendly Registration Mod "In war, the victorious strategist only seeks battle after the victory has been won" |
 |
|
davemaxwell
Access 2000 Support Moderator
    
USA
3020 Posts |
Posted - 14 August 2002 : 07:49:11
|
In v3.4, there is no default account. You MUST create the account at setup time (note: will not affect the upgrades, I don't think). This is to prevent it for when someone doesn't bother to change the original admin password. 90% of the time, this is the cause of most Snitz hacks, and v3.4 takes the steps needed to stop that.
As for why you can't lock the default admin account, it's because that way you are guaranteed to have one account that can't be changed (i.e. one admin can't delete the original admin account and take over). It's a catch-all to prevent abuse. |
Dave Maxwell Barbershop Harmony Freak |
 |
|
haai
Starting Member
Belgium
3 Posts |
Posted - 14 August 2002 : 08:16:46
|
I have changed the default admin password; that wasn't the reason they could log in.
I'll wait until next week to update to a new version, but for now there must be a (small) bug in the code so they could log in yesterday...
or they were really good ;-) |
 |
|
Gremlin
General Help Moderator
    
New Zealand
7528 Posts |
Posted - 14 August 2002 : 08:38:23
|
Check the forum I linked to; there was a well publicised bug in members.asp which revealed all users' passwords. 3.3.05 fixes this problem and all others to date as well. But definitely wait for 3.4 if you can hold out another week or so. |
Kiwihosting.Net - The Forum Hosting Specialists
|
 |
|