Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 MOD-Group
 MOD Add-On Forum (W/Code)
 Go away, Hackers!
 New Topic  Topic Locked
 Printer Friendly
Next Page
Author Previous Topic Topic Next Topic
Page: of 2

CaNgo
Starting Member

15 Posts

Posted - 16 August 2002 :  10:17:45  Show Profile
I use HuwR's version and applied all the security patches but it just has been hacked. Hacker used pop_mail.asp, put SQL Update command (I use SQL Server 2000 for database) and changed the email in the Admin account. Then they simply request a password reminder. They also attacked links.asp, default.asp… After that I fixed the holes and wrote this code. It’s based on “I’ve been hacked MOD” written by Foo. I would put this at the beginning of 2 files: inc_top.asp and inc_top_short.asp.

Remember, this is not a security patch. You have to patch all your files.

<% 
If Request.ServerVariables("QUERY_STRING") <> "" then
strChkQuery = UCase(Server.URLEncode(Request.ServerVariables("QUERY_STRING")))
If Instr(strChkQuery,"FORUM%5FMEMBERS") OR Instr(strChkQuery,"UNION") OR Instr(strChkQuery,"SELECT") Then
strTime = Now()
strRecipientsName = "Admin"
strIP = Request.ServerVariables("REMOTE_ADDR")
strRecipients = "YourEmailAddress"
strFrom = "Hack Patrol"
strFromName = "Hack Patrol"
strFromAddress = "YourEmailAddress"
strSubject = "Got One"
strMessage = strIP & " - " & strTime & vbcrlf
strMessage = strMessage & Request.ServerVariables("URL") & vbcrlf
strMessage = strMessage & Request.ServerVariables("QUERY_STRING")
%>
<!--#INCLUDE FILE="inc_mail.asp" -->
<%Response.Redirect("http://www.bored.com")
Response.End
End If
End If
%>


Edited by - CaNgo on 16 August 2002 17:05:07

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 16 August 2002 :  11:10:30  Show Profile  Visit Gremlin's Homepage
Good idea.

You will need to change FORUM_MEMBERS though to FORUM%5FMEMBERS else it won't pick that one up - this is becuase of the URLEncode your doing on the string. I'd add M%5FPASSWORD to that check as well as another backstop.

Kiwihosting.Net - The Forum Hosting Specialists
Go to Top of Page

CaNgo
Starting Member

15 Posts

Posted - 16 August 2002 :  11:17:03  Show Profile
Thanks Gremlin, I corrected that line.
Go to Top of Page

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 16 August 2002 :  11:28:00  Show Profile  Visit Gremlin's Homepage
Your welcome.

Also to note is that by placing that code either of the inc_top files you may end up with some pages having 2 copies of inc_mail.asp being included. At a quick glance I don't think this would cause any problems as theres no DIM, FUNCTIONS or SUBs in there but just something to be weary of.

Kiwihosting.Net - The Forum Hosting Specialists
Go to Top of Page

CaNgo
Starting Member

15 Posts

Posted - 16 August 2002 :  11:44:29  Show Profile
I'm not sure about this. If the querystring has those nasty words then it would include the inc_mail.asp to send mail, then it redirect hacker to other website. It's ended with Response.End. If the condition has not been met, it wouldn't include the inc_mail.asp.
Is it right?
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 16 August 2002 :  11:53:49  Show Profile  Send ruirib a Yahoo! Message
Adding the red part in line 47 is enough to fix it:

strSql = "SELECT M.M_EMAIL, M.M_NAME FROM " & strMemberTablePrefix & "MEMBERS M"
strSql = strSql & " WHERE M.MEMBER_ID = " & CLng(Request.QueryString("ID"))


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

CaNgo
Starting Member

15 Posts

Posted - 16 August 2002 :  12:05:14  Show Profile
Yes, I fixed that in my pop_mail.asp. As I said in my post, the code is not a security fixed. It's just another way to protect the other pages which we don't know if they have security holes or not. With all the MODs installed, I have no ideas which page is safe anymore!
Go to Top of Page

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 16 August 2002 :  12:09:59  Show Profile  Visit Gremlin's Homepage
All Include statements are parsed by IIS before any ASP is so I believe it would infact include both.

Kiwihosting.Net - The Forum Hosting Specialists
Go to Top of Page

CaNgo
Starting Member

15 Posts

Posted - 16 August 2002 :  12:49:51  Show Profile
If so, we can take out the send mail part:

<%
If Request.ServerVariables("QUERY_STRING") <> "" then
strChkQuery = UCase(Server.URLEncode(Request.ServerVariables("QUERY_STRING")))
If Instr(strChkQuery,"FORUM%5FMEMBERS") OR Instr(strChkQuery,"UNION") OR Instr(strChkQuery,"SELECT") Then
Response.Redirect("http://www.bored.com")
End If
%>
Go to Top of Page

Etymon
Advanced Member

United States
2385 Posts

Posted - 16 August 2002 :  16:06:42  Show Profile  Visit Etymon's Homepage
Thanks a lot for the code, CaNgo!

Seeing topics like this one gets me curious.

Because of issues exactly like this, it would be awesome if some Snitz members created a "MOD Builder's Guild" where the leaders of the guild would scrutinize the security issues of the MODs "before" the MOD's were publicized here at the forums. The MODs could be supported with a group effort rather than just a few individuals.

I think it would really help bring the Snitz community together. It would also be fun to see great minds working on cool projects.

Just my thoughts though.

Thanks again for the code, CaNgo!


Best regards,

Etymon


Edited by - Etymon on 16 August 2002 16:08:41
Go to Top of Page

OneWayMule
Dev. Team Member & Support Moderator

Austria
4969 Posts

Posted - 16 August 2002 :  16:13:28  Show Profile  Visit OneWayMule's Homepage  Send OneWayMule an ICQ Message
Thanks CaNgo, nice code!

My MODs:
Birthdays - Custom Policy - F.A.Q. Administration - Forum Rules - Guestbook
Links Manager - MyOwnGoogle - Profile Views - Search Log - WebSearch

Useful stuff:
Forum and MOD Installation - MOD Installation Guide - Snitz v3.4.05 Readme - Free ASP Hosts - Support Snitz
Go to Top of Page

Kent
Junior Member

United States
193 Posts

Posted - 16 August 2002 :  18:56:48  Show Profile
I run Huwr's portal on an Access DB. Is it vulnerable to the same hack?
Go to Top of Page

CaNgo
Starting Member

15 Posts

Posted - 16 August 2002 :  19:11:54  Show Profile
I think you can only using SQL injection attack on SQL server, MySQL... not on Access. Someone told me you can only use insertion injection with Access.

Maybe they can insert a new user with admin access? It's possible.
Go to Top of Page

Longnt06k
Starting Member

Vietnam
29 Posts

Posted - 20 August 2002 :  05:09:34  Show Profile  Visit Longnt06k's Homepage  Send Longnt06k a Yahoo! Message
Hey , some hacker used URLencode to pass , How to fix it ???.
That scripts was disabled when Hacker used urlencode !!!
Go to Top of Page

rick7165
Senior Member

USA
1094 Posts

Posted - 20 August 2002 :  05:25:05  Show Profile  Visit rick7165's Homepage
Don't mislead everyone with this... Its NOT Huwr's Portal that's vulnerable to being hacked... It's the Snitz Base Code no matter if its on Huwr's Modded Forum or just a standard Snitz Forum. You need to apply all patches to anything under 3.4


quote:
Originally posted by Kent

I run Huwr's portal on an Access DB. Is it vulnerable to the same hack?


Test Site:
EastPasco Huw's Code 3.3.10 SQL 2000
Huwr's Modified Code
Email
Go to Top of Page

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 20 August 2002 :  06:01:34  Show Profile
quote:
Originally posted by Longnt06k

Hey , some hacker used URLencode to pass , How to fix it ???.
That scripts was disabled when Hacker used urlencode !!!

How much clearer can we make it for you? You obviously have not applied the fixes that we have posted. If you continue to post all over this forum with these types of posts, I will have no choice but to lock your account. It seems all you want to do is post nonsense posts and try to make everyone think that there is this grand bug that hasn't been fixed.

Read this forum:
http://forum.snitz.com/forum/forum.asp?FORUM_ID=118

and make sure that all of the fixes have been made to your forum. That means you have to actually edit the files in question with a text/html editor and then save the file and upload it to your site.
Go to Top of Page
Page: of 2 Previous Topic Topic Next Topic  
Next Page
 New Topic  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.26 seconds. Powered By: Snitz Forums 2000 Version 3.4.07