RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 05 December 2002 : 22:20:20
Until confirmed otherwise, we think that this person just knew one of the Admin passwords. Remember the hack to the members.asp page in v3.3.xx that displayed all passwords on the members.asp page next to the username? Some of the Admins here haven't logged in for a while. So we think that maybe that's how this person was able to make themselves an Admin. We are not positive though. We did go in and change the passwords for these Admins just in case.
redbrad0
Advanced Member
USA
3725 Posts
Posted - 05 December 2002 : 22:30:40
quote:
yahoo.com hotmail.com netscape.com excite.com myrealbox.com football.com
Do a search on Google, or just CLICK HERE and it will return about 119,000 web pages.
I think this should be built into the base of Snitz as an option to not allow certain domains to be registered on the website. I would be more than happy to get this code into the base of Snitz, and I also (in my little spare time) will try to look at the base code and see if I can see anything that should be changed.
Richard & HuwR, both of y'all are THE MAN. I don't know how both of you do all the work you do here. I have been a long time member (Nov 17, 2000) as most of you know and with my life and 2 jobs I barely have time to sleep. I would just like to commend (spelling?) both of you two on one hell of a product that you both have helped get to where it is at.
Brad Oklahoma City Online Entertainment Guide Oklahoma Event Tickets
Etymon
Advanced Member
United States
2385 Posts
Posted - 06 December 2002 : 00:05:45
quote: Originally posted by ruirib
I think some discomfort comes from not knowing how they did it. I think some solace also comes from the fact that we're not watching a hacking wave, like we had with the 3.3.x infamous members.asp bug...
You're right, ruirib! Thanks for keeping us on track.
Cheers,
Etymon
sy
Average Member
United Kingdom
638 Posts
Posted - 06 December 2002 : 06:37:07
quote: Originally posted by RichardKinser there are many, many others. Does anyone know of a place that might keep a list of them?
This should be a good start; it's a site that reviews email services and seems to have all the ones I can think of included. HTH
Free email account listing
The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails
MichaelA
Junior Member
USA
222 Posts
Posted - 06 December 2002 : 07:50:25
Richard,
One other thought that I have not seen yet.
Is it possible a reworked ASP script could have caused the hackers to get in? Could they have altered a script to give themselves access to any part of the forums? (I'm asking as I am neither a Snitz nor an ASP guru.)
If there is that possibility, would restricting access to the code by requiring a person to register first help? True, you might get some bogus information but it might be a small deterrent. Could the script that downloads the product log the registered name with the IP address used so there is something for future reference?
Again, I'm not a guru so I may be way off base. Just some thoughts. It sounds like they just made some page changes and, so far, nothing else has come to the surface. I was not aware of the problem until I logged on the other day. Been busy getting the Snitz forums going on my web site.
I've heard some good ideas here. While I do understand your frustration over someone doing such an utterly stupid and childish thing to an all-volunteer, open-source project, I hope that you take this as a challenge, not a threat. Where would all of us be if not for such a great product? We might not be able to have the success on our websites if not for the relationship with this community of people. Not only have you turned out a great product but you have produced an international group of people who may not have much in common, who may be natural, cultural "enemies", who may have used their ASP and computer expertise in other ways (hacking!) and made them a community that bonds together to create a very useful and greatly needed product with extensible MODs. All the other issues of life get pushed aside while they are working on this project and helping others worldwide without regard to who they are helping - without regard to race, religion, gender, or anything else! You should have an office at the UN! I know my family is happy that you have kept me off the streets.
Enough of my rambling. A big thanks to Richard and the development team and all those who have created MODs and helped me and others have successful forums. Happy holidays to you and your families.
Thank you
Mike
D3mon
Senior Member
United Kingdom
1685 Posts
Posted - 06 December 2002 : 07:53:55
Surely it's gonna be impossible to keep track of all the free email services?!? Email validation (sending them the password via their submitted email address) is surely the safest way.
Snitz 'Speedball' : Site Integration Mod : Friendly Registration Mod "In war, the victorious strategist only seeks battle after the victory has been won"
davemaxwell
Access 2000 Support Moderator
USA
3020 Posts
Posted - 06 December 2002 : 07:58:10
Eliminating all the free services makes it easier to hold others accountable for their actions. It is simply too easy to get a free service and then abuse it. Eliminating the free services allows us to track the problems back to the source more efficiently.
This is done on the other major forums (vBulletin for sure), and while I am not particularly fond of the approach, it's obviously becoming a necessity.
Dave Maxwell Barbershop Harmony Freak
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 06 December 2002 : 08:45:09
Plus, with the free services, you can just go and get another email address if we lock your account and register again.
edw
Starting Member
9 Posts
Posted - 06 December 2002 : 09:39:13
Here is my suggestion:
1. Take a snapshot of the Members table every 24 hours.
2. Compare the Members table with the snapshot for changes.
If a change in Admin privilege is detected, then alert the administrator.
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 06 December 2002 : 09:59:39
We are now being informed if anyone changes their m_level to admin status; I have created a trigger which will email me the username changed.
PeeWee.Inc
Senior Member
United Kingdom
1893 Posts
Posted - 06 December 2002 : 10:45:25
Euroseek SearchEurope Asturies Ad Valvas Belgique.com DigiBel K's Choice PIMail Student 3XL.net Cataloniamail.com TVCatalunya UOLCat.com Vilaweb.com BlackburnMail.com CheshireMail.com CumbriaMail.com DownSouth GoColchester.com LancsMail.com McrMail.com MerseyMail.com SurfLondon Alinto.com AltaVista Aude.org AuFeminin Bigfoot BNP-Mail.com Boitolet' Caramail Chez Citeweb CyberDif Cyberis.fr DotMail EmailPlanet Excite FaireSuivre.com France-Mail FranceMail Free.fr FZ.ML.org Hotmail ID-Clic iFrance L'Express La Poste Le mél Le Monde LeMailParisien LibeMail Lycos MailClub MailPass M@ilperso.com MailStart Meloo.com MonCourrier Multimania Mygale Nomade PageFrance Remcomp RESpublica Sites-Internet Spray TF1 TFZ.net TinTin Tuner.fm VisitMail Voila Mail WebMailS Yahoo.fr Youpy Glór Mhaigh Eo Ireland.com NFMail Online.ie Oxygen.ie Yahoo.ie Sagra Webmail.lu 12Move AltaVista Adres Apenstaartje De Digitale Stad Dolfijn FreeMail Gate99 Lycos Mail4U MailJe MailMe MailMij MediaPort Rotterdam Nederlands.com NetMail NetPostBus WishMail ZonNet Irish4Ever.com EmailPlanet Iupi.pt Luso Lusoweb Mail.pt MegaMail PortugalMail SAPO Starmedia Mail Youpy.com Ecosse.net Aucland Axis Correo.nu EmailPlanet Excite FotoFutura Guay Hotmail InfoJobs Infopista Jurídica La-Mano LaNetro Lycos MailStart MARCA.es MixMail OleMail OZU Personales Repsol.com SportBarrio Terra Mail 2000Net.com 2BMail ABCFlash.net AFCi Connect AltaVista UK Another.com Bigfoot ClaraMail ConnectFree Digital Mail EasyPost EM365 Excite FetchMail Financial Times Fortune City UK Free-Online.net FreeServe FunkyTiger Funmail (Offers over 3,500 domain names) Jeeves Mail LiquidInformation Live Club Living History LookSmart LycosMail UK ManCity.net ManuUFree.net MyMail Nameplanet.com Postman Pat Mail Postmaster PurpleTurtle Talk21 Tesco Net TheMail Tollon UK111.com UK2.net UKMax WindyGates WorldWideMail X-Stream Youpy.co.uk Bantu Everyday.com Nameplanet.com Starmedia Mail Youpy
De Priofundus Calmo Ad Te Damine
xstream
Junior Member
242 Posts
Posted - 06 December 2002 : 11:12:39
quote: Originally posted by HuwR
We are now being informed if anyone changes their m_level to admin status; I have created a trigger which will email me the username changed.
Is it pretty easy to do?
X
GauravBhabu
Advanced Member
4288 Posts
Posted - 06 December 2002 : 11:29:56
Yes! You will need to make a few changes in pop_profile.asp.
PeeWee.Inc
Senior Member
United Kingdom
1893 Posts
Posted - 06 December 2002 : 11:35:13
Anyone fancy giving out the code to do this? And do you think it would be hard to edit it to send a PM?
De Priofundus Calmo Ad Te Damine
pknaz
Junior Member
USA
117 Posts
Posted - 06 December 2002 : 13:50:56
I would imagine the best way to do the trigger would be through SQL Server and not an ASP page. Just my $.02 worth. I realize that most people don't have the luxury of SQL Server, so maybe the instructions for both ways would be best?
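Both detection ideas from this thread, edw's daily snapshot-and-compare and HuwR's database trigger on m_level, worked through as an added example; this is not code from the thread, from Snitz, or from any of the posters. It is Python over an in-memory SQLite database standing in for the forum's SQL Server or Access database, so it runs anywhere. The table and column names FORUM_MEMBERS, MEMBER_ID, M_NAME and M_LEVEL, and the assumption that M_LEVEL 3 means admin status, follow the Snitz schema as I recall it and are assumptions here (the thread only names "m_level" and "the Members table"); MEMBERS_SNAPSHOT, ADMIN_CHANGE_LOG and the member names are invented for the example.

```python
import sqlite3

# Assumptions (not stated in the thread): the Snitz member table is FORUM_MEMBERS
# with columns MEMBER_ID, M_NAME, M_LEVEL, and M_LEVEL = 3 is admin status.
# MEMBERS_SNAPSHOT and ADMIN_CHANGE_LOG are invented names for this example.
ADMIN_LEVEL = 3

SCHEMA = f"""
CREATE TABLE FORUM_MEMBERS (
    MEMBER_ID INTEGER PRIMARY KEY,
    M_NAME    TEXT NOT NULL,
    M_LEVEL   INTEGER NOT NULL
);
CREATE TABLE MEMBERS_SNAPSHOT (
    MEMBER_ID INTEGER PRIMARY KEY,
    M_NAME    TEXT NOT NULL,
    M_LEVEL   INTEGER NOT NULL
);
CREATE TABLE ADMIN_CHANGE_LOG (
    LOG_ID     INTEGER PRIMARY KEY AUTOINCREMENT,
    MEMBER_ID  INTEGER NOT NULL,
    M_NAME     TEXT NOT NULL,
    OLD_LEVEL  INTEGER NOT NULL,
    NEW_LEVEL  INTEGER NOT NULL,
    CHANGED_AT TEXT NOT NULL DEFAULT (datetime('now'))
);
-- HuwR's approach: a trigger that records every UPDATE raising M_LEVEL to admin.
-- Each log row is one alert; an e-mail or PM would be sent from it.
CREATE TRIGGER TRG_ADMIN_ESCALATION
AFTER UPDATE OF M_LEVEL ON FORUM_MEMBERS
WHEN NEW.M_LEVEL = {ADMIN_LEVEL} AND OLD.M_LEVEL <> {ADMIN_LEVEL}
BEGIN
    INSERT INTO ADMIN_CHANGE_LOG (MEMBER_ID, M_NAME, OLD_LEVEL, NEW_LEVEL)
    VALUES (NEW.MEMBER_ID, NEW.M_NAME, OLD.M_LEVEL, NEW.M_LEVEL);
END;
"""


def open_db():
    """Create the in-memory stand-in for the forum database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def take_snapshot(conn):
    """edw's step 1: copy the Members table (would run from a daily job)."""
    with conn:
        conn.execute("DELETE FROM MEMBERS_SNAPSHOT")
        conn.execute("INSERT INTO MEMBERS_SNAPSHOT "
                     "SELECT MEMBER_ID, M_NAME, M_LEVEL FROM FORUM_MEMBERS")


def compare_with_snapshot(conn):
    """edw's step 2: members who are admin now but were not in the snapshot.
    The LEFT JOIN also catches rows inserted directly at admin level."""
    rows = conn.execute(f"""
        SELECT m.MEMBER_ID, m.M_NAME, s.M_LEVEL, m.M_LEVEL
        FROM FORUM_MEMBERS m
        LEFT JOIN MEMBERS_SNAPSHOT s ON s.MEMBER_ID = m.MEMBER_ID
        WHERE m.M_LEVEL = {ADMIN_LEVEL}
          AND (s.M_LEVEL IS NULL OR s.M_LEVEL <> {ADMIN_LEVEL})
        ORDER BY m.MEMBER_ID""").fetchall()
    return [{"member_id": r[0], "name": r[1], "old_level": r[2], "new_level": r[3]}
            for r in rows]


def trigger_log(conn):
    """What the trigger recorded; each row is one alert to send."""
    return conn.execute("SELECT MEMBER_ID, M_NAME, OLD_LEVEL, NEW_LEVEL "
                        "FROM ADMIN_CHANGE_LOG ORDER BY LOG_ID").fetchall()


def demo():
    """Constructed scenario: two admins, two members, then three changes."""
    conn = open_db()
    with conn:
        conn.executemany("INSERT INTO FORUM_MEMBERS VALUES (?, ?, ?)", [
            (1, "admin_a", ADMIN_LEVEL), (2, "admin_b", ADMIN_LEVEL),
            (3, "member_c", 1), (4, "member_d", 1)])
    take_snapshot(conn)
    with conn:
        # existing account promoted to admin: caught by the trigger and by the diff
        conn.execute("UPDATE FORUM_MEMBERS SET M_LEVEL = ? WHERE M_NAME = 'member_d'",
                     (ADMIN_LEVEL,))
        # new account inserted straight in at admin level: the UPDATE trigger is
        # silent, the snapshot diff still reports it
        conn.execute("INSERT INTO FORUM_MEMBERS VALUES (5, 'intruder', ?)", (ADMIN_LEVEL,))
        # moderator promotion: a change, but not to admin, so neither check alarms
        conn.execute("UPDATE FORUM_MEMBERS SET M_LEVEL = 2 WHERE M_NAME = 'member_c'")
    return compare_with_snapshot(conn), trigger_log(conn)


if __name__ == "__main__":
    escalations, alerts = demo()
    for e in escalations:
        print("snapshot diff:", e)
    for a in alerts:
        print("trigger alert:", a)
```

The two checks cover each other's blind spots: the UPDATE trigger fires the moment a level changes but says nothing about a row inserted already at admin level, while the daily diff sees every admin that was not there yesterday but misses an escalation that is reverted before the next run. On SQL Server the same trigger would be written in T-SQL against the inserted/deleted pseudo-tables; where only Access is available (pknaz's point), the snapshot comparison can be run from a scheduled ASP page instead.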