tlianza
Starting Member
USA
5 Posts |
Posted - 27 July 2005 : 01:50:45
|
Hello,
My Snitz Forum was hacked today. The categories were renamed, and random posts were inserted. Various footer/decorations have been changed. Not sure what else. The hacker left the following clue as to how s/he did it:
"how i hack in first i introduce it a code in you login.asp the code was 'or''=' whit this i login whit admin options so you shut patch you forum ;) sorry for mi inglish is not good i know"
Makes me think it's an exploit in the forum code. I am currently running version 3.4.04, I'll upgrade to 05 but I don't see any security fixes listed in that release, so I'm not optimistic that it will help any. Does anyone have any ideas? Has anyone else experienced a problem like this?
Thanks! |
Edited by - tlianza on 27 July 2005 01:52:01 |
|
MarcelG
Retired Support Moderator
    
Netherlands
2625 Posts |
Posted - 27 July 2005 : 03:12:44
|
Tlianza, if you can get your hands on the IIS log files you'd perhaps be able to trace this bloke down. I'm not sure how he's done it, but it seems he used a form of SQL injection to do this. 3.4.05 does include several security fixes if I'm not mistaken.
However, I haven't heard anything regarding SQL injection... |
 |
|
Gremlin
General Help Moderator
    
New Zealand
7528 Posts |
Posted - 27 July 2005 : 03:42:19
|
There was a patch for login.asp for .03 as I recall, can't recall anything off the top of my head in .04 |
|
 |
|
tlianza
Starting Member
USA
5 Posts |
Posted - 27 July 2005 : 12:22:42
|
quote: Originally posted by marcelgoertz 3.4.05 does include several security fixes if I'm not mistaken.
Does Snitz provide release notes or documentation with a list of bugs fixed in each release? The readme on the .05 zip file I downloaded did not provide this information. Where is it available? The security forums seem out of date - the last post was last year.
Thanks! |
-------------- Tom Lianza |
 |
|
Shadow69
Starting Member
18 Posts |
Posted - 27 July 2005 : 16:33:12
|
http://forum.snitz.com/forum/forum.asp?FORUM_ID=118
http://forum.snitz.com/specs.asp scroll down until you see: Snitz Forums 2000 v3.4.04 -> v3.4.05 and Announcements: Security Related Bug Fixes
http://forum.snitz.com/archive/default.asp?catid=12&cattitle=Snitz+Forums+2000
alternatively use the search button (security fix)
security is an all-round matter, snitz may or most probably may NOT have anything to do with it: OS must be secure and other code running under IIS too (other programs running on the machine as well)
i would check to make sure your directories have the correct read/write permissions also (especially the directory where you place your database), then check that your installed snitz is the latest (or fixes applied) and at that point follow marcelgoertz's suggestion which is probably the best thing to do asap anyways
good luck!
|
 |
|
tlianza
Starting Member
USA
5 Posts |
Posted - 27 July 2005 : 21:37:52
|
quote: Originally posted by Shadow69 http://forum.snitz.com/forum/forum.asp?FORUM_ID=118
http://forum.snitz.com/specs.asp scroll down until you see: Snitz Forums 2000 v3.4.04 -> v3.4.05 and Announcements: Security Related Bug Fixes
http://forum.snitz.com/archive/default.asp?catid=12&cattitle=Snitz+Forums+2000
I've visited a few of those areas - certainly the top link. Maybe I'm seeing something different from others? When I go to the top link - http://forum.snitz.com/forum/forum.asp?FORUM_ID=118 - I see two topics, and on the right it says the last post in each of them was back in 2004. The second link - http://forum.snitz.com/specs.asp - talks about features at a high level, and when it talks about version 3.4.05 specifically it refers me to the first link for details on security changes.
quote:
security is an all-round matter, snitz may or most probably may NOT have anything to do with it: OS must be secure and other code running under IIS too (other programs running on the machine as well)
I certainly agree with you that security is an all around matter. In this case the rest of my site and its database appear untouched. The forum was the only thing defaced. Additionally, the message left by the hacker referred to "login.asp" which is a Snitz Forums file (assuming I can believe the hacker - who knows). I did notice that login.asp was not among the files delivered in the .04->.05 upgrade.
I will continue pursuing the general concerns of course... I was just hoping to get some confidence that it was a known hole that was exploited, giving me confidence that the upgrade will plug it. Since there doesn't appear to be a fix on login.asp, or a specific, public, list of the resolved security holes, I'm a little less confident in opening up the forum again with the new (.05) version. |
-------------- Tom Lianza |
 |
|
MarcelG
Retired Support Moderator
    
Netherlands
2625 Posts |
Posted - 28 July 2005 : 03:29:26
|
Tom,
As I also said, a SQL injection through login.asp is yet unknown to me. Not that I am the security expert or anything, but as far as I heard there is no SQL injection weakness in login.asp. So, therefore it's important to track back the path of the hacker by means of the IIS logfiles. You can obtain his IP address, and possibly see the track of files/paths requested. This might provide insight to the method applied, and even more interesting: the identity of the 'hacker'. |
Edited by - MarcelG on 28 July 2005 03:30:33 |
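The log tracing suggested above, as an added example that is not part of the original thread or of Snitz itself: it parses IIS W3C extended logs, flags clients whose query strings carry a quote-plus-operator pattern like the one quoted in the first post, and returns each flagged client's request timeline. The sample log, the IP addresses, the `target` parameter and `admin_example.asp` are constructed; IIS does not log POST bodies, so a payload typed into the login form appears only as a POST to login.asp.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in W3C extended format (documentation IPs, made-up paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-07-26 20:01:10 198.51.100.7 GET /forum/default.asp - 200
2005-07-26 20:01:44 203.0.113.9 GET /forum/login.asp target=%27or%27%27%3D%27 200
2005-07-26 20:02:03 203.0.113.9 POST /forum/login.asp - 302
2005-07-26 20:02:05 203.0.113.9 GET /forum/admin_example.asp - 200
2005-07-26 20:03:30 198.51.100.7 GET /forum/topic.asp TOPIC_ID=12 200
"""

# A quote followed by a boolean operator, terminator or comment: the shape of 'or''='
SQLI = re.compile(r"'\s*(or|and|union|;|--)", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def has_sqli(row):
    """True if the URL-decoded query string matches the injection heuristic."""
    return bool(SQLI.search(unquote_plus(row["cs-uri-query"])))

def trace(text, login_page="login.asp"):
    """Return {ip: [(time, method, stem, note), ...]} for every flagged client."""
    rows = list(parse_w3c(text))
    timeline = {r["c-ip"]: [] for r in rows if has_sqli(r)}
    for r in rows:
        if r["c-ip"] not in timeline:
            continue
        note = ""
        if has_sqli(r):
            note = "sqli-pattern-in-query"
        elif r["cs-method"] == "POST" and r["cs-uri-stem"].lower().endswith(login_page):
            note = "login-post (body not logged)"
        timeline[r["c-ip"]].append((r["time"], r["cs-method"], r["cs-uri-stem"], note))
    return timeline

if __name__ == "__main__":
    for ip, events in trace(SAMPLE_LOG).items():
        print(ip, *events, sep="\n  ")
```

The regular expression is a triage heuristic, so every hit still needs to be read in context of the client's full timeline.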
 |
|
Davio
Development Team Member
    
Jamaica
12217 Posts |
|
Shadow69
Starting Member
18 Posts |
Posted - 28 July 2005 : 04:54:38
|
tlianza,
we are giving you those link references because they include all fixes since 3.4.03 and You just might want to check if You do have the latest installed. Those links would help You do a file compare to check for code possibly having been modified (by the hacker as well?). You could just replace the files, but in case You have installed mods You'd have to do a file compare and a cut&paste job.
We are all interested to know what exactly happened for our security concern as well, that is why You should ask for logs. It is not basically a matter to trace down the hacker (although You could try), instead You could learn what exactly was done through those logs and We could all profit from it.
We all host (little exception) a Snitz forum on a MS OS platform but at a different host... if You had a problem, solving it might help prevent others' forums being defaced.
As for the date of the fixes, why would there have to be a new one every day? I haven't seen Bill G. in the Developer Team 
regards, |
Edited by - Shadow69 on 28 July 2005 05:18:39 |
 |
|