svickrey
Starting Member
USA
43 Posts |
Posted - 02 May 2006 : 20:42:32
|
You warned me not to make anyone an admin unless you truly trusted this person. I really thought I had found someone that I could really trust but this turned out not to be true...errrr. They have admin privileges and have removed me as admin. I still have control over the DB and the site. Can I regain control of my forum I have worked so hard to build? |
~ PhraseWorks ~ a phrase generator and manager for adwords |
|
leatherlips
Senior Member
   
USA
1838 Posts |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 02 May 2006 : 21:34:13
|
I didn't think anybody could change the Super Admin's account without some other coding/db shenanigans...
Did they have any access to the DB and/or the files on the server?
Also, now that I think about it, do you see any other accounts marked as admin/moderator that shouldn't be? Sometimes if someone is really up to no good they'll create an extra account or two and make them admins as well... and/or they may leave a file or two (if they have the ability to do this) to help them re-set their Admin privileges. They may not have done this, but it never hurts to double-check. |
Edited by - AnonJr on 02 May 2006 21:36:41 |
 |
|
bobby131313
Senior Member
   
USA
1163 Posts |
Posted - 03 May 2006 : 00:14:38
|
I too, don't understand how an admin changes a super-admin at all without server access. 
|
Switch the order of your title tags |
Edited by - bobby131313 on 03 May 2006 00:19:00 |
 |
|
imweazel
Starting Member
49 Posts |
Posted - 03 May 2006 : 08:33:05
|
Once you have access to the admin section, I would think they would use the Alternate Mod Setup to run a few SQL updates to make the changes. |
 |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 03 May 2006 : 08:36:38
|
Hmm. I never thought of that... always kind of assumed that only the Super Admin had access to the Alternate MOD Setup (and the MOD setup too for that matter). Maybe I better go back and make it so... |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 03 May 2006 : 08:46:46
|
Ok. I thought so.
That brings the question back around:
Did they have any access to the DB and/or the files on the server?
Also, do you see any other accounts marked as admin/moderator that shouldn't be? Sometimes if someone is really up to no good they'll create an extra account or two and make them admins as well... and/or they may leave a file or two (if they have the ability to do this) to help them re-set their Admin privileges. They may not have done this, but it never hurts to double-check. |
 |
|
imweazel
Starting Member
49 Posts |
Posted - 03 May 2006 : 11:46:35
|
I took it to mean that svickrey gave the user a m_level of 3 when he said the user has admin privileges. This would give them access to the Alt Mod Setup I believe. |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 03 May 2006 : 11:48:09
|
quote: Originally posted by imweazel
I took it to mean that svickrey gave the user a m_level of 3 when he said the user has admin privileges. This would give them access to the Alt Mod Setup I believe.
No. Only the SuperAdmin can use the alternate mod setup. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
 |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 03 May 2006 : 11:59:54
|
Correct me if I'm wrong, but doesn't it essentially check the value of intAdminMemberID - which is assigned in config.asp - to determine the SuperAdmin? Would changing the SuperAdmin's m_lev value prevent them from accessing the admin options? |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 03 May 2006 : 12:17:30
|
Interesting...
I guess we need to get back to answering the original question...
quote: can I regain control of my forum I have worked so hard to build?
First, I'd probably change the passwords for access to the server and database, and then I'd check to see if your member id is still listed as the value of intAdminMemberID in config.asp
Next step would be to .... to remember what the next step was ... 
If I'm remembering right, you would need to make sure that the value of M_LEVEL for your account is set to 3 in the database.
Then I'd go lock their account and check to see if they didn't leave themselves any extra admin accounts or extra files to re-insert themselves as admin.
I'd swear I was missing a step, but it's lunch time. |
Edited by - AnonJr on 03 May 2006 12:18:12 |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 03 May 2006 : 14:16:15
|
All that would be needed would be to change the hijacking member's M_Level back to 1, change the new admin-to-be member's M_Level to 3. Of course, set intAdminMemberID to the new admin member id.
Change all admin-level members' passwords, probably all moderator passwords as well. This would work, admitting that the hijacking member has no server access (FTP or otherwise). |
Snitz 3.4 Readme | Like the support? Support Snitz too |
 |
|
HuwR
Forum Admin
    
United Kingdom
20595 Posts |
Posted - 19 May 2006 : 15:55:15
|
and why should we email you, are you unable to use email yourself?
There is never any excuse for doing what you did, even if you do think you have found a security hole in Snitz, there is nothing that could condone hijacking somebody else's site, if you are so hot shot sure you can do it, then do it here I dare you. |
Edited by - HuwR on 19 May 2006 15:56:01 |
 |
|
HuwR
Forum Admin
    
United Kingdom
20595 Posts |
Posted - 19 May 2006 : 15:59:58
|
If you need server access to do it, then how is it a security hole in Snitz, smart ass? |
 |
|