the agony booth
Starting Member
19 Posts |
Posted - 20 October 2007 : 06:02:53
I just logged into my forum to find that almost all topics were inaccessible, with an ASP error along the lines of "arguments are of the wrong type, or are in conflict with each other".
Then I queried the database (I'm on SQL 2005), and found that porn spammers were able to start about 20 new topics using my user name, all full of nothing but spam. (My user name also has admin privileges.)
I figured they somehow were able to log in as me, but here's the weird thing: briefly, all the configuration settings in the "Admin Options" were set back to the defaults. Like, the header image, the copyright text, etc., were all the Snitz defaults. But then I queried FORUM_CONFIG_NEW in my SQL database, and I saw the configuration options were correct: they were the same as what I had entered. In other words, what I saw in the "Admin Options" section did not match what was in the FORUM_CONFIG_NEW table. It was like it was pointing at another site.
Another weird thing: when I clicked on the "profile" link in the header, I got a popup that said "It is up to you to keep your profile up to date" and a Submit button. This is strange, because never has the "profile" link brought up a popup in my forum.
I re-uploaded good copies of pop_profile.asp, inc_header.asp and config.asp, and that didn't fix the problem.
Then, just as suddenly, I was able to access the forums again. I was able to go in and delete all the porn spam threads. However, I have no idea how it happened, or how it was resolved. I changed the password on all my admin users, but it doesn't seem like the spammers hacked my password or anything. It seems like they were able to somehow point the configuration to some other site (some type of cross-site scripting attack, maybe?)
Has anyone else experienced anything like this? My Snitz version is 3.4.04.
http://www.agonybooth.com/
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 20 October 2007 : 06:14:54
That's very weird. Can you have a look at your web server logs and check to see what happened?
You may have had a server reset and the application variables lost, though it usually doesn't result in getting back to default values...
You should also apply all the latest security fixes to your forum, regardless of the reason for what happened.
Snitz 3.4 Readme | Like the support? Support Snitz too
HuwR
Forum Admin
United Kingdom
20595 Posts |
Posted - 20 October 2007 : 08:33:47
quote: My Snitz version is 3.4.04
You should update your code to the latest version, as there are several SQL injection vulnerabilities in the older code.
the agony booth
Starting Member
19 Posts |
Posted - 22 October 2007 : 22:51:32
Thanks for the quick response, guys.
I requested my web server logs from my host. I found some interesting things.
It appears this happened during the window of time when my host was rebooting the SQL Server to apply a Microsoft patch. It appears that in this span of time, the file /forum/setup.asp was accessed three times.
Is it possible that because the SQL Server was down, that setup.asp was displayed, and whoever viewed setup.asp was then able to set up the forum as if it were a fresh, first time install?
That would explain why I saw the "default" Snitz install values. Perhaps setup.asp allowed someone to temporarily change the connection to some other database?
Either way, I think having setup.asp just sitting there is kind of a security hole. I went ahead and renamed my setup.asp file to something else. It seems like I shouldn't even need that file, as long as I'm not upgrading my forum, correct?
http://www.agonybooth.com/
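The log review described in the post above, as an added example that is not part of the original thread and is not Snitz code: a small Python script that reads an IIS W3C extended-format log, takes the column layout from the `#Fields:` directive instead of assuming it, pulls every request to a watched path that falls inside a maintenance window, and then pivots to everything else the same client addresses did. Everything in it is constructed for the demonstration: the log lines, the client addresses (RFC 5737 documentation ranges), the `OUTAGE_START`/`OUTAGE_END` window and the `WATCHED_PATHS` list. It says nothing about what setup.asp does when it is reached; it only shows how to find out who reached it and when.

```python
"""Pull requests to a watched path out of an IIS W3C log for a given window.

Added example; not code from the original thread or from Snitz. The log text,
the client addresses (RFC 5737 documentation ranges) and the outage window are
all constructed for the demonstration. Field positions are taken from the
'#Fields:' directive rather than hard-coded, since IIS lets admins pick columns.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed IIS 6 W3C extended-format log. IIS writes these timestamps in UTC
# and replaces spaces inside a field (e.g. the User-Agent) with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-10-19 01:58:03 192.0.2.10 GET /forum/default.asp - 80 - 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2007-10-19 02:03:17 192.0.2.10 GET /forum/setup.asp - 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2007-10-19 02:03:52 192.0.2.10 POST /forum/setup.asp - 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2007-10-19 02:04:40 192.0.2.10 GET /forum/setup.asp - 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2007-10-19 02:06:11 192.0.2.10 POST /forum/post.asp method=Topic 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 302
2007-10-19 02:31:09 192.0.2.10 GET /forum/setup.asp - 80 - 203.0.113.77 Mozilla/4.0+(compatible;+MSIE+6.0) 500
2007-10-19 06:01:55 192.0.2.10 GET /forum/admin_home.asp - 80 admin 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+6.0) 200
"""

# Constructed maintenance window: the post mentions a SQL Server reboot by the
# host, but these exact times are invented for the example.
OUTAGE_START = datetime(2007, 10, 19, 2, 0, 0, tzinfo=timezone.utc)
OUTAGE_END = datetime(2007, 10, 19, 2, 30, 0, tzinfo=timezone.utc)
WATCHED_PATHS = ("/forum/setup.asp",)


@dataclass(frozen=True)
class Request:
    when: datetime
    method: str
    path: str
    query: str
    client_ip: str
    status: int


def parse_w3c(text):
    """Yield Request records from W3C extended log text, honouring #Fields."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record appears before a #Fields directive")
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or otherwise malformed record; skip it
        rec = dict(zip(fields, parts))
        yield Request(
            when=datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
            method=rec["cs-method"],
            path=rec["cs-uri-stem"].lower(),  # IIS paths are case-insensitive
            query="" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"],
            client_ip=rec["c-ip"],
            status=int(rec["sc-status"]),
        )


def requests_in_window(requests, start, end, paths):
    """Requests to any of `paths` whose timestamp lies inside [start, end]."""
    wanted = {p.lower() for p in paths}
    return [r for r in requests if start <= r.when <= end and r.path in wanted]


def activity_from(requests, client_ips):
    """Pivot: every request from the given client addresses, in log order."""
    return [r for r in requests if r.client_ip in client_ips]


def setup_hits_during_outage(log_text=SAMPLE_LOG):
    """Watched-path requests inside the constructed outage window."""
    return requests_in_window(parse_w3c(log_text), OUTAGE_START, OUTAGE_END, WATCHED_PATHS)


def main():
    requests = list(parse_w3c(SAMPLE_LOG))
    hits = requests_in_window(requests, OUTAGE_START, OUTAGE_END, WATCHED_PATHS)
    print(f"{len(hits)} request(s) to {WATCHED_PATHS} during the outage window:")
    for r in hits:
        print(f"  {r.when:%Y-%m-%d %H:%M:%S} {r.client_ip} {r.method} {r.path} -> {r.status}")
    suspects = {r.client_ip for r in hits}
    print(f"\nAll requests from {sorted(suspects)}:")
    for r in activity_from(requests, suspects):
        q = f"?{r.query}" if r.query else ""
        print(f"  {r.when:%H:%M:%S} {r.method} {r.path}{q} -> {r.status}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the three setup.asp requests inside the window (the 02:31 request from a different address falls outside it and is excluded), then the pivot, which also surfaces the `POST /forum/post.asp?method=Topic` from the same address a couple of minutes later. Against a real log, replace `SAMPLE_LOG` with the file contents and set the window from the host's maintenance notice; because the parser reads `#Fields:`, it copes with a site whose logging columns differ from the ones in the sample.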
HuwR
Forum Admin
United Kingdom
20595 Posts |
Posted - 23 October 2007 : 02:05:38
If the SQL was down, running setup would not have done anything, since it would not have been able to connect to the server. Also, running setup would not reset the forum's config settings; it would just do nothing other than reset the app variables. You cannot change the db connection in setup.asp; this must be done manually in config.asp.
If IIS gets reset you may need to run setup.asp to reinstate the app variables. setup.asp is not a security issue in any way.