Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Help Groups for Snitz Forums 2000 Users
 Help: General / Classic ASP versions(v3.4.XX)
 Got hacked hard
 New Topic  Topic Locked
 Printer Friendly
Author Previous Topic Topic Next Topic  

the agony booth
Starting Member

19 Posts

Posted - 20 October 2007 :  06:02:53  Show Profile
I just logged into my forum to find that almost all topics were inaccesible, with an ASP error along the lines of "arguments are of the wrong type, or are in conflict with each other".

Then I queried the database (I'm on SQL 2005), and found that porn spammers were able to start about 20 new topics using my user name, all full of nothing but spam. (My user name also has admin privileges.)

I figured they somehow were able to log in as me, but here's the wierd thing: Briefly, all the configuration settings in the "Admin Options" were set back to the defaults. Like, the header image, the copyright text, etc, were all the Snitz defaults. But then I queried FORUM_CONFIG_NEW in my SQL database, and I saw the configuration options were correct--- they were the same as what I had entered. In other words, what I saw in the "Admin Options" section did not match what was in the FORUM_CONFIG_NEW table. It was like it was pointing at another site.

Another wierd thing: When I clicked on the "profile" link in the header, I got a popup that said "It is up to you to keep your profile up to date" and a Submit button. This is strange, because never has the "profile" link brought up a popup in my forum.

I re-uploaded good copies of pop_profile.asp, inc_header.asp and config.asp, and that didn't fix the problem.

Then, just as suddenly, I was able to access the forums again. I was able to go in and delete all the porn spam threads. However, I have no idea how it happened, or how it was resolved. I changed the password on all my admin users, but it doesn't seem like the spammers hacked my password or anything. It seems like they were able to somehow point the configuration to some other site (some type of cross-site scripting attack, maybe?)

Has anyone else experienced anything like this? My Snitz version is 3.4.04.


http://www.agonybooth.com/

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 20 October 2007 :  06:14:54  Show Profile  Send ruirib a Yahoo! Message
That's very weird. Can you have a look at your web server logs and check to see what happened?

You may have had a server reset and the application variables lost, though it usually doesn't result in getting back to default values...

You should also apply all the latest security fixes to your forum, regardless of the reason for what happened.


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 20 October 2007 :  08:33:47  Show Profile  Visit HuwR's Homepage
quote:
My Snitz version is 3.4.04

You should update your code to the latest version as there are several SQL injection vulnerabilities in the older code
Go to Top of Page

the agony booth
Starting Member

19 Posts

Posted - 22 October 2007 :  22:51:32  Show Profile
Thanks for the quick response, guys.

I requested my web server logs from my host. I found some interesting things.

It appears this happened during the window of time when my host was rebooting the SQL Server to apply a Microsoft patch. It appears that in this span of time, the file /forum/setup.asp was accessed three times.

Is it possible that because the SQL Server was down, that setup.asp was displayed, and whoever viewed setup.asp was then able to set up the forum as if it were a fresh, first time install?

That would explain why I saw the "default" Snitz install values. Perhaps setup.asp allowed someone to temporarily change the connection to some other database?

Either way, I think having setup.asp just sitting there is kind of a security hole. I went ahead and renamed by setup.asp file to something else. It seems like I shouldn't even need that file, as long as I'm not upgrading my forum, correct?


http://www.agonybooth.com/
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 23 October 2007 :  02:05:38  Show Profile  Visit HuwR's Homepage
if the SQL was down running setup would not have done anything since it would not have been able to connect to the server. also running setup would not reset the forums config settings, it would just do nothing other than reset the app variables. you can not change the db connection in setup.asp this must be done manually in config.asp


if IIS gets reset you may need to run setup.asp to reinstate the app variables. setup.asp is not a security issue in anyway.
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.4 seconds. Powered By: Snitz Forums 2000 Version 3.4.07