Author |
Topic  |
|
Jim Riley
New Member

United Kingdom
64 Posts |
Posted - 08 December 2007 : 14:24:54
|
www.tutor2u.net/forum/default.asp
Looks like a SQL injection hack.
I have got into the SQL db and found a strcopyright change which redirects the forum user to the hacker's website - I thought I had got rid of this, but the hack is still in place.
<title>Tutor2u Discussion Forum</title> <meta name="copyright" content="This Forum code is Copyright (C) 2000-02 Michael Anderson, Pierre Gorissen, Huw Reddick and Richard Kinser, Non-Forum Related code is Copyright (C) Tutor2u LimitedWE ARE LANGSON SECURITY TEAM FROM VIETNAM.YOU SITE HAVE MANY BUG.I TRY CLOSE IT.PLEASE FIX THE BUG AND OPEN AGAIN FOR SECURE.THANK.MYSITE IS www.VIETBACSCHOOL.COM <meta http-equiv="Refresh" content="0;url=http://vietbacschool.com/ls">"> <script language="JavaScript" type="text/javascript">
Any ideas?
Jim |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 08 December 2007 : 14:26:56
|
Have you had a look at our Security Bug Fixes forum?
Apply the bug fix, then visit down.asp and get the forum up. Also, don't forget to change the hacker from admin to normal status, and then lock him. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
 |
|
Jim Riley
New Member

United Kingdom
64 Posts |
Posted - 08 December 2007 : 14:55:35
|
I have applied all recent security fixes - but the redirect hack is still there, so I must be missing something.
What is down.asp?
Jim |
 |
|
modifichicci
Average Member
  
Italy
787 Posts |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
Jim Riley
New Member

United Kingdom
64 Posts |
Posted - 09 December 2007 : 07:22:18
|
This is odd.
I have installed a new version of the latest Snitz files on a new forum directory, calling the directory something other than "forum" (which was hacked). It works fine.
I think I have cleared out all the hacks to the SQL db.
But when I create a new version of the old "forum" directory and upload the new Snitz files, the redirect hack is still there.
Anyone got any ideas about how this can be happening? I'm happy that there hasn't been any security issue with our FTP settings, so I'm assuming that it must still be something in the SQL db?
Jim |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
tooms
Starting Member
Denmark
3 Posts |
Posted - 09 December 2007 : 09:09:42
|
My forum was hacked also, by someone adding themselves as an admin user..
This admin user then changed one of the "message" texts to include an iframe tag that was trying to load the "Remote Data Services Data Control" from another site..
Also seeing a lot of "post" request attacks..
Looks like this software needs a big security update to make it a lot more secure, and maybe more content checking, like checking URLs posted into the forum against URL blacklists.
By the way, if you need to fix a hacked forum then use the "Fiddler http debugging proxy" software, that helped me a lot.
|
Edited by - tooms on 09 December 2007 09:11:17 |
 |
|
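An added example, not part of any post above and not Snitz code: a small scanner for the two symptoms reported so far, a `<meta http-equiv="Refresh">` redirect appended to the copyright setting and an iframe planted in a message text. It assumes the forum's settings have been exported as (name, value) pairs; the sample rows, the example URLs and the name `strHypotheticalMessage` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tags that have no business inside a plain-text forum setting.
SUSPECT_TAGS = {"meta", "iframe", "script", "object", "embed", "frame", "base"}

# Constructed sample rows standing in for an export of the settings table.
SAMPLE_ROWS = [
    ("strForumTitle", "Tutor2u Discussion Forum"),
    ("strCopyright", 'Copyright (C) Example Ltd '
     '<meta http-equiv="Refresh" content="0;url=http://redirect.example/ls">'),
    ("strHypotheticalMessage",
     'Welcome <iframe src="http://other.example/rds" width="0"></iframe>'),
]

class _TagFinder(HTMLParser):
    """Collects suspicious tags and the URL each one points at, if any."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUSPECT_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            if a.get("http-equiv", "").lower() != "refresh":
                return  # an ordinary meta tag does not redirect
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            target = m.group(1) if m else ""
        else:
            target = a.get("src") or a.get("href") or a.get("data") or ""
        self.hits.append((tag, target))

def scan_settings(rows):
    """Return {setting name: [(tag, target), ...]} for values holding markup."""
    findings = {}
    for name, value in rows:
        finder = _TagFinder()
        finder.feed(value or "")
        finder.close()
        if finder.hits:
            findings[name] = finder.hits
    return findings

if __name__ == "__main__":
    for name, hits in scan_settings(SAMPLE_ROWS).items():
        print(name, hits)
```

Any setting it reports should be restored to its intended plain-text value.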
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 09 December 2007 : 09:30:04
|
We posted a security fix about a week ago, before any hacking occurred. You'd better subscribe to the Announcements Security Related Bug Fixes forum, so that you can be notified whenever we post a security fix. |
 |
|
Maxime
Average Member
  
France
521 Posts |
Posted - 10 December 2007 : 11:40:50
|
I have also been hacked by a Turkish hacker, with an image on the forum and no way to become administrator in the options. I think a lot of you have been affected by this hacker, who seems to be the same person, and a complaint should be made. Those who have global.asa on their site can block the Turkish IP. Here is the code that I made; you have to put in a web address and the right IP.
I have fully updated the forum for security and I have registered to receive news of updates.
Global.asa
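<script language="VBScript" runat="Server">
Sub Session_OnStart
    ' Drop the session and redirect any client whose address contains 201.221.198.
    If InStr(Request.ServerVariables("REMOTE_ADDR"), "201.221.198.") > 0 Then
        Session.Abandon
        Response.Redirect("http://www.casserole.fr/")
    End If
End Sub
</script> |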
Cordially, Maxime
Taxation consists in so plucking the goose to get the most out of feathers with the least possible cries.(Jean-Baptiste Colbert)
|
 |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 10 December 2007 : 12:39:32
|
I probably sound like a broken record every time IP blocking comes up, but it's worth mentioning again: It's hard, if not impossible, to block someone based on their IP... the short version goes like this: If this individual is working out of a university or stuck (/hiding) behind a proxy, you could be blocking a large number of innocents.
With that said, the IP Gate MOD will also allow you to block IP addresses without the need to set up/modify global.asa - assuming your host allows you to set one up in the first place... which would be why I mention it.  |
 |
|
iresprite
Starting Member
1 Posts |
Posted - 11 December 2007 : 13:49:00
|
Hey, guys. I'm helping out with a site that was hacked by the same people. I'm trying to play catch up here-- I applied the patch suggested in the Security Bug Fix setting; what other steps do I need to take? I noticed something about down.asp. Where can I read to get myself clued in?
Thanks! |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
ptrimmer
Starting Member
3 Posts |
Posted - 12 December 2007 : 15:13:11
|
I am unable to get our forum back up. We were hacked by the lovely Turkish fellows. I am also unable to get to the www.tutor2u.net/forum/down.asp site. I am at a loss as to what to do next. Thanks! |
 |
|