Looks like the same guys behind the "vietbacshool" hacks are at it again. This time someone has registered with the id "vietnam1" (the hacker who made himself an admin last week used the id "vietnam").
I'm unable to delete this user, because they've done something to break active.asp.
I checked the database; somehow they were able to insert the value ',M_Level='3 into the M_LASTHEREDATE column.
It looks like an injection attack. I'm using 3.4.04, but I already went through and manually applied all the security fixes listed in the Security Related Bug Fixes forum.
Thanks for the quick response. I see that it's just someone trying to use the same hack attempt that was already patched. Well, here's my quick attempt to try to fix the problem.
In inc_func_common.asp (my changes are in red):
function UpdateLastHereDate(fTime,UserName)
	'## Stop here unless fTime is numeric, before it is concatenated into the SQL string
	If Not IsNumeric(fTime) Then Exit Function
	'## Forum_SQL - Do DB Update
	strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
	strSql = strSql & " SET M_LASTHEREDATE = '" & fTime & "'"
	strSql = strSql & ", M_LAST_IP = '" & Request.ServerVariables("REMOTE_ADDR") & "'"
	strSql = strSql & " WHERE " & strDBNTSQLName & " = '" & ChkString(UserName, "SQLString") & "' "
	my_conn.Execute (strSql),,adCmdText + adExecuteNoRecords
end function
And of course the data in M_LASTHEREDATE will have to be fixed. I'll just set it to NULL, and hopefully that doesn't break anything.
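Why the check on fTime matters, as an added example (not code from the posts above or from the forum software): a Python/sqlite3 model of the same UPDATE shape, run against the value reported in the first post. The table layout, the M_NAME key column, the sample row and all function names are assumptions made for the demonstration, and the digits-only test is a stricter stand-in for IsNumeric.

```python
import sqlite3

PAGE_VALUE = "',M_Level='3"  # the value the post reports finding in M_LASTHEREDATE

def new_db():
    # Constructed stand-in for the members table (column set is assumed).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MEMBERS (M_NAME TEXT, M_LEVEL TEXT, "
               "M_LASTHEREDATE TEXT, M_LAST_IP TEXT)")
    db.execute("INSERT INTO MEMBERS VALUES ('member1', '1', '20050101120000', '')")
    return db

def update_concat(db, f_time, user, ip="192.0.2.10"):
    # Same shape as the unpatched function: f_time is pasted between quotes,
    # so a quote inside it ends the string and the rest is parsed as SQL.
    db.execute("UPDATE MEMBERS SET M_LASTHEREDATE = '" + f_time + "'"
               ", M_LAST_IP = '" + ip + "'"
               " WHERE M_NAME = '" + user.replace("'", "''") + "'")

def update_checked(db, f_time, user, ip="192.0.2.10"):
    # Validate first (ASCII digits only), then bind every value as a parameter.
    if not (f_time.isascii() and f_time.isdigit()):
        return False
    db.execute("UPDATE MEMBERS SET M_LASTHEREDATE = ?, M_LAST_IP = ? "
               "WHERE M_NAME = ?", (f_time, ip, user))
    return True

def row(db, user):
    # (M_LEVEL, M_LASTHEREDATE) for one member.
    return db.execute("SELECT M_LEVEL, M_LASTHEREDATE FROM MEMBERS "
                      "WHERE M_NAME = ?", (user,)).fetchone()

def tampered(db):
    # Members whose stored timestamp is neither NULL nor a digit string;
    # these are the rows that need cleaning up by hand.
    rows = db.execute("SELECT M_NAME, M_LASTHEREDATE FROM MEMBERS")
    return [n for n, t in rows
            if t is not None and not (t.isascii() and t.isdigit())]

if __name__ == "__main__":
    db = new_db()
    update_concat(db, PAGE_VALUE, "member1")
    print("concatenated:", row(db, "member1"))   # level column was rewritten
    db = new_db()
    print("checked accepted:", update_checked(db, PAGE_VALUE, "member1"))
    print("checked:", row(db, "member1"))         # row unchanged
```

Escaping or binding alone keeps the level column safe but still stores the literal string in M_LASTHEREDATE, so the validation step and the `tampered` scan are both needed.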