Author |
Topic  |
JohnC
Junior Member
 
215 Posts |
Posted - 12 December 2007 : 11:42:54
|
hackman@inbox.lv 195.244.128.16
Made him or herself administrator and changed some things. Was this an SQL injection? How do I find out exactly what was changed? Are there some common things to look for?
Time is of the essence as our forums are very popular.
Thanks, -John |
|
JohnC
Junior Member
 
215 Posts |
Posted - 12 December 2007 : 11:45:10
|
Also, my email address for the support/update email letters has changed and I don't know where to update it with our new email address. Please advise. Thanks! |
 |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 12 December 2007 : 11:55:51
|
I would advise you to check the "Announcements: Security Related Bug Fixes" forum - and subscribe to it so you'll be notified of any other issues that pop up. This is probably a result of the issue that was patched on 1 Dec. 
I'd also take a look through the "DEV Bug Reports (Open)" forum and fix any other outstanding issues.
After applying all the patches I would go to the Admin options and see if they created any extra Admin accounts and lock them. Then I'd start systematically going through all the settings to see what might have been changed. Then I'd start going through the files and see if any had been modified or if there are any new files that weren't there before.
Also, you may want to close the forums down while you are doing this so they don't have the opportunity to jack with anything while you're doing this...
That's a lot to start with, but it covers the major bases. |
Edited by - AnonJr on 12 December 2007 11:57:08 |
 |
|
JohnC
Junior Member
 
215 Posts |
Posted - 12 December 2007 : 13:36:13
|
Thanks so much for the quick and detailed reply, Anon! I'm finding out that the supposed hacker didn't do too much. Just created or injected him or herself as an admin and changed a few settings. I applied the update to active.asp and now subscribed to Bug Fixes with my new email address. Do you think there's any danger of passwords being compromised even though they're encrypted? |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 12 December 2007 : 13:44:34
|
No problem. It's what we're here for. 
I would send an announcement to your admins/moderators to check/change their passwords. While they could change the password of a regular member there isn't much to gain by that, and when said member tries to log in they will likely just use the "Forgot Password" link to reset their password.
Scratch that - forgot that only the Super Admin can change passwords....  |
Edited by - AnonJr on 12 December 2007 13:45:51 |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
MarcelG
Retired Support Moderator
    
Netherlands
2625 Posts |
Posted - 13 December 2007 : 06:33:58
|
He registered at oxle too; didn't do any damage though, at least not that I can see.
He tried the SQL injection, which resulted in his 'last here date' being completely off. I'll implement the additional fix you provided Rui, that checks if lastheredate is a number. |
portfolio - linkshrinker - oxle - twitter |
Edited by - MarcelG on 13 December 2007 06:37:38 |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
MarcelG
Retired Support Moderator
    
Netherlands
2625 Posts |
Posted - 13 December 2007 : 07:20:23
|
Yep, the date was set to M_'/Le'/ve or something like that. I've nailed the bloke: http://oxle.com/all4you.id publicly 
I now have put in the check that:
- retrieves the cookie
- if empty, retrieves the value from the db, puts the value in the cookie
- retrieves the cookie again, and checks its validity
- if invalid, sets the cookie to 'now' |
portfolio - linkshrinker - oxle - twitter |
Edited by - MarcelG on 13 December 2007 07:23:41 |
 |
|
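The check MarcelG lists above, sketched in Python as an added example (not MarcelG's or ruirib's actual ASP code). It assumes the stored value is a 14-digit `yyyymmddhhmmss` string and goes slightly beyond a numeric test by also rejecting impossible dates; the cookie name and function names are hypothetical.

```python
from datetime import datetime

STAMP_FORMAT = "%Y%m%d%H%M%S"  # assumed 14-digit timestamp layout


def is_valid_stamp(value):
    """True only for a 14-character ASCII-digit string that is a real date/time."""
    if not isinstance(value, str) or len(value) != 14:
        return False
    if not (value.isascii() and value.isdigit()):
        return False
    try:
        datetime.strptime(value, STAMP_FORMAT)
    except ValueError:
        return False
    return True


def resolve_last_here(cookies, db_value, now, name="lastheredate"):
    """Follow the steps in the post: cookie, then db fallback, then validate.

    cookies  -- dict standing in for the request/response cookie jar
    db_value -- value stored for the member in the database (may be None)
    now      -- datetime used when the value turns out to be invalid
    """
    # Steps 1 and 2: read the cookie; if empty, seed it from the database.
    if not cookies.get(name):
        cookies[name] = db_value or ""
    # Step 3: read the cookie again and validate it, wherever it came from.
    value = cookies.get(name)
    # Step 4: anything that is not a well-formed timestamp is replaced by 'now'.
    if not is_valid_stamp(value):
        value = now.strftime(STAMP_FORMAT)
        cookies[name] = value
    return value


if __name__ == "__main__":
    now = datetime(2007, 12, 13, 7, 20, 23)
    # Constructed inputs: an empty cookie, and the malformed value quoted in the post.
    print(resolve_last_here({}, "20071213063358", now))
    print(resolve_last_here({"lastheredate": "M_'/Le'/ve"}, None, now))
```

A value that passes this check contains digits only, but any query that later uses it should still be parameterized instead of built by string concatenation.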
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
Mighty Whites
Starting Member
6 Posts |
Posted - 13 December 2007 : 08:31:16
|
We were hacked last night by some Turkish militant website.
Need assistance in getting the forum back up and running. The webhost LCN stated that the ASP was weak and the hackers got into the back end of the forum.
Now I am not a techie, and have forgot most of the stuff that I learnt when setting the forum up.
So, some questions
The forum wasn't backed up anywhere, does this mean that effectively all the posts are lost, even though looking in the FTP pages of the forum there appears to be a lot of stuff still in there?
Have we someone on here that will be kind enough to upload everything and save as much of the old forum as possible, the last thing I want to do is delete or override files etc that I don't need to.
What about the ASP coding, is there a fix for this ?
http://www.leedu-forum.org.uk is the forum address.
I have just removed the index.htm page that directed you to the other site.
How do I put up a temporary page, to let users know what is going on?
A speedy reply and assistance would be greatly appreciated. |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 13 December 2007 : 08:55:45
|
If you email me through the forum and give me forum admin username / password and FTP access data, I will fix it for you.
P.S.: Please don't double post.
P.P.S.: Be sure to subscribe to our Announcements Security Related Bug Fixes forum, to receive email notification when there are fixes to apply. If you had a subscription, your forum could have been protected, since we posted the fix before hackers started to hit. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
 |
|
Mighty Whites
Starting Member
6 Posts |
Posted - 13 December 2007 : 09:01:20
|
Many thanks Ruirib, wasn't sure which was the best topic to place my quandary under, hence the double post, I was surprised to see two subjects on the matter.
PM on its way, with all the requested info.
Once again, many thanks.
Re: the subscription, I did that about 10 mins ago, a sure fire way of being protected in the future, I agree, for armed, is to be forewarned. |
Edited by - Mighty Whites on 13 December 2007 09:04:12 |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
JohnC
Junior Member
 
215 Posts |
Posted - 13 December 2007 : 13:22:44
|
A couple of our forum members have reported Java security warnings since our forums were hacked into. Has anyone else reported something like this? Could code have been added or replaced by an injection? What tables, if any, should I take a close look at for injections? Could it be just a coincidence? None of the forum file dates seem to have been changed, indicating no code change... |
Edited by - JohnC on 13 December 2007 13:33:55 |
 |
|