Snitz Forums 2000
 Forums hacked into last night!

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 13 December 2007 : 14:48:46
Yep, ZoneAlarm blocked xxxmovies.dip.jp when I visited your forum.


Snitz 3.4 Readme | Like the support? Support Snitz too

JohnC
Junior Member

215 Posts

Posted - 13 December 2007 : 14:54:49
That doesn't help, Rui. Where would I find this code?

AnonJr
Moderator

United States
5768 Posts

Posted - 13 December 2007 : 15:19:50
Are you sure there are no extra files that weren't there before? Also have you double-checked the URL that was entered in for the forum logo?

JohnC
Junior Member

215 Posts

Posted - 13 December 2007 : 15:46:40
We don't use a forum logo but what file is that in, default.asp? I'm not seeing anything... where are other areas to look?

Edited by - JohnC on 13 December 2007 15:51:58

AnonJr
Moderator

United States
5768 Posts

Posted - 13 December 2007 : 15:57:25
No image in the top-left corner?

The code for it is in inc_header.asp

The reason I asked is because it's something that could be changed via the Admin. Options - meaning they wouldn't need access to the server to get it to point to a file on their servers.

JohnC
Junior Member

215 Posts

Posted - 13 December 2007 : 16:06:51
No image. That code looks fine.

I wonder if they did something through Alternate Mod Setup where you can enter code as an admin. I think I want to remove this feature. Seems vulnerable.

Edited by - JohnC on 13 December 2007 16:09:15

CertGuard
Starting Member

United States
10 Posts

Posted - 13 December 2007 : 16:41:56
Just an FYI for this. I monitor my site activity (more so after something like this happens) and I found that the guy is monitoring a lot of the hacked sites from here (http://mirror-h.com/onhold/?s=1). I know this isn't going to keep him from viewing my site, but I added this code to the config.asp file:


if instr(request.servervariables("HTTP_REFERER"), "mirror-h.com") then
	response.end
end if


I'm sure it's not the best solution, but it works for now.

Edit: Here is their WHOIS information for anyone interested in contacting their ISP.
http://whois.domaintools.com/mirror-h.com

Robert Williams

Join the fight against braindumps!

Edited by - CertGuard on 13 December 2007 16:45:08

JohnC
Junior Member

215 Posts

Posted - 13 December 2007 : 17:16:18
Luckily I'm not on that list.

I'm still trying to find the code that's causing the javascript load...

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 13 December 2007 : 18:37:27
John, check server variables, from Admin Options.


Snitz 3.4 Readme | Like the support? Support Snitz too

AnonJr
Moderator

United States
5768 Posts

Posted - 13 December 2007 : 18:39:00
quote:
Originally posted by JohnC

I think I want to remove this feature. Seems vulnerable.


It's only vulnerable if they have Super Admin access. Regular Admins do not have the ability to use the Alt. MOD setup. And if they've hacked your Super Admin account you've got bigger issues...

JohnC
Junior Member

215 Posts

Posted - 13 December 2007 : 18:45:32
quote:
Originally posted by ruirib

John, check server variables, from Admin Options.

I've done that already and did not see anything out of the ordinary. I went through all javascripts in all files for something fishy. I can't find anything! There are no outside links from the forum files that I can find.

Rui, can I give you admin login via your email so you can see if I'm missing something?

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 13 December 2007 : 19:01:47
Sure, email me the data.


Snitz 3.4 Readme | Like the support? Support Snitz too

JohnC
Junior Member

215 Posts

Posted - 13 December 2007 : 19:07:53
Sent.

Right now I'm seeing if I can glean anything from my log files...

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 13 December 2007 : 19:29:32
They had added an iframe to the description of the first forum of the board. Probably something other people who had their forums hacked should check.



Snitz 3.4 Readme | Like the support? Support Snitz too
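
The check described in the post above, generalized from iframes to other active markup in admin-editable HTML fields such as forum descriptions. This is an added example, not part of the original thread and not Snitz code. It assumes the field values have already been exported from the forum database as (location, text) pairs; `scan_fields`, the sample rows and the host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that load or run remote content as soon as the page renders.
ACTIVE_TAGS = {"iframe", "frame", "script", "object", "embed"}
URL_ATTRS = {"src", "href", "data", "action"}

class _Finder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag/attr names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS and value:
                try:
                    host = urlparse(value.strip()).hostname or ""
                except ValueError:  # malformed URL: report it rather than skip
                    host = "unparseable"
                if host and host != self.own_host:
                    self.findings.append(("off-site-url", host))


def scan_fields(rows, own_host):
    """rows: iterable of (location, text); returns {location: findings}."""
    report = {}
    for location, text in rows:
        finder = _Finder(own_host)
        finder.feed(text or "")
        finder.close()
        if finder.findings:
            report[location] = finder.findings
    return report

# Constructed sample data (hypothetical field labels and hosts).
SAMPLE_ROWS = [
    ("forum 1 description", 'General chat<iframe src="http://bad.example/x" width=0 height=0></iframe>'),
    ("forum 2 description", "Questions about <b>installing</b> the forum"),
    ("forum 3 description", '<a href="http://forum.example/faq.asp" onmouseover="x()">FAQ</a>'),
]

if __name__ == "__main__":
    for where, hits in scan_fields(SAMPLE_ROWS, "forum.example").items():
        print(where, hits)
```

Relative URLs and links to the forum's own host are not reported, so ordinary formatting and internal links in a description stay quiet.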

JohnC
Junior Member

215 Posts

Posted - 13 December 2007 : 19:59:38
Thanks for catching that, Rui. Much appreciated!