Snitz Forums 2000
 possible hack but other info as well

weeweeslap
Senior Member

USA
1077 Posts

Posted - 17 December 2007 :  10:13:05
On occasion when visiting http://www.weeweeslap.com/forum/active.asp
I get a popup like so:
http://www.weeweeslap.com/forum/file_attachments/weeweeslap/200712179629_digi_cert.jpg
I found 4 files that were placed into my root directory of that site:
omega.php
omega.html
gharbeyya.html
jman.php

The first 3 are files that display "this site hacked ____" where the blank is filled out by who hacked. The third file seems encrypted. I think so anyway, I am not php friendly and it's just a bunch of text and numbers between the php tags. I did fix active.asp the same day the fix was released and since that digital certificate thing only shows up on active.asp I was wondering if there might be something else that should be checked out? That digital certificate thing pops up rarely. I've gotten it twice in the past week and with finding those 4 files placed in root I felt it might be related though they all show different dates of creation. Do you guys have any additional info on this? Or what can I do to find out how they were placed or through where? We have a good firewall and only allow port 80 and another port to manage the firewall, other than that the rest of the ports are hammered down. Well, the files were just placed and never seen by the general public so maybe they got scared and ran away? Or maybe a time bomb of sorts was placed on the server but after running a thorough scan of adaware, viruses and all that juicy stuff, the box came back clean. I appreciate any info you can provide. Thank you.

coaster crazy

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 17 December 2007 :  10:23:43
No Snitz hack would allow the installation of files on the root folder. That was either caused by a server hack or some other issue (php or some other server stuff).


Snitz 3.4 Readme | Like the support? Support Snitz too

weeweeslap
Senior Member

USA
1077 Posts

Posted - 17 December 2007 :  10:29:44
ok. Thanks ruirib!

coaster crazy

AnonJr
Moderator

United States
5768 Posts

Posted - 17 December 2007 :  10:31:02
Didn't someone mention an issue with one of the file upload MODs based off of active.asp?

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 17 December 2007 :  10:47:40
I'm not sure, not even sure if there are mods based on active.asp.


Snitz 3.4 Readme | Like the support? Support Snitz too

weeweeslap
Senior Member

USA
1077 Posts

Posted - 17 December 2007 :  10:55:27
The only file upload mod I have is Mike's file attachment mod and I've checked to make sure it only allows the allowed files. html, php, asp, exe, zip etc. are prohibited on there and the directory has no executable rights. Thanks

coaster crazy

bobby131313
Senior Member

USA
1163 Posts

Posted - 17 December 2007 :  11:09:45
unanswered.asp (OWM's Unanswered Topic mod) is based on active.asp.

Switch the order of your title tags

Edited by - bobby131313 on 17 December 2007 11:10:37

AnonJr
Moderator

United States
5768 Posts

Posted - 17 December 2007 :  11:36:55
That must have been the one I was thinking of.

weeweeslap
Senior Member

USA
1077 Posts

Posted - 17 December 2007 :  11:44:35
Ah, I don't use that. Anyone wanna take a look at the files that got uploaded just for kicks?

coaster crazy

phy1729
Average Member

USA
589 Posts

Posted - 17 December 2007 :  12:11:58
Can you post/e-mail a txt copy of jman.php? My native language is php.

weeweeslap
Senior Member

USA
1077 Posts

Posted - 17 December 2007 :  12:20:44
quote:
Originally posted by phy1729

Can you post/e-mail a txt copy of jman.php? My native language is php.

http://www.weeweeslap.com/file.rar
Here it is. I placed it in a rar. If you want it in a zip file let me know. Or email me through forum mail and I'll attach it to an email. Thanks
-wws

coaster crazy

weeweeslap
Senior Member

USA
1077 Posts

Posted - 17 December 2007 :  12:23:43
I forgot the Windows 2003 security settings we have don't allow .rar or .zip direct downloads, so here's a txt file. If that doesn't work, send me an email through forum mail and I'll attach the file, it's 42kb in size.
http://www.weeweeslap.com/jman.txt

coaster crazy

phy1729
Average Member

USA
589 Posts

Posted - 17 December 2007 :  12:39:36
Base 64 and gz compressed. Well, someone has something to hide. And I love the first line:
"This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited."

weeweeslap
Senior Member

USA
1077 Posts

Posted - 17 December 2007 :  12:51:34
Yeah, I am going to go ahead and remove it. Thanks for looking at it. Any chance we could get it decoded to see what they're hiding? Thanks phy1729

coaster crazy

phy1729
Average Member

USA
589 Posts

Posted - 17 December 2007 :  13:05:10
I'm working on it but it may take a while.
A long while.
I'm decoding by running it while sanitizing anything possibly harmful. Not a fast procedure, but it works.
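
Added example, not part of the original thread and not any poster's code: one way to peel base64 and gz layers like the ones described above as pure data, without ever running the PHP. The `eval(gzinflate(base64_decode(...)))` wrapper shape, the sample and all names here are assumptions; the contents of jman.php are not shown on this page.

```python
import base64
import re
import zlib

# PHP decompressor name -> zlib window-bits value for the matching container.
WBITS = {"gzinflate": -15, "gzuncompress": 15, "gzdecode": 31}
LAYER = re.compile(
    r"eval\s*\(\s*(gzinflate|gzuncompress|gzdecode)\s*\(\s*"
    r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\2\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
MAX_LAYERS = 20               # stop on pathological nesting
MAX_BYTES = 5 * 1024 * 1024   # cap output to blunt decompression bombs


def unwrap(source: str):
    """Peel eval(gz*(base64_decode('...'))) layers as data; nothing is executed.

    Returns (innermost_text, layers_removed)."""
    layers = 0
    while layers < MAX_LAYERS:
        m = LAYER.search(source)
        if not m:
            break
        raw = base64.b64decode(m.group(3))
        d = zlib.decompressobj(WBITS[m.group(1).lower()])
        out = d.decompress(raw, MAX_BYTES)
        if d.unconsumed_tail:
            raise ValueError("layer exceeds MAX_BYTES")
        source = out.decode("latin-1")
        layers += 1
    return source, layers


def _wrap(php: str) -> str:
    """Build one constructed layer for the sample below (hypothetical helper)."""
    c = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(c.compress(php.encode()) + c.flush()).decode()
    return "eval(gzinflate(base64_decode('%s')));" % blob


# Constructed, harmless sample: two layers around a single echo statement.
SAMPLE = "<?php " + _wrap(_wrap('echo "constructed sample";')) + " ?>"

if __name__ == "__main__":
    text, n = unwrap(SAMPLE)
    print(n, "layer(s):", text)
```

The decoded text is only ever handled as a string, so it can be read or searched on an analysis machine with no PHP interpreter installed.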

phy1729
Average Member

USA
589 Posts

Posted - 17 December 2007 :  14:38:17
From Googling, it looks like c99 v0.0.1 SYN-MOD [SYNSTA]. I've never heard of it before, but it seems like a back door.

Slightly Later

From more Googling, this is a personal web-based shell made by Synsta; he has now stopped using it and others have started using it for other things. It has a brute force FTP cracker, so I would change my username and password. Link to discussion between Synsta and another cracker here