Author |
Topic  |
Red01Z06
Starting Member
18 Posts |
|
weeweeslap
Senior Member
   
USA
1077 Posts |
Posted - 04 January 2008 : 14:49:33
|
How do you conclude this was done through the forum and not through your FTP? The link indicates files were placed on your home page, and not the forum directory. |
coaster crazy |
 |
|
Red01Z06
Starting Member
18 Posts |
Posted - 04 January 2008 : 14:53:05
|
There is only one file on home page that redirects to forum. No FTP up and running. |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
Red01Z06
Starting Member
18 Posts |
Posted - 04 January 2008 : 14:57:18
|
I found some edits in my DB, in the config_new table:
STRFORUMTITLE "<script>document.location=""http://e-protest.net/hacked/""</script>"
STRCOPYRIGHT "<script>document.location=""http://e-protest.net/hacked/""</script>" |
Edited by - Red01Z06 on 04 January 2008 14:58:18 |
 |
|
MarcelG
Retired Support Moderator
    
Netherlands
2625 Posts |
Posted - 04 January 2008 : 14:58:15
|
It's an SQL injection in the forum title:
<title><script>document.location="http://e-protest.net/hacked/"</script></title>
[edit] What Red said, I was too late.
Red, do you have the PM mod installed, or do you have other (old) mods installed? They have come in somewhere via a SQL injection, or they have gained access to your (or the admin's) account.
Please check your server logs, and check if something can be made up from there, as to how they came in. |
portfolio - linkshrinker - oxle - twitter |
Edited by - MarcelG on 04 January 2008 15:00:39 |
 |
|
Red01Z06
Starting Member
18 Posts |
Posted - 04 January 2008 : 14:59:51
|
Best way to patch, clean? I removed those edits... site still down. |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 04 January 2008 : 15:01:51
|
You will need to apply the December 1st fixes in active.asp. Then visit down.asp?mlev=4 and get the forum up.
Once the forum is up, remove any admins that should not be there.
Don't forget to subscribe to the Announcements Security Related Bug Fixes forum. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
 |
|
MarcelG
Retired Support Moderator
    
Netherlands
2625 Posts |
Posted - 04 January 2008 : 15:01:57
|
Red, the copyright thing is still the script... that's keeping you getting redirected to the hacker's site. |
portfolio - linkshrinker - oxle - twitter |
Edited by - MarcelG on 04 January 2008 15:02:11 |
 |
|
Red01Z06
Starting Member
18 Posts |
Posted - 04 January 2008 : 15:04:04
|
That patch was done after first hack. I cannot visit down.asp as it sends me to hacked site. |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
Red01Z06
Starting Member
18 Posts |
Posted - 04 January 2008 : 15:09:44
|
I edited that table, but hack still there....where else should I look? |
 |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 04 January 2008 : 15:11:59
|
It's also worth re-asking Marcel's question: do you have any MODs installed (or custom code, or anything other than a clean install)? It will help us figure out how you got hacked after applying the patch. |
Edited by - AnonJr on 04 January 2008 15:12:49 |
 |
|
Red01Z06
Starting Member
18 Posts |
Posted - 04 January 2008 : 15:15:25
|
A lot of mods, started with the Imagageforum version. |
 |
|
Red01Z06
Starting Member
18 Posts |
Posted - 04 January 2008 : 15:18:20
|
I believe the hacker came from this IP 88.235.78.31
fyi |
 |
|
HuwR
Forum Admin
    
United Kingdom
20600 Posts |
Posted - 04 January 2008 : 15:18:40
|
If you can get hold of your web server's log files around the time the hack happened, that is the best place to start looking. You can email me the log file if you would rather someone else looked  |
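
An added example, not part of the thread or of Snitz itself: a Python sketch that automates the manual check from this topic by scanning every exported row of the config table for injected markup, not only STRFORUMTITLE and STRCOPYRIGHT. The (name, value) row format, the pattern list and the two EXAMPLE_ settings are assumptions; the sample rows are constructed from the values quoted above.

```python
import html
import re
from urllib.parse import unquote

# Markup that has no place in plain-text forum settings (assumed pattern list).
SUSPICIOUS = {
    "script tag": re.compile(r"<\s*/?\s*script\b"),
    "client redirect": re.compile(r"(document|window)\s*\.\s*location"),
    "meta refresh": re.compile(r"<\s*meta\b[^>]*http-equiv\s*=\s*[\"']?refresh"),
    "frame/object": re.compile(r"<\s*(iframe|frame|object|embed)\b"),
    "event handler": re.compile(r"<[^>]*\bon[a-z]+\s*="),
    "javascript: URL": re.compile(r"javascript\s*:"),
}

def normalize(value):
    """Undo URL and HTML-entity encoding so an obfuscated payload still matches."""
    text, prev = value, None
    for _ in range(3):  # a few rounds cover double encoding
        if text == prev:
            break
        prev = text
        text = html.unescape(unquote(text))
    return text.replace("\x00", "").lower()

def scan_config(rows):
    """rows: iterable of (setting_name, value). Returns {name: [reasons]}."""
    findings = {}
    for name, value in rows:
        text = normalize(value or "")
        hits = [label for label, rx in SUSPICIOUS.items() if rx.search(text)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample: the first two values are the ones reported in this topic,
# the EXAMPLE_ settings are hypothetical (one clean, one entity-encoded variant).
PAYLOAD = '<script>document.location="http://e-protest.net/hacked/"</script>'
SAMPLE_ROWS = [
    ("STRFORUMTITLE", PAYLOAD),
    ("STRCOPYRIGHT", PAYLOAD),
    ("EXAMPLE_CLEAN_SETTING", "http://www.example.com/forum/"),
    ("EXAMPLE_ENCODED_SETTING", "&lt;SCRIPT&gt;window.location=1&lt;/SCRIPT&gt;"),
]

if __name__ == "__main__":
    for name, reasons in scan_config(SAMPLE_ROWS).items():
        print(f"{name}: {', '.join(reasons)}")
```

Any setting it reports should be restored to a known-good value, and the row's change time compared against the web server logs to find the request that wrote it.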
 |
|