Author |
Topic  |
markos
Starting Member
33 Posts |
Posted - 17 January 2008 : 08:03:27
|
I'm having some trouble lately (previous 4-5 months, but not so often) with spam messages on my forum. I've traced the logs and it seems that the intruder gets in AFTER the restart of the MSSQL server by ISP staff, using post_info.asp. He manages to leave the posts and topics without authentication, just by some random username (but always the same for each "spam session"). During that period, the forum is unusable - it seems that the application variables are lost, you can see the list of topics, but without colour scheme, and you cannot open any topic or leave posts. When I restart the application pool, the forum is normal again. It starts to get annoying; at first I blacklisted the attacker's IP addresses, but they obviously use either a proxy or something, so it's inefficient. Any clues?
If needed, I can post IIS logs etc etc. Regards, Marko |
|
Podge
Support Moderator
    
Ireland
3776 Posts |
|
markos
Starting Member
33 Posts |
Posted - 17 January 2008 : 08:32:43
|
How do you mean - physically hosted or what is the address? |
Edited by - markos on 17 January 2008 08:32:53 |
 |
|
Podge
Support Moderator
    
Ireland
3776 Posts |
|
Shaggy
Support Moderator
    
Ireland
6780 Posts |
Posted - 17 January 2008 : 09:05:16
|
How do you know they're getting in through post_info.asp? Do the usernames they post under belong to existing members?
|
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
 |
|
markos
Starting Member
33 Posts |
Posted - 17 January 2008 : 09:23:56
|
quote: Originally posted by Podge
The url to the forum. I just want to see what type of spam it is. Email me the address & a test username & password if you don't want to share it here. Is it shared or dedicated hosting you are on ?
Shared hosting.
There's nothing to see on site, because I've deleted the posts. But I've saved the recordset with all the info, though.
Here's one example:
2 5 0 699344 NULL 3598 Breathe <a href=http://groups.google.com/group/allison6251/web/free-ringtones-lg-cell-phone>cell free lg phone ringtones verizon</a> fish shoe pasadena <a href=http://groups.google.de/group/evelyn7337/web/klingeltne-3>logo klingeltöne< 20080117124549 83.21.225.171 1 NULL NULL 0
Anyway, the forum url is forum.stripovi.com.
For Shaggy - I know it because I can see in IIS logs. The post is left under existing username (and strangely - the "number of post" counter for that user is not increased).
Here's IIS log line for previous post:
2008-01-17 11:46:00 W3SVC26281 PADME 85.94.76.21 POST /post_info.asp - 80 - 83.21.225.171 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - - forum.stripovi.com 200 0 64 0 948 15765
What is strange here is that I can see in IIS logs that the same attack attempts are repeated every day, and only AFTER the restart of SQL (or Web server) they manage to get in!
|
 |
|
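The IIS line quoted above is a W3C extended log entry: a POST to /post_info.asp with no Referer and no Cookie, from a client that keeps returning daily. The script below is an added example (not code from the thread or from Snitz) that parses such a log and flags exactly those direct posts, then reports which client IPs repeat them across days. Assumptions: the log carries a #Fields header with the 22-column layout the quoted line matches; a legitimate post submitted through post.asp arrives with a Referer and the forum's login cookie. The log sample is constructed; only its first line mirrors the one quoted in the thread.

```python
"""Flag direct POSTs to post_info.asp in an IIS W3C extended log.

Added example, not from the original thread or the Snitz code base.
Assumptions: W3C extended format with a #Fields header; a browser
submitting the post.asp form sends a Referer and the login cookie, so a
POST to post_info.asp carrying neither is treated as a direct submission.
"""
from collections import Counter, defaultdict

# Constructed sample log. The #Fields header is assumed; the first data line
# mirrors the line quoted in the thread, the rest are made up for the example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-01-17 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2008-01-17 11:46:00 W3SVC26281 PADME 85.94.76.21 POST /post_info.asp - 80 - 83.21.225.171 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - - forum.stripovi.com 200 0 64 0 948 15765
2008-01-17 11:50:12 W3SVC26281 PADME 85.94.76.21 GET /post.asp method=Topic&FORUM_ID=19 80 - 10.0.0.5 HTTP/1.1 Mozilla/5.0 Snitz00=sessionstuff http://forum.stripovi.com/forum.asp?FORUM_ID=19 forum.stripovi.com 200 0 0 15000 400 31
2008-01-17 11:51:03 W3SVC26281 PADME 85.94.76.21 POST /post_info.asp - 80 - 10.0.0.5 HTTP/1.1 Mozilla/5.0 Snitz00=sessionstuff http://forum.stripovi.com/post.asp?method=Topic&FORUM_ID=19 forum.stripovi.com 302 0 0 300 900 47
2008-01-18 03:12:44 W3SVC26281 PADME 85.94.76.21 POST /post_info.asp - 80 - 83.21.225.171 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - - forum.stripovi.com 200 0 0 0 948 120
"""

TARGET = "/post_info.asp"


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            # Skip malformed lines instead of misaligning columns.
            continue
        yield dict(zip(fields, parts))


def is_direct_post(rec):
    """True for a POST to post_info.asp carrying neither Referer nor Cookie."""
    return (
        rec.get("cs-method") == "POST"
        and rec.get("cs-uri-stem", "").lower() == TARGET
        and rec.get("cs(Referer)", "-") == "-"
        and rec.get("cs(Cookie)", "-") == "-"
    )


def find_direct_posts(text):
    return [r for r in parse_w3c(text) if is_direct_post(r)]


def daily_counts(records):
    """Count flagged requests per (client IP, date)."""
    counts = Counter()
    for r in records:
        counts[(r["c-ip"], r["date"])] += 1
    return counts


def repeat_offenders(records, min_days=2):
    """Client IPs whose direct posts recur on at least min_days distinct dates."""
    days = defaultdict(set)
    for r in records:
        days[r["c-ip"]].add(r["date"])
    return {ip: sorted(d) for ip, d in days.items() if len(d) >= min_days}


if __name__ == "__main__":
    hits = find_direct_posts(SAMPLE_LOG)
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["cs-version"], "status", h["sc-status"])
    print("repeat offenders:", repeat_offenders(hits))
```

Treat this as a triage aid, not a control: a spammer can set a Referer header as easily as omit one, so the real fix is a server-side authentication check in post_info.asp that does not depend on Application state surviving a restart. Run the script over the real logs to list the flagged requests per day, then compare their timestamps with the SQL and app pool restarts.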
Shaggy
Support Moderator
    
Ireland
6780 Posts |
Posted - 17 January 2008 : 09:47:18
|
The first thing you should do is upgrade your forums to the latest version. Off the top of my head, I don't remember any issues with v3.4.03 that would result in someone being able to do this. Once you've upgraded, recreate the conditions on the server that previously allowed them in and see if they can still make their posts. If it weren't for the fact that the member's post count wasn't being increased, I would have suggested that they were using the bug in password.asp to gain access to existing accounts.
|
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
 |
|
markos
Starting Member
33 Posts |
Posted - 17 January 2008 : 09:58:43
|
quote: Originally posted by Shaggy
The first thing you should do is upgrade your forums to the latest version. Off the top of my head, I don't remember any issues with v3.4.03 that would result in someone being able to do this. Once you've upgraded, recreate the conditions on the server that previously allowed them in and see if they can still make their posts. If it weren't for the fact that the member's post count wasn't being increased, I would have suggested that they were using the bug in password.asp to gain access to existing accounts.
Well, I've included a few mods in this version, and I really wouldn't want to upgrade to the new version and go through the whole process of mod implementation again. I've made all the changes required in the security fixes mentioned on this board, so I'm not sure the upgrade will do any good. It definitely isn't password.asp, because as a normal user, during that time (remember: app variables seem to be gone!) you simply cannot post anything normally. You get something like this:
/forum.asp FORUM_ID=19|333|800a0bb9|Arguments_are_of_the_wrong_type__are_out_of_acceptable_range__or_are_in_conflict_with_one_another.
/post.asp method=ReplyQuote&REPLY_ID=691802&TOPIC_ID=28636&FORUM_ID=20|1643|80040e14|Incorrect_syntax_near_the_keyword_'SELECT'.
Also, I've locked the first user under whose name the first spam appeared, and the next time they appeared again under his name, even though he was locked. Anyway, I'll check password.asp anyway. |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 17 January 2008 : 10:11:48
|
The problem may well result from the fact that the session variables are not being loaded once the server is reset. It should, but it seems it doesn't always happen. I think someone wrote code to ensure that session variables are always loaded. I will search for it and post again. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
markos
Starting Member
33 Posts |
Posted - 17 January 2008 : 10:42:08
|
I've already had this problem and solved it by myself (or at least I thought so) by adding this in config.asp:
If Application(strCookieURL & "ConfigLoaded") = "" Or IsNull(Application(strCookieURL & "ConfigLoaded")) Or blnSetup = "Y" Then
    ' Application-level config is missing (e.g. after an app pool or SQL restart) or setup is running: reload it
    On Error Resume Next
    blnLoadConfig = True
    Set my_Conn = Server.CreateObject("ADODB.Connection")
    my_Conn.Errors.Clear
    Err.Clear
    my_Conn.Open strConnString
    ' Walk the ADO errors collection; a connection error sends the visitor to setup.asp unless setup is already running
    For counter = 0 To my_Conn.Errors.Count - 1
        ConnErrorNumber = Err.Number
        ConnErrorDesc = my_Conn.Errors(counter).Description
        If ConnErrorNumber <> 0 Then
            If blnSetup <> "Y" Then
                my_Conn.Errors.Clear
                Err.Clear
                Response.Redirect "setup.asp?RC=1&CC=1&strDBType=" & strDBType & "&EC=" & ConnErrorNumber & "&ED=" & Server.URLEncode(ConnErrorDesc)
            Else
                blnLoadConfig = False
            End If
        End If
    Next
    my_Conn.Errors.Clear
    Err.Clear
    ' the rest of the config load in config.asp follows here
End If
|
Edited by - markos on 17 January 2008 10:42:54 |
 |
|
markos
Starting Member
33 Posts |
Posted - 17 January 2008 : 10:47:12
|
The always_setup.asp file in the link you've posted contains some possible database modifications for 3.4.06, which I don't know how might affect 3.4.03. |
 |
|
Podge
Support Moderator
    
Ireland
3776 Posts |
|
HuwR
Forum Admin
    
United Kingdom
20600 Posts |
Posted - 17 January 2008 : 12:23:10
|
quote: Originally posted by markos
The always_setup.asp file in the link you've posted contains some possible database modifications for 3.4.06, which I don't know how might affect 3.4.03.
if you are using 3.4.03 you MUST upgrade if you wish to make the forum more secure. |
 |
|
Podge
Support Moderator
    
Ireland
3776 Posts |
|
markos
Starting Member
33 Posts |
Posted - 17 January 2008 : 12:58:41
|
quote: Originally posted by HuwR
quote: Originally posted by markos
The always_setup.asp file in the link you've posted contains some possible database modifications for 3.4.06, which I don't know how might affect 3.4.03.
if you are using 3.4.03 you MUST upgrade if you wish to make the forum more secure.
I am pretty sure I have 3.4.04 not 03. |
 |
|