HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 17 January 2008 : 13:02:20

that is still not up to date, 3.4.06 is the current version and there are a few security fixes for 3.4.06 too

markos
Starting Member
33 Posts
Posted - 17 January 2008 : 13:05:56

quote: Originally posted by Podge
quote: Have you searched your logs for any trace of sql injection ?
My point being that they may be getting in through an insecure mod. Search for something like
INSERT+ _TOPIC FORUM_
No, no trace of injection - that's what's bugging me. There's a log of system shutdown (which my ISP confirmed was initiated by them), then, after reload, the first user is being redirected to setup.asp (which was the result of the workaround code I submitted above), but nevertheless, after that the session variables weren't fully loaded, and the spam was inserted using post_info.asp and post.asp WITHOUT any injections, probably just using form data (which is not, as it seems, logged in the IIS log). I can illustrate this by posting the log here, but tomorrow, it's on my office computer...

markos
Starting Member
33 Posts
Posted - 17 January 2008 : 13:09:39

quote: Originally posted by HuwR
that is still not up to date, 3.4.06 is the current version and there are a few security fixes for 3.4.06 too
I've made those fixes by myself. However, I think this is not the problem described in any of those fixes. It seems strange that no one had these problems before... And that there's no trace of an available exploit on the net...

HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 17 January 2008 : 13:19:12

well, nothing you have shown or said so far even indicates that they are using an exploit at all, posting topics/replies using post_info.asp is not an exploit, that is what it is supposed to do. you need to look in your logs for something else, not post_info.asp
your first post states that these things happen when your forum is not accessible, which would kind of indicate that it is not forum related at all, and you have a serious issue somewhere. you can't exploit a security issue if the forum isn't working. and there is certainly nothing whatsoever that would be caused by resetting the sql server, that isn't related to forum code at all. losing application variables just means that the webserver was reset for some reason, it is also not indicative of any exploit having occurred. Spam posts are also not generally the result of an exploit either.
your best bet would be to email either myself or rui your IIS logs.

ruirib
Snitz Forums Admin
Portugal
26364 Posts

markos
Starting Member
33 Posts
Posted - 17 January 2008 : 14:56:30

quote: Originally posted by HuwR
well, nothing you have shown or said so far even indicates that they are using an exploit at all, posting topics/replies using post_info.asp is not an exploit, that is what it is supposed to do. you need to look in your logs for something else, not post_info.asp
your first post states that these things happen when your forum is not accessible, which would kind of indicate that it is not forum related at all, and you have a serious issue somewhere. you can't exploit a security issue if the forum isn't working. and there is certainly nothing whatsoever that would be caused by resetting the sql server, that isn't related to forum code at all. losing application variables just means that the webserver was reset for some reason, it is also not indicative of any exploit having occurred. Spam posts are also not generally the result of an exploit either.
your best bet would be to email either myself or rui your IIS logs.
As I've said - the webserver was indeed reset. After restart - the forum WAS available - but application variables were not loaded, so instead of the normal look - you got just a plain list of forums/topics, but when you click on some forum or topic, you get an SQL error (probably caused by the lack of app variables). At a certain point I realized that and restarted the IIS App. pool and then everything was normal again. Between the webserver restart and my IIS restart only SPAM posts were posted to the board, and I could easily list them in SQL Query Analyzer and I can easily find the corresponding IIS logs for these posts. There's just post_info.asp and post.asp?Method=TOPIC.
However, thanks for your time and help, I will send you the IIS log tomorrow, maybe we'll manage to find an answer...

HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 18 January 2008 : 01:34:27

as I said, none of what you said indicates any kind of security exploit in the forum's code, posting topics via post.asp/post_info.asp is normal, not an exploit, the resetting of sql/IIS/snitz (from the info you have given us) is purely coincidental. SPAM is SPAM, it does not in any way imply there is a problem

markos
Starting Member
33 Posts
Posted - 18 January 2008 : 04:33:15

I have sent you an email with logs.

HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 18 January 2008 : 07:36:45

thanks for the files, that still does not look like a code exploit, it just looks like they logged in and posted a load of stuff using a valid member's account, have you checked the status of member_id 3598 ?
you included in your zip a file called "log of repeated(unsuccesful) attacks" ????? I looked at that file and every log line in it had a status of 200 which means it was a perfectly valid http request which returned a perfectly valid (200) response, so why do you think they were unsuccessful hack attempts ?

markos
Starting Member
33 Posts
Posted - 18 January 2008 : 08:34:20

quote: Originally posted by HuwR
thanks for the files, that still does not look like a code exploit, it just looks like they logged in and posted a load of stuff using a valid member's account, have you checked the status of member_id 3598 ?
you included in your zip a file called "log of repeated(unsuccesful) attacks" ????? I looked at that file and every log line in it had a status of 200 which means it was a perfectly valid http request which returned a perfectly valid (200) response, so why do you think they were unsuccessful hack attempts ?
M_status of Member_ID is 1. I don't think they've been logged in, because, as I've said, in previous attacks they posted the spam under some username although I had locked it!
Unsuccessful attacks means that they've tried repeatedly, every once in a while, to leave posts, but without success! Yes, they've got http status 200, but they've probably got only the "you must be logged in to leave a message" page. Only AFTER the server restart did that attempt result in a successfully left spam message. That's what the problem is here - it seems that when application variables are not loaded they can leave a post. I will take a look at the code, to check that out.

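The disagreement above comes down to IIS log lines that all carry status 200: a denial page and an accepted post look the same by status alone, so the useful signal is when the request happened (relative to the app-pool restart) and how large the response was. The following is an added triage example, not code from the thread or from Snitz; the W3C log excerpt, the file path /forum/post_info.asp and the 03:00-03:30 window are constructed assumptions.

```python
from datetime import datetime

# Constructed IIS W3C log excerpt for illustration; not the poster's real log.
# Assumed: Application variables were unloaded at 03:00 and the app pool restarted at 03:30.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2008-01-16 02:10:05 POST /forum/post_info.asp - 192.0.2.10 200 1800
2008-01-16 02:41:30 POST /forum/post_info.asp - 192.0.2.10 200 1800
2008-01-16 03:00:00 GET /forum/default.asp - 192.0.2.20 200 9000
2008-01-16 03:00:12 POST /forum/post_info.asp - 192.0.2.10 200 320
2008-01-16 03:00:13 GET /forum/post.asp Method=TOPIC&FORUM_ID=3 192.0.2.10 200 15000
2008-01-16 03:05:40 POST /forum/post_info.asp - 192.0.2.10 200 320
"""

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def post_attempts(records, stem="/forum/post_info.asp"):
    """Every POST to the post handler named in the thread, whatever its status code."""
    return [r for r in records if r["cs-method"] == "POST" and r["cs-uri-stem"] == stem]

def _ts(date, time):
    return datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")

def split_by_window(records, start, end):
    """start/end are 'YYYY-MM-DD HH:MM:SS' strings bounding the period without app variables."""
    lo, hi = (datetime.strptime(s, "%Y-%m-%d %H:%M:%S") for s in (start, end))
    inside, outside = [], []
    for r in records:
        (inside if lo <= _ts(r["date"], r["time"]) < hi else outside).append(r)
    return inside, outside

def response_size_profile(records):
    """Count responses by sc-bytes: a short 'you must be logged in' page and an accepted
    post both return 200, so the response size is what separates them in the log."""
    profile = {}
    for r in records:
        size = int(r["sc-bytes"])
        profile[size] = profile.get(size, 0) + 1
    return profile
```

A distinct response size that appears only inside the restart window is the lead to chase in the database (the FORUM_TOPICS rows created in that window), which is what settles whether the posts were accepted or refused.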
HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 18 January 2008 : 09:28:19

quote: M_status of Member_ID is 1
so in other words all the spam was posted by a perfectly valid unlocked account. SO LOCK IT.
quote: Unsuccessful attacks means that they've tried repeatedly, every once in a while, to leave posts, but without success! Yes, they've got http status 200, but they've probably got only the "you must be logged in to leave a message" page.
like I keep saying, attempting to make a post is not a hack attempt, it simply means that a bot is trying to post items in forums it does not have access to, if they get a "you must be logged in" then the forum is working as it should.
quote: Only AFTER the server restart did that attempt result in a successfully left spam message. That's what the problem is here - it seems that when application variables are not loaded they can leave a post. I will take a look at the code, to check that out.
Do you maybe have an iprestriction MOD installed ? this may be using app variables to store the blocked IPs which will get reset if IIS is reset.

markos
Starting Member
33 Posts
Posted - 18 January 2008 : 09:56:01

quote: Originally posted by HuwR
quote: M_status of Member_ID is 1
so in other words all the spam was posted by a perfectly valid unlocked account. SO LOCK IT.
I'm sorry if I'm being rude, but I feel as if I'm talking to a wall. I've said two times already that they've already left posts using a locked account, so locking accounts won't help.
quote: Originally posted by HuwR
quote: Unsuccessful attacks means that they've tried repeatedly, every once in a while, to leave posts, but without success! Yes, they've got http status 200, but they've probably got only the "you must be logged in to leave a message" page.
like I keep saying, attempting to make a post is not a hack attempt, it simply means that a bot is trying to post items in forums it does not have access to, if they get a "you must be logged in" then the forum is working as it should.
Yes - and I'm saying that after the server restart, when app variables are not loaded - they succeed in posting items in forums they don't have access to.
quote: Originally posted by HuwR
quote: Only AFTER the server restart did that attempt result in a successfully left spam message. That's what the problem is here - it seems that when application variables are not loaded they can leave a post. I will take a look at the code, to check that out.
Do you maybe have an iprestriction MOD installed ? this may be using app variables to store the blocked IPs which will get reset if IIS is reset.
No. I have IP Gate.

HuwR
Forum Admin
United Kingdom
20600 Posts
Posted - 18 January 2008 : 10:23:23

quote: I'm sorry if I'm being rude, but I feel as if I'm talking to a wall. I've said two times already that they've already left posts using a locked account, so locking accounts won't help.
you are not being rude, but neither am I, we only have your word for this, all the evidence you have given me does not indicate they are using a locked account at all.
quote: Yes - and I'm saying that after the server restart, when app variables are not loaded - they succeed in posting items in forums they don't have access to.
well, I am now just going to ignore this thread since none of the info you have provided supports this hypothesis, we only have your word for this.
quote: No. I have IP Gate.
no idea how that works so can't comment, but if they are getting in after an IIS reset (sql resets will have no effect whatsoever on anything in the forum) then the thing preventing them must be an application variable which is being reset.
