Author |
Topic |
|
endomorph
Junior Member
United Kingdom
128 Posts |
Posted - 04 March 2008 : 14:15:40
|
I have just been hacked by TURKISH DEFACER KimLiksiZ DEVLET.
No serious damage done; they appear to have just placed default.asp, default.cfm, default.htm, default.html, default.php in the wwwroot and in the forum directory.
As far as I am aware, I am fully up to date on all fixes.
No new memberships appear to have been created.
Any ideas, anyone?
|
Need help with your Snitz ? Most Snitz & ASP custom coding undertaken. Email for info | Search Engine Optimisation |
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 04 March 2008 : 14:17:24
|
There is nothing in the forum that would allow them to upload files to any directory on your server, let alone the root. If they have done this, it is not via Snitz. |
|
|
AnonJr
Moderator
United States
5768 Posts |
Posted - 04 March 2008 : 16:08:04
|
At least not the base Snitz... do you have any file upload MODs installed? |
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
|
endomorph
Junior Member
United Kingdom
128 Posts |
Posted - 04 March 2008 : 17:23:31
|
Yes I do have a file upload MOD installed. Can't remember which one, but it is Snitz based.
1. I have Googled for them and they do not appear to have any history of attacking Snitz based sites.
2. I have looked through the log files and cannot see anything strange (although my knowledge of what to look for is moderate, so I may have missed something). There were no file uploads for several hours before for certain.
3. They placed the files in every single folder throughout the whole site (must have been done by a robot, as all files have the same time stamp).
My hosts have been fantastic and I was only down for 2 hours, nothing lost as I back up every hour, so minimal disruption in the end. I am just concerned by how and with what and if it will happen again. |
|
|
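A triage check for the pattern described in the post above (the same file names dropped into every folder with one time stamp), given here as an added example that is not part of the original thread. The function name `find_batch_drops` and its thresholds are assumptions; the time window it reports is what to line up against the web and FTP logs.

```python
import os
import sys
from collections import defaultdict
from datetime import datetime, timezone


def find_batch_drops(root, window=2.0, min_dirs=3):
    """Find same-named files written into >= min_dirs directories with
    modification times chained within `window` seconds of each other."""
    by_name = defaultdict(list)  # lower-cased basename -> [(mtime, path)]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                by_name[name.lower()].append((os.stat(path).st_mtime, path))
            except OSError:
                continue  # file vanished or is unreadable; skip it
    findings = []
    for name, entries in by_name.items():
        entries.sort()
        cluster = [entries[0]]
        # The trailing sentinel forces the last cluster to be evaluated.
        for item in entries[1:] + [(float("inf"), None)]:
            if item[0] - cluster[-1][0] <= window:
                cluster.append(item)
                continue
            dirs = {os.path.dirname(p) for _, p in cluster}
            if len(dirs) >= min_dirs:
                as_utc = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
                findings.append({
                    "name": name,
                    "first_utc": as_utc(cluster[0][0]),
                    "last_utc": as_utc(cluster[-1][0]),
                    "paths": sorted(p for _, p in cluster),
                })
            cluster = [item]
    return sorted(findings, key=lambda f: f["first_utc"])


if __name__ == "__main__":
    # Usage: python find_batch_drops.py <path-to-wwwroot>
    for hit in find_batch_drops(sys.argv[1]):
        print(f'{hit["name"]}: {len(hit["paths"])} copies, '
              f'{hit["first_utc"]} .. {hit["last_utc"]}')
        for p in hit["paths"]:
            print("   ", p)
```

Modification times can be set by whoever wrote the files, and a legitimate bulk deployment produces the same pattern, so treat a hit as a lead for the log review rather than proof.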
AnonJr
Moderator
United States
5768 Posts |
Posted - 04 March 2008 : 17:34:19
|
You really ought to audit the upload code. While there's no way to know without looking at the logs if that was the vector they used, it's a potential point of entry and thus worth looking into. |
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 04 March 2008 : 17:35:36
|
No forum based hack would cause that, IMO. That's a server-side thing; server security was compromised somehow. FrontPage extensions "hacks" are usually called defacing attacks, and the group does call itself "DEFACER".
Probably your host should just reinstall FP extensions if you use them, or remove them altogether, if you don't use them. Many times this can be done by you. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
|
|
endomorph
Junior Member
United Kingdom
128 Posts |
Posted - 05 March 2008 : 01:45:50
|
Some interesting comments there. I will look into the FP for certain. |
|
|
AnonJr
Moderator
United States
5768 Posts |
Posted - 05 March 2008 : 09:14:11
|
If you're not making use of FrontPage extensions, I'd highly recommend that you turn them off.
Actually, I highly recommend that you don't use them at all and that you turn them off. |
|
|