Snitz Forums 2000
 Users posted as another user (me!)

MJFarmgirl
Starting Member

USA
39 Posts

Posted - 16 July 2008 :  20:02:05
I've tried searching but no luck, and I'm not really sure what terms to use anyway.
We've had a thrice-recurring problem. I'll try to keep this as short as I can, but I'm not sure how well I'll do and still feel I'm giving all the pertinent info.
The common thread - all posts during each timeframe came through as another user, hypothesized to be the first on the list of members' emails beneath the super admin. Originally that was the user Sarah that set up our Snitz forum, and the last two times me, since her user account was recreated or something after the initial incident.

For more information than you may need, proceed. I'm being explicit, because each may be separate causations:
Incident 1:
Our "latest posts" RSS feed on a non-Snitz page stopped working, and eventually our forum lost all its graphical formatting (like the things set up under Admin Options > Font/Table Color Code Configuration). There were many spam posts, as well as many legitimate posts that came through from "Sarah", but were obviously from other users (Sarah didn't even work here at that point, and was inactive on the forum, but we can be fairly sure it was not her, because we know her AND parted on happy terms).
Our ISP fixed it, and other than that I don't remember the outcome (other than that we may have recreated Sarah's account, since it got moved from its previous spot in the listing).

Incident 2:
Users started complaining about having problems posting and eventually the graphical formatting disappeared, etc. just like above. This time the legitimate posts came from me. Here's a link to a remnant from that attack: http://www.maryjanesfarm.org/snitz/topic.asp?TOPIC_ID=19505
Look for "Gabe" further down the page. Should have been "cathy cobblestone".
Our ISP fixed it once again, and told us that some hacker with a Netherlands IP was to blame. They also had me change my password for good measure.

Incident 3:
While sitting at my computer during the entire hour of it, two posts from a particular user, a moderator of ours, came through as though from me, as well as a third post spamming from a newly approved user. Unfortunately all these incidents have been deleted or corrected, so there's no evidence. I changed my account password immediately after it came to my attention, and thereafter we saw no other problems, whether because of or regardless.

Has anyone an explanation? Or has anyone seen this behavior before?
Thanks in advance.

Farmgirl Connection
MaryJanesFarm

AnonJr
Moderator

United States
5768 Posts

Posted - 16 July 2008 :  20:33:26
What version of the forums are you running? Have you been keeping up with the updates?

You may also want to peruse this thread: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=66113

It may or may not be related, but either way it's worth going through.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 16 July 2008 :  21:16:25
There have been similar reports and all of them are related to application variables being lost (what you describe as graphical formatting disappearing). It seems that if app variables are lost, spam posts can be made. We actually don't know very much about this, as it seems real hard to recreate.

Do you have server logs for any of the situations?


Snitz 3.4 Readme | Like the support? Support Snitz too

MJFarmgirl
Starting Member

USA
39 Posts

Posted - 17 July 2008 :  14:41:09
Apparently we are on ver. 3.04.05 (sorry for not including that the first time).

We have not been very good about keeping updated, and at this point we have a lot of custom code that would require someone to really familiarize themselves with what we've done before updating so we can put it all back in place - which is pretty much where we're headed if we're going to keep it running: an .ASP Snitz expert (unless I want to start working evenings, too).
I am subscribed to the security updates topic now (thank you for that advice) after a recent hack (same vein as all the others you've seen) on another Snitz forum we're running.

I assume that our customizations could play a role in the problem of losing app variables, except much of the customization has been since the original occurrence (for what that's worth... *crinkle, toss*).

I will check out that link sometime soon, and also see whether I can get some logs from our ISP.
Way too much multi-tasking on my end, but I'll try to keep it timely.

Edited by - MJFarmgirl on 17 July 2008 14:43:33

budzombie
Starting Member

2 Posts

Posted - 19 July 2008 :  20:39:49
I think the same thing happened to me today. My forum is current with security patches. Here's my initial theory on what happened:

1) My SQLServer was having problems last night for several hours - I think it was connectivity issues between my app server and my SQLServer. This happens a couple of times a year, so it's not an unheard of or a terribly unusual event. However, I've never associated it before with a forum issue.

2) In the midst of these intermittent SQLServer issues (not immediately, but an hour or so into them), my Snitz forum throws its first error trying to access SQLServer. I can see in the logs where post_info.asp starts throwing a "General_network_error". That error is consistent with what my non-forum SQL apps are occasionally reporting. The only somewhat curious thing I notice is an IP address from Serbia seems to be hitting post_info.asp once an hour or so and happens to be the first forum access that trips on the forum in an error state.

3) About 4 hours into the SQLServer issues, the error changes to one occurrence of an "SQL_Server_does_not_exist_or_access_denied." message, and then consistently is a "ADODB.Recordset error '800a0bb9' Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another. " error in forum.asp. I take this to mean that the forum is now able to access SQLServer, but has somehow lost its app variables.

4) Attempts to access the forum at this point get the "no formatting" look to the main forum page and an access to any specific forum returns "ADODB.Recordset error '800a0bb9' Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another. " error in forum.asp.

5) Before and after the above incidents, I got the usual sundry of automated spam posting attempts, none of which were successful. I've got a couple of custom measures (custom required fields in registration) to block spam.

6) 5 hours or so after the first forum error, a manual spam attack was successful. Someone was either able to manually register, or was not required to be logged in and was able to post a variety of spam messages. They all showed up attributed to the first non-admin user on the board, even though this spammer had not logged in as that user. Even though I have moderation turned on to deal with manual spam attacks, the posts were not moderated... presumably because of the "lost variables" state. I see the first couple of posts they made were test posts of something like "Test Message"... as if they weren't sure if their posts were really going to work.

6) I noticed that when I browsed the board in its "lost variables" state, my IP address was then shown as the "last access" for that "first non-admin user". So something is clearly whacked regarding user identification in this "lost variable" state.

7) Aside from a couple of spam posts (albeit attributed to the wrong user), I don't see anything else unusual.

I'm still looking at it, but so far I don't see a hack here... I think it's more likely a bug or missing feature in how the forum code deals with DB stability issues and/or corrupted app variables. I haven't had a chance to check the data in the forum db tables yet for mischief.

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 20 July 2008 :  02:40:53
User identification has nothing to do with application variables, the only thing stored in application variables are forum configuration settings, and losing the database connection does not cause loss of application variables either. The only thing that can cause the app variables to disappear is if IIS crashes or is reset (this would be indicated in your log file by a gap and a new header line).

So losing app variables will have no effect on posting, posters would still need to be logged in with a valid account in order to post. It may affect floodcontrol and/or moderation, but would not allow someone to post as another member or post if not logged in, unless of course you have some mods that would change that behaviour.
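The log check described in the post above (an IIS reset appears as a gap and a new header line), as an added example that is not part of any post in this thread or of the Snitz code: this Python sketch scans an IIS W3C log for header blocks that reappear mid-file, measures the gap, and lists POSTs to post_info.asp in the window that follows. The sample log lines, IP addresses, field order and the two-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of an IIS W3C extended log (documentation IP ranges, not from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-07-19 00:00:05
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-07-19 00:00:05 192.0.2.10 GET /forum/default.asp 200
2008-07-19 01:02:11 198.51.100.7 POST /forum/post_info.asp 500
2008-07-19 01:05:40 192.0.2.10 GET /forum/forum.asp 200
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-07-19 04:31:02
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-07-19 04:31:02 192.0.2.10 GET /forum/forum.asp 500
2008-07-19 05:10:27 203.0.113.44 POST /forum/post_info.asp 302
2008-07-19 05:11:03 203.0.113.44 POST /forum/post_info.asp 302
"""

def find_restarts(log_text, watch="/post_info.asp", window=timedelta(hours=2)):
    """One dict per mid-file header block: the gap before it and watched POSTs after it."""
    fields, last_ts, restarts, seen_header, pending = [], None, [], False, False
    for line in log_text.splitlines():
        if line.startswith("#Software:"):
            pending = seen_header and last_ts is not None  # header after data = restart
            seen_header = True
        elif line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            if pending:  # first request logged after the new header
                restarts.append({"resumed": ts, "gap": ts - last_ts, "posts": []})
                pending = False
            if (restarts and ts - restarts[-1]["resumed"] <= window
                    and row.get("cs-method") == "POST"
                    and row.get("cs-uri-stem", "").lower().endswith(watch)):
                restarts[-1]["posts"].append((ts, row.get("c-ip")))
            last_ts = ts
    return restarts

if __name__ == "__main__":
    for r in find_restarts(SAMPLE_LOG):
        print("restart; log resumed", r["resumed"], "after gap", r["gap"])
        for ts, ip in r["posts"]:
            print("  POST to post_info.asp", ts, ip)
```

Posts listed this way are candidates to compare against the author and IP recorded in the forum database for the same timestamps.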

budzombie
Starting Member

2 Posts

Posted - 20 July 2008 :  09:16:14
Yes, IIS looks like it was reset in the midst of the SQLServer issues I was describing.

bobby131313
Senior Member

USA
1163 Posts

Posted - 20 July 2008 :  11:23:12
Well it happened to me a while ago, there is absolutely some kind of problem that allows a hacker to get in when IIS is reset. From what I've seen posted here in the past it always seemed to be member ID #2 (which is me on my forum). The last time my app variables were lost there was a half dozen spam posts under my name.

Switch the order of your title tags

modifichicci
Average Member

Italy
787 Posts

Posted - 20 July 2008 :  11:37:15
Yes, it is member id = 2 that is used to spam.
I don't know how they can do it, maybe cookies use?

Ernia e Laparocele
Forum di Ernia e Laparocele
Acces - MySql Migration Tutorial
Adamantine forum

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 20 July 2008 :  12:13:06
quote:
Originally posted by bobby131313

Well it happened to me a while ago, there is absolutely some kind of problem that allows a hacker to get in when IIS is reset.


Unless you can prove it, there is no basis for such a statement.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 20 July 2008 :  12:22:49
We now have several users who reported precisely that exact situation: loss of app variables, spam posts made under ID#2. Not sure what the heck happens, but the reports are there and I, for sure, would like to be able to reproduce this. Just getting the dang app variables to be lost is hard.


Snitz 3.4 Readme | Like the support? Support Snitz too

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 20 July 2008 :  13:02:07
It doesn't prove anything other than they used an account to post spam, something which, believe it or not, the forum is actually designed to do.

What did your host tell you? Obviously something you believe above what we have to say? However, without evidence, your statement means no more or less than mine.

bobby131313
Senior Member

USA
1163 Posts

Posted - 20 July 2008 :  13:03:28
You know what, I deleted my post, I'm not going to have this argument. I'll just fix it if it happens again.

Switch the order of your title tags

modifichicci
Average Member

Italy
787 Posts

Posted - 20 July 2008 :  13:55:15
just happens here!

loss of app variables and a spam post by huwr...

Are you working or was it real spam?

Ernia e Laparocele
Forum di Ernia e Laparocele
Acces - MySql Migration Tutorial
Adamantine forum

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 20 July 2008 :  13:56:52
We're working on it.


Snitz 3.4 Readme | Like the support? Support Snitz too

modifichicci
Average Member

Italy
787 Posts

Posted - 20 July 2008 :  14:02:40
:)

Ernia e Laparocele
Forum di Ernia e Laparocele
Acces - MySql Migration Tutorial
Adamantine forum