Snitz Forums 2000
 New SQL Injection Attack?

cult_of_frank
Starting Member

Canada
20 Posts

Posted - 15 November 2008 : 15:32:14
Hi again. I'm running the latest version of Snitz with all the updates and patches, I'm subscribed to the security forum, and as far as mods go, I have a running news-ticker at the top of my active and default forum pages (which doesn't take any outside input) and a customized search for MSSQL by the fine folks here.

The site, for reference: http://forum.frankblack.net

Anyway, I was just on my forum last night and all was well, but this morning, everything is crazy. Most of the images aren't loading and there's no means of logging in or anything.

It looks like none of the files have been modified (though I did see in config.asp that the admin was pointing to a non-existing user account which may have been a leftover from a previous attack), so I naturally looked in the database. There's no config table though I do have a table called config_new which I can't remember if _I_ created (the info looks valid in there).

Anyway, before I go and recreate the config table, I wanted to get to the bottom of how exactly I was hacked anyway since, well, if I just copy the config across, there's nothing to stop it from happening again.

So I went log browsing, but I already am over my head. Still, it seems like pop_profile, post, default, and topic.asp are the targets.

The first error I find looks like this:

GET /pop_profile.asp mode=display&id=8225|137|80004005|[DBNETLIB][ConnectionWrite_(send()).]General_network_error._Check_your_network_documentation. 80 - 201.92.21.214 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+.NET+CLR+2.0.50727) %2FGROUP=2;+ASPSESSIONIDACCSQBSS=PENHEAEDIOOBDHDFCBPHIBPA http://forum.frankblack.net/topic.asp?ARCHIVE=true&TOPIC_ID=11444 forum.frankblack.net 500 0 64 0 588 21422

They go through pop_profile, topic, and post, where they try ConnectionWrite(Connect()) and receive a SQL_Server does not exist. Then they hammer at that a bit and eventually try something with setup.asp and default.asp:

GET /setup.asp RC=1&CC=1&strDBType=sqlserver&EC=-2147467259&ED=%5BDBNETLIB%5D%5BConnectionOpen+%28Connect%28%29%29%2E%5DSQL+Server+does+not+exist+or+access+denied%2E 80 -

Eventually, they do this. I don't think it's a success, but it looks like they're getting SQL to do things:

GET /topic.asp whichpage=-1&TOPIC_ID=19336&REPLY_ID=446006|231|800a000b|Division_by_zero 80 - 72.30.78.236 HTTP/1.0 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) - - forum.frankblack.net 500 0 0 5653 261 265


... and then this:

GET /post.asp method=ReplyQuote&REPLY_ID=448569&TOPIC_ID=20461&FORUM_ID=1|1422|80040e14|Incorrect_syntax_near_the_keyword_'SELECT'. 80 - 65.55.210.222 HTTP/1.1 msnbot/1.1+(+http://search.msn.com/msnbot.htm) - - forum.frankblack.net 500 0 0 12506 342 406

.. and so on. I've now renamed most of the files because I can't tell if they're still trying to do things and I've put up a copy of the log here (I've taken out most of the initial business-as-usual pre-attack stuff though I left some of it in for reference and in case I missed something):

http://www.frankblack.net/ouch.log

Any assistance is extremely appreciated.
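An added triage script for log lines of the shape quoted above (example code written for this page, not Snitz project code): it splits off the "|line|hresult|message" suffix IIS appends to the query field when an ASP page errors, converts the signed decimal EC that setup.asp is called with back into an HRESULT, and separates connection failures from the 80040e14 syntax errors that are the only real injection signal in these logs. The sample lines, the documentation IP addresses and the ERROR_CLASSES wording are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Hypothetical triage table for the error codes in the thread. 80040e14: OLE DB syntax error
# (SQL Server rejected the query text, which is what a tampered parameter produces).
# 80004005 + DBNETLIB: transport failure. 800a000b: VBScript "Division by zero".
ERROR_CLASSES = {
    "80040e14": "sql-syntax-error: check request parameters and patch level",
    "80004005": "db-connectivity-failure: not an injection signature",
    "800a000b": "script-runtime-error: unexpected input value",
}
# When an ASP page errors, IIS appends "|<asp line>|<hresult>|<message>" to cs-uri-query.
ASP_ERR = re.compile(r"^([^|]*)\|\d+\|([0-9a-f]{8})\|(.*)$", re.I)
ID_PARAMS = ("id", "TOPIC_ID", "REPLY_ID", "FORUM_ID", "CAT_ID", "whichpage")
# Constructed lines in the thread's W3C layout (method, uri-stem, uri-query, port, user, c-ip, ...).
SAMPLE_LOG = """\
GET /pop_profile.asp mode=display&id=8225|137|80004005|[DBNETLIB][ConnectionWrite_(send()).]General_network_error. 80 - 192.0.2.10 HTTP/1.1 Mozilla/4.0 - - forum.example 500 0 64 0 588 21422
2009-01-08 03:39:58 W3SVC904 192.0.2.1 GET /forums/setup.asp RC=1&CC=1&strDBType=sqlserver&EC=-2147467259&ED=%5BDBNETLIB%5D 80 - 192.0.2.11
GET /topic.asp whichpage=-1&TOPIC_ID=19336&REPLY_ID=446006|231|800a000b|Division_by_zero 80 - 192.0.2.12 HTTP/1.0 Slurp - - forum.example 500 0 0 5653 261 265
GET /post.asp method=ReplyQuote&REPLY_ID=448569&TOPIC_ID=20461&FORUM_ID=1|1422|80040e14|Incorrect_syntax_near_the_keyword_'SELECT'. 80 - 192.0.2.13 HTTP/1.1 msnbot - - forum.example 500 0 0 12506 342 406
"""

def parse_line(line):
    """Locate the method token, then read uri-stem, uri-query and c-ip relative to it."""
    f = line.split()
    i = next((n for n, t in enumerate(f) if t in ("GET", "POST", "HEAD")), None)
    if i is None or len(f) < i + 6:
        return None
    rec = {"path": f[i + 1], "query": f[i + 2], "client_ip": f[i + 5], "code": None, "msg": ""}
    m = ASP_ERR.match(rec["query"])
    if m:  # split the error suffix off so the real query string can be parsed
        rec.update(query=m.group(1), code=m.group(2).lower(),
                   msg=unquote_plus(m.group(3)).replace("_", " "))
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["query"]).items()}
    return rec

def classify(rec):
    """Return (severity, reason); 'alert' rows deserve a human's attention first."""
    p = rec["params"]
    # setup.asp is reached by the forum's own redirect when the DB connection drops; its EC
    # parameter is the HRESULT as a signed decimal (-2147467259 == 0x80004005).
    if rec["path"].lower().endswith("setup.asp") and p.get("EC", "").lstrip("-").isdigit():
        hres = "%08x" % (int(p["EC"]) & 0xFFFFFFFF)
        return ("info", "setup redirect after " + ERROR_CLASSES.get(hres, "error " + hres))
    if rec["code"] == "80040e14":
        return ("alert", ERROR_CLASSES[rec["code"]])
    odd = [k for k in ID_PARAMS if k in p and not p[k].isdigit()]
    if odd:  # negative or non-numeric ids (whichpage=-1 in the thread) mean a tampered URL
        return ("warn", "non-numeric id parameter(s): " + ", ".join(odd))
    return ("info", ERROR_CLASSES[rec["code"]]) if rec["code"] in ERROR_CLASSES else ("ok", "")
```

Run it over a whole W3C log with `for line in open(path): ...` and only read the rows classify() marks as alert or warn.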

cult_of_frank
Starting Member

Canada
20 Posts

Posted - 15 November 2008 : 16:28:42
I was looking through the replies database, nothing there. In the TOPICS table, the last three posts belong to a user I created to prevent anyone from actually using that username (i.e. this account was hacked). UserID = 2.

Posts:

Sub: Helen never next king later time foods.
Msg: MESSAGE

Sub: Helen never next king later time foods.
Msg: Prince agree indication that <a href=http://bonusroundtulzfc.fora.pl/>bonus round</a> are over <a href=http://threeofakindrhcrxc.fora.pl/>three of a kind</a> journey. Beetle protested age when <a href=http://fourofakinderkeld.fora.pl/>four of a kind</a> tune must <a href=http://deuceswildzoqfed.fora.pl/>deuces wild</a> identified the <a href=http://gamblingquyvbw.fora.pl/>gambling</a> treasurer. Twenty minutes antagonize almost <a href=http://dontcomebetccsmgw.fora.pl/>don't come bet</a> require sympathy <a href=http://comepointymtila.fora.pl/>come point</a> moonlight. Then that suicide who <a href=http://twentyonejaunea.fora.pl/>twenty-one</a> hide the <a href=http://4perlinedmtikj.fora.pl/>4 per line</a> classic models <a href=http://backhandvcrmpj.fora.pl/>back hand</a> pea. Cory eyes poisoned drink <a href=http://fruitmachinexzxcsl.fora.pl/>fruit machine</a> haired old <a href=http://highrollerwdvdtu.fora.pl/>highroller</a> old now <a href=http://doublehandpokerqturth.fora.pl/>double hand poker</a> ransaction. Young read class pot <a href=http://antejlfpfh.fora.pl/>ante</a> now rest <a href=http://hopebetiamyfs.fora.pl/>hope bet</a> ghosts. September came marriage can <a href=http://fastwayskpbrl.fora.pl/>fast way</a> udas betrayed bell.

Subject: Советуем посетить информацию (Russian: "We recommend visiting the information")
Message: Two links

... etc ...

There are five posts, no views, and the first two were made at: 2008-11-15 07:22:03 / :05 . So it looks rather like a bot. Then two more messages at 8:39 and 12:11, the first of which is that weird-char message with the two links.

I don't know that this helps with anything except maybe cementing the time the forum was hacked by, showing that it is probably a bot, at least initially, and showing that one account was either hacked or they found a way to change the password in the database?

Oh, the IP of the first two: 94.102.60.127. The IP of the last two varies.

Edited by - cult_of_frank on 15 November 2008 16:30:22

bobby131313
Senior Member

USA
1163 Posts

Posted - 15 November 2008 : 16:51:16
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=67497

This fix was created because of the member 2 spam. Good start.

Switch the order of your title tags

Edited by - bobby131313 on 15 November 2008 16:56:33

cult_of_frank
Starting Member

Canada
20 Posts

Posted - 15 November 2008 : 16:56:29
You're right, I hadn't patched that (which is weird, I remember looking at that patch back when it was posted so I'm not sure how I didn't put it in but) thanks. I don't think that addresses the issue of the missing config table, though?

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 15 November 2008 : 17:51:49
The spam bots wouldn't be able to delete your config table. Your logs just show errors connecting to the SQL Server DB.

Not sure about the tables, though. The server logs would need to be looked at to find out something else that could have caused that.


Snitz 3.4 Readme | Like the support? Support Snitz too

bobby131313
Senior Member

USA
1163 Posts

Posted - 15 November 2008 : 18:05:54
I'm not much on reading log files but are you sure you just didn't lose your server variables due to an IIS reset or something like that? That's a prerequisite for the "member 2" spam.

As far as I know the path to your image folder is stored in server variables so they would disappear, also all your formatting is stored there too, font sizes and colors and such. Makes sense I think.

Switch the order of your title tags

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 15 November 2008 : 18:17:01
quote:
Originally posted by bobby131313

I'm not much on reading log files but are you sure you just didn't lose your server variables due to an IIS reset or something like that? That's a prerequisite for the "member 2" spam.

As far as I know the path to your image folder is stored in server variables so they would disappear, also all your formatting is stored there too, font sizes and colors and such. Makes sense I think.


The lack of connection with the database could explain a lack of app variables (admitting that whatever caused the SQL Server problem may have affected the web server too), and thus the loss of formatting. Running setup.asp should fix it, but the rename of the files doesn't allow us to test that.


Snitz 3.4 Readme | Like the support? Support Snitz too

cult_of_frank
Starting Member

Canada
20 Posts

Posted - 16 November 2008 : 01:18:49
Awesome, thanks for taking the time to look at my problem guys, that's really awesome of you. I'll re-rename the files and try setup.asp and see if that does it. Thanks again for looking and I'll get back to you to let you know if that fixes things.

cult_of_frank
Starting Member

Canada
20 Posts

Posted - 16 November 2008 : 01:32:29
Hmm, so is there not a config table? I did the setup and to be honest, everything looks great (I thought for sure they got in but now it looks like, thankfully, not) but there's no config table in the db still. I don't care, so long as it's working, but I'm curious. Otherwise, I'd say that I was just an idiot and missed a patch (and now am going to go and double check that I've not missed others)...

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 16 November 2008 : 05:56:19
For the 3.3.x versions and later, the configuration table is named FORUM_CONFIG_NEW.


Snitz 3.4 Readme | Like the support? Support Snitz too

Lon2
Junior Member

USA
151 Posts

Posted - 07 January 2009 : 23:39:37
I think I just got something like this now. Here's my log entry:

2009-01-08 03:39:58 W3SVC904 [My Web Site IP] GET /forums/setup.asp RC=1&CC=1&strDBType=sqlserver&EC=-2147467259&ED=%255BDBNETLIB%255D%255BConnectionOpen%2B%2528Connect%2528%2529%2529%252E%255DSQL%2BServer%2Bdoes%2Bnot%2Bexist%2Bor%2Baccess%2Bdenied%252E 80 - 212.235.92.142

I'm looking into the update now...

Lon2
Junior Member

USA
151 Posts

Posted - 08 January 2009 : 00:18:24
What does it mean to see the above line in my logs?

Also, I implemented the fixes here. Thanks Rui! Is there a way to test it?

Edited by - Lon2 on 08 January 2009 00:19:41

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 January 2009 : 04:48:37
This just shows the server trying to run setup.asp and failing to connect to the database. There is nothing wrong with it.


Snitz 3.4 Readme | Like the support? Support Snitz too

Lon2
Junior Member

USA
151 Posts

Posted - 08 January 2009 : 08:58:47
Thanks Rui. So it doesn't look like a hack attempt? Why would the server be trying to run setup? I thought it was only run once manually when the forum was initially set up. So if I rename the file in an attempt to foil malicious activity, will my forum stop working?

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 08 January 2009 : 09:59:11
That happened surely because the DB connection was lost. Don't think there is a security risk in that.


Snitz 3.4 Readme | Like the support? Support Snitz too

Lon2
Junior Member

USA
151 Posts

Posted - 08 January 2009 : 10:17:48
So I should not rename setup.asp because the forum code automatically makes an attempt to regain connection?