cult_of_frank
Starting Member
Canada
20 Posts
Posted - 15 November 2008 : 15:32:14
Hi again. I'm running the latest version of Snitz with all the updates and patches, I'm subscribed to the security forum, and as far as mods go, I have a running news-ticker at the top of my active and default forum pages (which doesn't take any outside input) and a customized search for MSSQL by the fine folks here.
The site, for reference: http://forum.frankblack.net
Anyway, I was just on my forum last night and all was well, but this morning, everything is crazy. Most of the images aren't loading and there's no means of logging in or anything.
It looks like none of the files have been modified (though I did see in config.asp that the admin was pointing to a non-existing user account which may have been a leftover from a previous attack), so I naturally looked in the database. There's no config table though I do have a table called config_new which I can't remember if _I_ created (the info looks valid in there).
Anyway, before I go and recreate the config table, I wanted to get to the bottom of how exactly I was hacked anyway since, well, if I just copy the config across, there's nothing to stop it from happening again.
So I went log browsing, but I already am over my head. Still, it seems like pop_profile, post, default, and topic.asp are the targets.
The first error I find looks like this:
GET /pop_profile.asp mode=display&id=8225|137|80004005|[DBNETLIB][ConnectionWrite_(send()).]General_network_error._Check_your_network_documentation. 80 - 201.92.21.214 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+.NET+CLR+2.0.50727) %2FGROUP=2;+ASPSESSIONIDACCSQBSS=PENHEAEDIOOBDHDFCBPHIBPA http://forum.frankblack.net/topic.asp?ARCHIVE=true&TOPIC_ID=11444 forum.frankblack.net 500 0 64 0 588 21422
They go through pop_profile, topic, and post, where they try ConnectionWrite(Connect()) and receive a SQL_Server does not exist. Then they hammer at that a bit and eventually try something with setup.asp and default.asp:
GET /setup.asp RC=1&CC=1&strDBType=sqlserver&EC=-2147467259&ED=%5BDBNETLIB%5D%5BConnectionOpen+%28Connect%28%29%29%2E%5DSQL+Server+does+not+exist+or+access+denied%2E 80 -
Eventually, they do this. I don't think it's a success, but it looks like they're getting SQL to do things:
GET /topic.asp whichpage=-1&TOPIC_ID=19336&REPLY_ID=446006|231|800a000b|Division_by_zero 80 - 72.30.78.236 HTTP/1.0 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) - - forum.frankblack.net 500 0 0 5653 261 265
... and then this:
GET /post.asp method=ReplyQuote&REPLY_ID=448569&TOPIC_ID=20461&FORUM_ID=1|1422|80040e14|Incorrect_syntax_near_the_keyword_'SELECT'. 80 - 65.55.210.222 HTTP/1.1 msnbot/1.1+(+http://search.msn.com/msnbot.htm) - - forum.frankblack.net 500 0 0 12506 342 406
... and so on. I've now renamed most of the files because I can't tell if they're still trying to do things, and I've put up a copy of the log here (I've taken out most of the initial business-as-usual pre-attack stuff, though I left some of it in for reference and in case I missed something):
http://www.frankblack.net/ouch.log
Any assistance is extremely appreciated.
cult_of_frank
Starting Member
Canada
20 Posts
Posted - 15 November 2008 : 16:28:42
I was looking through the replies database, nothing there. In the TOPICS table, the last three posts belong to a user I created to prevent anyone from actually using that username (i.e. this account was hacked). UserID = 2.
Posts:
Sub: Helen never next king later time foods. Msg: MESSAGE
Sub: Helen never next king later time foods. Msg: Prince agree indication that <a href=http://bonusroundtulzfc.fora.pl/>bonus round</a> are over <a href=http://threeofakindrhcrxc.fora.pl/>three of a kind</a> journey. Beetle protested age when <a href=http://fourofakinderkeld.fora.pl/>four of a kind</a> tune must <a href=http://deuceswildzoqfed.fora.pl/>deuces wild</a> identified the <a href=http://gamblingquyvbw.fora.pl/>gambling</a> treasurer. Twenty minutes antagonize almost <a href=http://dontcomebetccsmgw.fora.pl/>don't come bet</a> require sympathy <a href=http://comepointymtila.fora.pl/>come point</a> moonlight. Then that suicide who <a href=http://twentyonejaunea.fora.pl/>twenty-one</a> hide the <a href=http://4perlinedmtikj.fora.pl/>4 per line</a> classic models <a href=http://backhandvcrmpj.fora.pl/>back hand</a> pea. Cory eyes poisoned drink <a href=http://fruitmachinexzxcsl.fora.pl/>fruit machine</a> haired old <a href=http://highrollerwdvdtu.fora.pl/>highroller</a> old now <a href=http://doublehandpokerqturth.fora.pl/>double hand poker</a> ransaction. Young read class pot <a href=http://antejlfpfh.fora.pl/>ante</a> now rest <a href=http://hopebetiamyfs.fora.pl/>hope bet</a> ghosts. September came marriage can <a href=http://fastwayskpbrl.fora.pl/>fast way</a> udas betrayed bell.
Subject: We advise you to check out the information. Message: Two links
... etc ...
There are five posts, no views, and the first two were made at: 2008-11-15 07:22:03 / :05 . So it looks rather like a bot. Then two more messages at 8:39 and 12:11, the first of which is that weird-char message with the two links.
I don't know that this helps with anything except maybe cementing the time the forum was hacked by, showing that it is probably a bot, at least initially, and showing that one account was either hacked or they found a way to change the password in the database?
Oh, the IP of the first two: 94.102.60.127. The IP of the last two varies.
Edited by - cult_of_frank on 15 November 2008 16:30:22
bobby131313
Senior Member
USA
1163 Posts
cult_of_frank
Starting Member
Canada
20 Posts
Posted - 15 November 2008 : 16:56:29
You're right, I hadn't patched that (which is weird, I remember looking at that patch back when it was posted, so I'm not sure how I didn't put it in, but) thanks. I don't think that addresses the issue of the missing config table, though?
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 15 November 2008 : 17:51:49
The spam bots wouldn't be able to delete your config table. Your logs just show errors connecting to the SQL Server DB.
Not sure about the tables, though. The server logs would need to be looked at to find out something else that could have caused that.
Snitz 3.4 Readme | Like the support? Support Snitz too
bobby131313
Senior Member
USA
1163 Posts
Posted - 15 November 2008 : 18:05:54
I'm not much on reading log files but are you sure you just didn't lose your server variables due to an IIS reset or something like that? That's a prerequisite for the "member 2" spam.
As far as I know the path to your image folder is stored in server variables, so they would disappear; also all your formatting is stored there too, font sizes and colors and such. Makes sense I think.
Switch the order of your title tags
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 15 November 2008 : 18:17:01
quote: Originally posted by bobby131313
I'm not much on reading log files but are you sure you just didn't lose your server variables due to an IIS reset or something like that? That's a prerequisite for the "member 2" spam.
As far as I know the path to your image folder is stored in server variables so they would disappear, also all your formatting is stored there too, font sizes and colors and such. Makes sense I think.
The lack of connection with the database could explain a lack of app variables (admitting that whatever caused the SQL Server problem may have affected the web server too), and thus the loss of formatting. Running setup.asp should fix it, but the rename of the files doesn't allow us to test that.
Snitz 3.4 Readme | Like the support? Support Snitz too
cult_of_frank
Starting Member
Canada
20 Posts
Posted - 16 November 2008 : 01:18:49
Awesome, thanks for taking the time to look at my problem guys, that's really awesome of you. I'll re-rename the files and try setup.asp and see if that does it. Thanks again for looking and I'll get back to you to let you know if that fixes things.
cult_of_frank
Starting Member
Canada
20 Posts
Posted - 16 November 2008 : 01:32:29
Hmm, so is there not a config table? I did the setup and to be honest, everything looks great (I thought for sure they got in but now it looks like, thankfully, not), but there's no config table in the db still. I don't care, so long as it's working, but I'm curious. Otherwise, I'd say that I was just an idiot and missed a patch (and now am going to go and double check that I've not missed others)...
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Lon2
Junior Member
USA
151 Posts
Posted - 07 January 2009 : 23:39:37
I think I just got something like this now. Here's my log entry:
2009-01-08 03:39:58 W3SVC904 [My Web Site IP] GET /forums/setup.asp RC=1&CC=1&strDBType=sqlserver&EC=-2147467259&ED=%255BDBNETLIB%255D%255BConnectionOpen%2B%2528Connect%2528%2529%2529%252E%255DSQL%2BServer%2Bdoes%2Bnot%2Bexist%2Bor%2Baccess%2Bdenied%252E 80 - 212.235.92.142
I'm looking into the update now...
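Added example (my own Python, not Snitz code and not anything the posters ran) that reads the kind of trimmed IIS W3C log lines quoted in the first post and in Lon2's post above and sorts them into the cases this thread tells apart: the classic-ASP error tail that IIS appends to cs-uri-query on a 500 (driver code 80004005/DBNETLIB for a lost SQL Server connection; 80040e14 for a SQL syntax error, which means request data reached a statement unsanitised), and the setup.asp requests whose EC parameter carries the failed connection's error code. It assumes the default W3C field order with the leading date/time/site columns trimmed as in the quoted lines; the sample lines are constructed from the thread's, with the status and byte columns of the two setup.asp lines filled in as assumed values, and the per-IP grouping is my addition.

```python
"""Triage of classic-ASP error tails in IIS W3C log lines (added example, not Snitz code)."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, unquote_plus

# Constructed sample lines modelled on the ones quoted in this thread. The posters
# trimmed the leading date/time/site columns, so the fields assumed here are:
#   cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version
#   cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus
#   sc-win32-status sc-bytes cs-bytes time-taken
# The quoted setup.asp lines stop after "80 -", so their remaining columns are
# filled in here with assumed values.
SAMPLE_LOG = """\
GET /pop_profile.asp mode=display&id=8225|137|80004005|[DBNETLIB][ConnectionWrite_(send()).]General_network_error._Check_your_network_documentation. 80 - 201.92.21.214 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) - http://forum.frankblack.net/topic.asp?ARCHIVE=true&TOPIC_ID=11444 forum.frankblack.net 500 0 64 0 588 21422
GET /setup.asp RC=1&CC=1&strDBType=sqlserver&EC=-2147467259&ED=%5BDBNETLIB%5D%5BConnectionOpen+%28Connect%28%29%29%2E%5DSQL+Server+does+not+exist+or+access+denied%2E 80 - 201.92.21.214 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) - - forum.frankblack.net 200 0 0 4120 600 15
GET /topic.asp whichpage=-1&TOPIC_ID=19336&REPLY_ID=446006|231|800a000b|Division_by_zero 80 - 72.30.78.236 HTTP/1.0 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) - - forum.frankblack.net 500 0 0 5653 261 265
GET /post.asp method=ReplyQuote&REPLY_ID=448569&TOPIC_ID=20461&FORUM_ID=1|1422|80040e14|Incorrect_syntax_near_the_keyword_'SELECT'. 80 - 65.55.210.222 HTTP/1.1 msnbot/1.1+(+http://search.msn.com/msnbot.htm) - - forum.frankblack.net 500 0 0 12506 342 406
GET /forums/setup.asp RC=1&CC=1&strDBType=sqlserver&EC=-2147467259&ED=%255BDBNETLIB%255D%255BConnectionOpen%2B%2528Connect%2528%2529%2529%252E%255DSQL%2BServer%2Bdoes%2Bnot%2Bexist%2Bor%2Baccess%2Bdenied%252E 80 - 212.235.92.142 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - - forum.frankblack.net 200 0 0 3980 610 12
"""

# Classic ASP records a 500 by appending "|line|errorcode|description" to the
# cs-uri-query column; that is where the "|137|80004005|..." tails come from.
ASP_ERROR_RE = re.compile(
    r"^(?P<query>[^|]*)\|(?P<line>\d+)\|(?P<code>[0-9a-fA-F]{8})\|(?P<desc>.*)$")

# Decimal form of HRESULT 0x80004005 (E_FAIL) read as a signed 32-bit int; the
# forum's own redirect to setup.asp carries the failed connection's code in EC.
E_FAIL_DECIMAL = "-2147467259"


def parse_line(raw):
    """Split one trimmed W3C line into the fields used below, or None if too short."""
    f = raw.split()
    if len(f) < 17:
        return None
    rec = {"method": f[0], "stem": f[1], "query": f[2], "client_ip": f[5],
           "user_agent": f[7], "status": int(f[11]), "asp_error": None}
    m = ASP_ERROR_RE.match(rec["query"])
    if m:
        rec["query"] = m.group("query")
        rec["asp_error"] = {"line": int(m.group("line")),
                            "code": m.group("code").lower(),
                            "desc": m.group("desc").replace("_", " ")}
    return rec


def decode_until_stable(value, limit=5):
    """Percent-decode repeatedly (bounded) so a double-encoded value reads the same
    as a single-encoded one; stops as soon as a pass changes nothing."""
    for _ in range(limit):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def setup_error_message(rec):
    """Human-readable ED parameter of a setup.asp request, or None."""
    if rec is None or not rec["stem"].lower().endswith("setup.asp"):
        return None
    ed = parse_qs(rec["query"]).get("ED")
    return decode_until_stable(ed[0]) if ed else None


def classify(rec):
    """Tag one record with the case it belongs to, from the defender's side."""
    err = rec["asp_error"]
    if err:
        if err["code"] == "80040e14":
            # SQL syntax error from the DB driver: request data reached a SQL
            # statement unsanitised; the script and line number say where to look.
            return "sql-syntax-error"
        if err["code"] == "80004005" or "DBNETLIB" in err["desc"]:
            return "db-connectivity"  # transport/login failure, not by itself an attack
        return "asp-error"
    if rec["stem"].lower().endswith("setup.asp"):
        ec = parse_qs(rec["query"]).get("EC", [""])[0]
        if ec == E_FAIL_DECIMAL:
            return "setup-redirect-after-db-failure"
        return "setup-direct-request"  # a setup.asp hit with no failure code attached
    return "server-error" if rec["status"] >= 500 else "ok"


def triage(log_text):
    """Count the tags and list them per client IP, so crawler-driven 500s and a
    single source repeatedly landing on setup.asp stand out at a glance."""
    tags, by_ip = Counter(), defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        tag = classify(rec)
        tags[tag] += 1
        by_ip[rec["client_ip"]].append(tag)
    return tags, dict(by_ip)


if __name__ == "__main__":
    counts, per_ip = triage(SAMPLE_LOG)
    for tag, n in counts.most_common():
        print(f"{n:3d}  {tag}")
    for ip, seen in per_ip.items():
        print(ip, "->", ", ".join(seen))
    for raw in SAMPLE_LOG.splitlines():
        msg = setup_error_message(parse_line(raw))
        if msg:
            print("setup.asp ED:", msg)
```

EC=-2147467259 is 0x80004005 (E_FAIL) read as a signed 32-bit integer, the same code the DBNETLIB tails report, and the bounded decoder brings Lon2's double-encoded ED back to exactly the text of the first post's single-encoded one: the forum itself put the failed-connection message into that redirect, which fits what Lon2's last question paraphrases about the forum code retrying the connection through setup.asp. The decoding stops once a pass changes nothing rather than looping a fixed number of times, because a legitimate literal "%25" in input would otherwise keep changing. Of the tags, the 80040e14 lines are the ones to read in the named script at the logged line number.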
Lon2
Junior Member
USA
151 Posts
Posted - 08 January 2009 : 00:18:24
What does it mean to see the above line in my logs?
Also, I implemented the fixes here. Thanks Rui! Is there a way to test it?
Edited by - Lon2 on 08 January 2009 00:19:41
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Lon2
Junior Member
USA
151 Posts
Posted - 08 January 2009 : 08:58:47
Thanks Rui. So it doesn't look like a hack attempt? Why would the server be trying to run setup? I thought it was only run once manually when the forum was initially set up. So if I rename the file in an attempt to foil malicious activity, will my forum stop working?
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Lon2
Junior Member
USA
151 Posts
Posted - 08 January 2009 : 10:17:48
So I should not rename setup.asp because the forum code automatically makes an attempt to regain connection?