Shaggy
Support Moderator
    
Ireland
6780 Posts |
Posted - 23 January 2009 : 04:17:59
|
I've had a look in your logs at the times those users "registered" but can find nothing untoward in them - actually, for most of the times, I can find no log entries at all. Of course, if they're adding fake IP addresses to the database, they could well be spoofing M_DATE as well. Perhaps, if Rui's still keeping up with this topic, he can give them a second look for you.
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 23 January 2009 : 04:32:18
|
Shaggy,
My findings are similar, but I'm admitting that there is a time difference between the database times and the server time and maybe that would allow us to determine whether the records were added through the web interface. If not, then there is some other security issue here at stake.
Snitz 3.4 Readme | Like the support? Support Snitz too |
 |
|
Shaggy
Support Moderator
    
Ireland
6780 Posts |
Posted - 23 January 2009 : 05:20:01
|
quote: Originally posted by ruirib ... there is a time difference between the database times and the server time and maybe that would allow us to determine whether the records were added through the web interface.
Even taking that into account I couldn't spot anything.
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 23 January 2009 : 05:42:02
|
quote: Originally posted by Shaggy
quote: Originally posted by ruirib ... there is a time difference between the database times and the server time and maybe that would allow us to determine whether the records were added through the web interface.
Even taking that into account I couldn't spot anything.
I'm basically trying to determine whether the registrations were made via the web server or not. If they were, we should see the normal policy.asp and register.asp involved.
 |
|
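The check discussed in the posts above (do the suspect member rows line up with policy.asp/register.asp requests once the clock difference is allowed for?) can be scripted; this is an added example, not part of any post in the thread and not Snitz code. It assumes M_DATE is stored as a `YYYYMMDDHHMMSS` string and that the web server writes IIS W3C extended logs; the log lines, member rows, `/forum/` path and 5-hour offset are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C extended log excerpt (sample data, not from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-01-22 09:14:02 203.0.113.7 GET /forum/policy.asp 200
2009-01-22 09:14:31 203.0.113.7 POST /forum/register.asp 200
2009-01-22 11:40:10 198.51.100.9 GET /forum/default.asp 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def correlate(members, log_text, db_offset=timedelta(0), window=timedelta(minutes=5)):
    """Map member name -> register.asp POSTs near its M_DATE.

    db_offset is (database clock - web log clock). An empty list means the row
    has no matching web request and may have been written some other way.
    """
    posts = [r for r in parse_w3c(log_text)
             if r["cs-method"] == "POST"
             and r["cs-uri-stem"].lower().endswith("/register.asp")]
    result = {}
    for name, m_date in members.items():
        # Assumed M_DATE layout: YYYYMMDDHHMMSS, shifted onto the log's clock.
        when = datetime.strptime(m_date, "%Y%m%d%H%M%S") - db_offset
        result[name] = [(r["ts"], r["c-ip"]) for r in posts
                        if abs(r["ts"] - when) <= window]
    return result

# Constructed member rows: name -> M_DATE, database clock 5 h behind the log.
MEMBERS = {"web_user": "20090122041440", "ghost_user": "20090122063000"}

if __name__ == "__main__":
    hits = correlate(MEMBERS, SAMPLE_LOG, db_offset=timedelta(hours=-5))
    for name, found in hits.items():
        print(name, found or "no register.asp POST in window")
```

A row with no nearby POST is only a lead: missing or rotated logs produce the same result, so confirm log coverage for the period before concluding the row bypassed the web interface.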
Carefree
Advanced Member
    
Philippines
4222 Posts |
|
barrynet
Starting Member
36 Posts |
Posted - 23 January 2009 : 09:25:17
|
quote: Originally posted by Carefree
quote: Originally posted by barrynet It's still happening http://www.nwsca.com/snitz_docs/Albania_jan22_2009.jpg
Did you add in that country routine (specifically for Albania) from my last post above before these registrations occurred?
No I only added the duplicate name check. I tested that well and it works. The new Albania ones have the same first and last name and were not caught. They did not show up in pending either. I will add the country code today but since the duplicate names were not caught I bet the country is not either.
I am way out of my knowledge base with how this can happen outside the script. Perhaps I should reload all the 3.0.6 modules from a clean copy of Snitz and see if that helps. I could rename the database at the same time.
cheers
Barry
 |
|
Shaggy
Support Moderator
    
Ireland
6780 Posts |
Posted - 23 January 2009 : 09:50:08
|
quote: Originally posted by barrynet Perhaps I should reload all the 3.0.6 modules from a clean copy of Snitz and see if that helps.
That may not help if they're not coming through the forums.
quote: I could rename the database at the same time.
That could rule out a couple of possibilities. I always recommend changing the name of an Access database to a string of random characters with a .asp extension - rather than .mdb - and storing it, if possible, in a directory outside your root directory. Of course, whatever changes you make to the name and location of the database will need to be reflected in your connection string in config.asp.
 |
|
barrynet
Starting Member
36 Posts |
Posted - 23 January 2009 : 10:33:31
|
I was really really hoping something would turn up in the database.
Carefree - the country/name code works fine and it is now "live"
Shaggy - The database is not the default name but it is the standard mdb extension. It is not in the HTML public area, it's in a special Dir set up by my hosting service for this purpose. I was not aware I could change the database extension. I am going to set up a duplicate script/database for test purposes. Will do this tonight.
Thanks to all.
cheers
Barry
 |
|
Shaggy
Support Moderator
    
Ireland
6780 Posts |
Posted - 23 January 2009 : 12:34:44
|
OK, well that rules out that possibility!
If your *.mdb already sits outside your root directory then there's no real need to change the extension; that tip is mainly for people who can only upload files to their root directory and means that if some ne'er-do-well actually happens to guess the location of the database, the server will process it as an ASP page and spit out a load of gibberish.
 |
|
barrynet
Starting Member
36 Posts |
Posted - 23 January 2009 : 22:13:22
|
quote: Originally posted by Shaggy
OK, well that rules out that possibility!
If your *.mdb already sits outside your root directory then there's no real need to change the extension; that tip is mainly for people who can only upload files to their root directory and means that if some ne'er-do-well actually happens to guess the location of the database, the server will process it as an ASP page and spit out a load of gibberish.
At this point I am playing long shots. I created a parallel test board, it is using all the original modules from a fresh download from Snitz. I did copy the config.asp across and the database is also the same one with a very different name and extension. I will wait a couple of days and see if it's "discovered".
cheers
Barry
Edited by - barrynet on 23 January 2009 22:15:10 |
 |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 23 January 2009 : 23:19:45
|
Not quite the best test. I run three different forums, one is under constant barrage, one gets the occasional attempt, and one has remained untouched since it launched. All are running the same code base. Go figure.
 |
|
barrynet
Starting Member
36 Posts |
Posted - 24 January 2009 : 17:02:35
|
quote: Originally posted by AnonJr
Not quite the best test. I run three different forums, one is under constant barrage, one gets the occasional attempt, and one has remained untouched since it launched. All are running the same code base. Go figure.
How are you being attacked? If it's the same way I am then this is not a new security problem for Snitz.
I wonder if the order of the Database or Forum Dir has anything to do with the frequency of attack. 1st one found in the server script or database dir is the one that they mess with.
cheers
Barry
 |
|
AnonJr
Moderator
    
United States
5768 Posts |
Posted - 24 January 2009 : 21:11:00
|
All of the forums run in the root, not a "forum" directory. They are bots running through register.asp. Changing some of the rules like requiring a birthday, then later requiring the gender, all temporarily stopped them until the dolt running the system adjusted it. Setting "Restrict Registration" to "On" and manually processing registration - while a PITA - has kept them from spamming the forum. I just need to periodically clean out the pending registrations.
 |
|