C2K
New Member

USA
73 Posts |
Posted - 07 May 2010 : 20:48:21
|
Good evening folks, I'm wondering if you can offer some advice.
I run the website Coasters2K (http://www.coasters2k.com) using this awesome forum (v3.4.06), and well lately we've had an issue that we just cannot seem to figure out where it is coming from. What we are seeing is someone hacking random user accounts and posting, well, whatever they'd like to the forums. They usually post about 15-25 random things (ads, links, etc.), and then disappear without a trace. I've tried looking through the forum files for things that look out of place and we even did a complete reload of the forum and still the threads appear, randomly. So, we clear them off and go back to the drawing board ... but well ... it never seems to end. It appeared out of nowhere and to be honest, I know I've kept up with the security updates religiously so I'm a bit lost on this one.
Any suggestions as to where to look to maybe rectify this? Thanks much for your help in advance.
TJ
|
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
C2K
New Member

USA
73 Posts |
Posted - 07 May 2010 : 21:05:17
|
Thanks ruirib. I added the fix in and now we'll play the waiting game.
Another thing I was told about (moments ago) was adding something like this to the inc_header.asp page:
if instr(request.querystring,";")>0 or instr(lcase(request.querystring),"declare") >0 or instr(lcase(request.querystring),"cast")>0 then Response.End
Also, call me dumb I can take it -- but what does it mean if the forum lost app variables?
|
Edited by - C2K on 07 May 2010 21:20:52 |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 07 May 2010 : 21:57:30
|
I can't rule out you being hacked, but if it was a hack, I think you'd see parts or the whole forum destroyed, or your site offering malware payloads to its visitors. I would bet that the issue you faced was the variables thing.
A forum that loses variables would look weird graphically. All it needs is a few secs of variables lost for bots to get in. It happened here, which led us to get the fix you now see.
You are using SQL Server? |
Snitz 3.4 Readme | Like the support? Support Snitz too |
 |
|
C2K
New Member

USA
73 Posts |
Posted - 08 May 2010 : 10:39:48
|
Yes indeed, it is SQL running on a 2008 platform. I think we may have fixed it with your fix plus the other item -- minus of course the knuckleheads simply registering now and posting junk as 'new members'. Man, it just never ends, does it?
|
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 08 May 2010 : 12:02:12
|
The other item is unneeded, if your forum version has all the security fixes in place. As I told you, I don't really believe a hacker would be happy just to post spam. As things look like now, I think it wasn't a hacker at all. |
 |
|
C2K
New Member

USA
73 Posts |
Posted - 08 May 2010 : 14:44:21
|
I agree that hacking just to post is a waste of time. What is odd though, is that the person was taking over accounts of other members. That is, suddenly there was a flood of posts by a member(s) who've been with the site since its inception. When I'd lock that account to stop it, another account would be used and the posts would continue.
|
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 08 May 2010 : 14:56:17
|
That's because of the loss of the app variables. The effect of that loss was such as to cause the posts to be made as if done by legitimate members. It was a bug, that we corrected with the fix you have now applied. |
 |
|
C2K
New Member

USA
73 Posts |
Posted - 08 May 2010 : 15:29:43
|
Well, all I can say is thank you SO much for taking the time to walk me through it. I really appreciate you guys.
TJ
|
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 08 May 2010 : 17:36:06
|
You're welcome, that's what we are here for.
P.S.: Just wanted to say that no user accounts were being taken over. The bot (almost certain this was a bot) was posting, while leaving blank the username and password, and the lack of app variables resulted in the code returning a member's id as the poster's id. At no time does this allow access to the user account (like getting into the profile or anything). If the Snitz code didn't allow for non-logged-in posting, this would have no chance of occurring, even with app variables being lost. |
 |
|
C2K
New Member

USA
73 Posts |
Posted - 08 May 2010 : 20:14:03
|
So, I'm guessing that was the fix then .... to not allow for non-logged in posting? |
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
|
C2K
New Member

USA
73 Posts |
Posted - 08 May 2010 : 20:37:42
|
Ahhhh, ok, gotcha. Little by little I'll figure this stuff out! |
 |
|
marjie
Starting Member
United Kingdom
2 Posts |
Posted - 29 May 2010 : 19:56:40
|
quote: Originally posted by ruirib
The other item is unneeded, if your forum version has all the security fixes in place. As I told you, I don't really believe a hacker would be happy just to post spam. As things look like now, I think it wasn't a hacker at all.
|
 |
|