spreadpoems
New Member
52 Posts
Posted - 22 July 2013 : 17:58:27
Hi,
My snitz forum, Snitz Forums 2000 Version 3.4.06, was hacked.
I'm trying to figure out how it was done and how to prevent it and if I am at risk for further damage.
It appears that all the application level variables were reset or deleted. When I logged in all the images and colors were gone but the homepage was accessible. Navigation was impossible because all topic.asp and forum.asp pages resulted in Internal server errors. Luckily the admin pages were accessible and I was able to reset the Main Forum Configuration at admin_config_system.asp.
All of these were blank:
Forum's Title:
Forum's Copyright:
Title Image Location:
Home URL:
Forum URL:
Images Location:
Version info:
Authorization Type: DB: NT:
Set Cookie To:
However, once I reset those, everything started working correctly. Nothing on admin_config_features.asp had been changed.
Topic.asp resulted in an error at line 380:
rsReplies.cachesize = strPageSize
I checked Forum Variables Information by checking admin_variable_info.asp and strPageSize did not display and neither did most of the usual variables.
During the time before I caught the problem 235 new members were registered over a period from 2:00 AM until 11:00 AM. They were not added at one time. Here's an example from the database.
m_date: 20130722021050, 20130722021055, 20130722021514, 20130722021549, 20130722021801, 20130722021849, 20130722021854, 20130722022004, 20130722022027, 20130722022239, 20130722022614, 20130722022643, 20130722022735, 20130722022911
Now, I have the forum set up to require new members to validate their email address. Since I've required that, there has been very little spam and almost no Automated Spam. I don't think anyone created 235 members manually. So maybe doing what they did enabled them to add the members automatically without having to verify their email addresses?
Any ideas how this happened and what I can do to prevent it? What should I look for in the log file?
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 22 July 2013 : 19:51:32
From your description, it doesn't sound like you were hacked. Sounds like there was a server issue, which resulted in the forum's application variables not loading, resulting in spam bots being able to get in and register on your site.
All seems to point to a server problem during that time.
But I would encourage you to upgrade to the latest version, or at the very least, add the security fixes listed here: http://forum.snitz.com/forum/forum.asp?FORUM_ID=118
Support Snitz Forums
Edited by - Davio on 22 July 2013 23:17:46
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 22 July 2013 : 22:25:50
I agree with Davio, it seems your forum lost its app variables, opening the forum up to bot registration. For 3.4.07 we added a change to config.asp that had the goal of preventing a forum from running without app variables. If you can follow Davio's advice, that would be the best. If you just want to add the security fixes, I would also suggest you download a copy of 3.4.07 and perform a comparison between your current config.asp and the one for 3.4.07, updating your own file with the additions of the new version, to prevent this from reoccurring.
Snitz 3.4 Readme | Like the support? Support Snitz too
spreadpoems
New Member
52 Posts
Posted - 23 July 2013 : 12:47:24
Thanks Davio and ruirib, I agree with your assessment that it's a server issue. We just migrated to a new server less than a week ago so it's a likely culprit.
I will have to take a look and see what happened on that night, maybe there was downtime or the application pool was reset. Not even sure what I should be looking for?
I am subscribed to the security forum and apply all updates. Unfortunately, updating to 3.4.07 is not an option because of all the modifications.
I'm going to take a look at the new config.asp and see if I can add the additions to my current file.
Thanks!
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 23 July 2013 : 14:10:24
quote: Originally posted by spreadpoems
Thanks Davio and ruirib, I will have to take a look and see what happened on that night, maybe there was downtime or the application pool was reset. Not even sure what I should be looking for?
Not something you would be looking for, other than what you have experienced with your forum.
You would have to ask your hosting support if the server was restarted that day. Or if something else happened.
Support Snitz Forums
spreadpoems
New Member
52 Posts
Posted - 27 August 2013 : 13:56:59
I just had this happen again. Turns out my server was rebooted to install Windows Updates both last night and the day that I first posted this. I don't know why this is happening now every time the server is rebooted and not for the past 7 years. I am on a new server now.
quote: I agree with Davio, it seems your forum lost its app variables, opening the forum up to bot registration. For 3.4.07 we added a change to config.asp that had the goal of preventing a forum from running without app variables. If you can follow Davio's advice, that would be the best. If you just want to add the security fixes, I would also suggest you download a copy of 3.4.07 and perform a comparison between your current config.asp and the one for 3.4.07, updating your own file with the additions of the new version, to prevent this from reoccurring.
My question is, is this the code to add to config.asp from the newest snitz version to stop this from happening again?
Dim appVarsLoadError
appVarsLoadError = false
if blnLoadConfig then
    Application.Lock
    do while not rsConfig.EOF
        Application(strCookieURL & Trim(UCase(rsConfig("C_VARIABLE")))) = Trim(rsConfig("C_VALUE"))
        ' Check for errors loading the variables...
        If Err.Number <> 0 Then appVarsLoadError = true
        rsConfig.MoveNext
        ' Check again for errors, this time moving to the next record...
        If Err.Number <> 0 Then appVarsLoadError = true
    loop
    Application.UnLock
    rsConfig.close
    my_Conn.Close
    set my_Conn = nothing
    If Not(appVarsLoadError) Then
        Application.Lock
        Application(strCookieURL & "ConfigLoaded")= "YES"
        Application.UnLock
    Else
        Response.Write("Server Error: The Application variables are not loaded.")
        Response.End
    End If
end if
Thanks!
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 27 August 2013 : 14:36:35
If it is happening only when the server is rebooted, the fix posted in the thread linked should work. I can't say if it's this code alone, tbh.
You can also post a link to a text version of your config.asp and I will try to fix it.
Snitz 3.4 Readme | Like the support? Support Snitz too
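
Added example (not part of the thread and not Snitz code): a Python check for the pattern the thread arrives at, a burst of member registrations that starts shortly after a server restart. The m_date values are the ones quoted in the first post; the ordinary sign-ups, the restart time, the thresholds and the YYYYMMDDHHMMSS reading of m_date are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# m_date values quoted in the first post (format YYYYMMDDHHMMSS, inferred from them).
BURST = ("20130722021050 20130722021055 20130722021514 20130722021549 "
         "20130722021801 20130722021849 20130722021854 20130722022004 "
         "20130722022027 20130722022239 20130722022614 20130722022643 "
         "20130722022735 20130722022911").split()
# Constructed for illustration: ordinary sign-ups and a restart time (not from the thread).
NORMAL = ["20130715093012", "20130718201544", "20130720110305"]
RESTARTS = ["20130722015500"]

def parse(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")

def find_bursts(stamps, max_gap=timedelta(minutes=10), min_size=5):
    """Group sign-ups no more than max_gap apart; keep groups of at least min_size."""
    bursts, current = [], []
    for t in sorted(parse(s) for s in stamps):
        if current and t - current[-1] > max_gap:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(t)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts

def bursts_after_restart(stamps, restarts, window=timedelta(hours=1)):
    """Return (restart, first, last, count) for each burst that starts within
    `window` after a restart, i.e. while the forum may have run unconfigured."""
    restart_times = sorted(parse(r) for r in restarts)
    hits = []
    for burst in find_bursts(stamps):
        for r in restart_times:
            if timedelta(0) <= burst[0] - r <= window:
                hits.append((r, burst[0], burst[-1], len(burst)))
                break
    return hits

if __name__ == "__main__":
    for r, first, last, n in bursts_after_restart(NORMAL + BURST, RESTARTS):
        print(f"restart {r}: {n} sign-ups between {first} and {last}")
```

Restart times would come from the hosting provider, as suggested in the thread; any burst the function reports marks accounts worth reviewing for missing email validation.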