webshorts
New Member
USA
96 Posts
Posted - 20 May 2001 : 09:21:51
I'm honestly not sure if this is the right spot for this, but I had a major hack on my forum last night. The live forum has been shut down temporarily, and you can find the full forum at http://www.dhtmlshock.com/test_forum .
The malicious user somehow got into the admin area of the site, added a new category and forum, changed my logo to link to thechurchofsatan.com, locked out my admin password and changed my profile.
I'm running the forum on win2k advanced server with SP2 installed (so it has all the security hotfixes installed). My only guess is that he got in through a vulnerability in the forum.
He didn't leave any clues as to his identity, and unfortunately I didn't have IP logging turned on so I don't know where he came from.
Are there any known vulnerabilities that I should know about? I'd love to get my forum up and running again, but this has left a sour taste in my mouth.
Thanks,
Daniel Short Chief Designer, Web Shorts Site Design
Free DHTML at DHTMLShock.com JavaScript and DHTML forum, powered by Snitz
TommyBALL
Starting Member
Norway
20 Posts
Posted - 20 May 2001 : 10:48:36
quote:
I'm running the forum on win2k advanced server with SP2 installed (so it has all the security hotfixes installed).
WRONG! SP2 does NOT include all the security hotfixes. There are several fixes that were not included (because SP2 went into beta sometime before Xmas, and at some point they "froze" the code).
You have to go through all hotfixes released since February 2001, and see if they state that they will be included in SP2. Several of them state that they will not be included until SP3.
I know the following fixes were NOT included in SP2:
- Microsoft Security Bulletin MS01-007 - Network DDE Agent Requests can Enable Code to run in System Context
- Microsoft Security Bulletin MS01-011 - Malformed Request to Domain Controller can Cause CPU Exhaustion
- Microsoft Security Bulletin MS01-013 - Windows 2000 Event Viewer Contains Unchecked Buffer
- Microsoft Security Bulletin MS01-014 - Malformed URL can Cause Service Failure in IIS 5.0 and Exchange 2000
Now, check for yourself... :) http://www.microsoft.com/technet/security/current.asp
Besides, installing all these fixes won't help you a bit if you haven't set things up right in the first place. Here is a document to help you on the way.
http://www.microsoft.com/technet/security/iis5chk.asp
Regards - TommyBALL
Edited by - TommyBALL on 20 May 2001 10:55:01
work mule
Senior Member
USA
1358 Posts
Posted - 20 May 2001 : 13:11:21
quote:
The malicious user somehow got into the admin area of the site, added a new category and forum, changed my logo to link the thechurchofsatan.com, locked out my admin password and changed my profile.
...
Are there any known vulnerabilities that I should know about? I'd love to get my forum up and running again, but this has left a sour taste in my mouth.
My guess is that the person either got to the database or somehow accessed the admin pages. By chance do you have access to your server logs? That would probably provide you clues as to when and how!! An IP address could also be found there; whether or not it's the true IP of the person is another question.
"Do not go where the path may lead, go instead where there is no path and leave a trail." -Ralph Waldo Emerson
webshorts
New Member
USA
96 Posts
Posted - 20 May 2001 : 20:00:01
I have all the hot fixes installed. I installed those along with SP2 (sorry I didn't make myself clearer :-).
I'm assuming that they were only able to get to the admin pages of the forum because they didn't change any of the database options for my main site (http://www.dhtmlshock.com ), which is part of the same SQL database but has to be accessed through a separate admin area. I'm pretty sure they would have defaced the main site if they could have hit the rest of the database (a news entry on the main page saying I had been hacked would have been an obvious tactic).
I've been digging through my server logs and, unfortunately, have been unable to find anything. Are there any known security vulnerabilities for Snitz? My guess is the user typed a SQL string into the username and password fields to gain access.
Daniel Short Chief Designer, Web Shorts Site Design
Free DHTML at DHTMLShock.com JavaScript and DHTML forum, powered by Snitz
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 20 May 2001 : 20:14:47
quote:
My guess is the user typed a sql string into the username and password field to gain access.
Why do you think they would be able to do this?
The user name and password are strings, and are therefore wrapped in single quotes before being passed or checked against the DB; you could put whatever you wanted in the boxes, it would not be able to execute it, and would just refuse to log you in.
If they got access to your config.asp, or another file with a db connection, they would have been able to get hold of your login info. They may have just attacked Snitz because they knew where to look, but didn't know what your other tables were for.
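The login-form injection the two previous posts are arguing about, as an added example that is not code from this thread or from Snitz. It puts three versions of the same login check side by side: one that wraps the two form fields in single quotes and concatenates them into the SQL text, one that first doubles any single quote in the input (the usual classic-ASP habit), and one that uses a parameterised query. The members table, the credentials and the attacker input are all constructed for the demo; the point is what the database engine sees when a field value itself contains a single quote.

```python
import sqlite3


def make_db():
    """Constructed demo table (not the Snitz schema): one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def build_login_sql(username, password):
    """The pattern under discussion: both values wrapped in single quotes and
    concatenated straight into the statement text."""
    return ("SELECT name FROM members WHERE name = '" + username
            + "' AND password = '" + password + "'")


def login_concat(conn, username, password):
    """Quotes only. A quote inside the value ends the literal early."""
    row = conn.execute(build_login_sql(username, password)).fetchone()
    return row[0] if row else None


def login_escaped(conn, username, password):
    """Quotes plus doubling of embedded single quotes before concatenation.
    This stops the quote-breakout shown below; it is still string building,
    and non-string fields (numbers, dates) get no protection from it."""
    esc = lambda s: s.replace("'", "''")
    row = conn.execute(build_login_sql(esc(username), esc(password))).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote in a value is data, never syntax."""
    row = conn.execute(
        "SELECT name FROM members WHERE name = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run all three checks against a constructed attacker input and against
    the real credentials; returns the outcomes for comparison."""
    conn = make_db()
    # Constructed payload: closes the name literal, then '--' comments out the
    # rest of the line, so the password test never reaches the engine.
    bad_user, bad_pass = "admin'--", "anything"
    return {
        "sql_seen_by_db": build_login_sql(bad_user, bad_pass),
        "concat": login_concat(conn, bad_user, bad_pass),
        "escaped": login_escaped(conn, bad_user, bad_pass),
        "param": login_param(conn, bad_user, bad_pass),
        "concat_good": login_concat(conn, "admin", "s3cret"),
        "escaped_good": login_escaped(conn, "admin", "s3cret"),
        "param_good": login_param(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The `sql_seen_by_db` entry shows why the single quotes around the field alone do not settle the question: the statement the engine receives is `... WHERE name = 'admin'--' AND password = 'anything'`, and everything after `--` is a comment. Whether a given forum's code is exposed depends on how its query is actually built, which this thread does not show.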
tilttek
Junior Member
Canada
333 Posts
Posted - 22 May 2001 : 09:08:58
quote:
Why do you think they would be able to do this ?
Maybe they just ran the setup or something like this. Like the problem you had. If he changed the admin user, it may have created a new one.
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com
dkerns
Starting Member
14 Posts
Posted - 22 May 2001 : 16:52:03
That raises an important point. What files from the original installation should be deleted to prevent inappropriate actions? For example, setup.asp? When installing MODs I have deleted the setup files as they are no longer necessary and could pose a greater security risk...
webshorts
New Member
USA
96 Posts
Posted - 22 May 2001 : 17:13:14
I'm beginning to come to the conclusion that it was due to Win2k SP2. It "removed" several hotfixes (thanks for the tip, but that really torques me). I've reinstalled the removed hotfixes, and I haven't had the hacker back in. It still baffles me that he would have been able to get into the SQL, but didn't change anything on the home page of my site. Oh well, hackers have never been known to be bright, right?
Thanks for the tips guys.
Daniel Short Chief Designer, Web Shorts Site Design
Free DHTML at DHTMLShock.com JavaScript and DHTML forum, powered by Snitz
brkonthru
Development Team Member
Jordan
69 Posts
Posted - 23 May 2001 : 18:21:16
hate hackers? get a simple, cheap and VERY effective firewall --> Zone Alarm Pro, very customizable and can put you in stealth so most hackers will not even know that you exist to start messing with you in the first place, in addition to many other benefits the program offers.
I am not on commission, I swear
http://www.jeeran.com - free hosting for Arabs and Muslims
tilttek
Junior Member
Canada
333 Posts
Posted - 24 May 2001 : 08:03:38
quote:
That raises an important point. What files from the original installation should be deleted to prevent inappropriate actions? For example, setup.asp? When installing MODs I have deleted the setup files as they are no longer necessary and could pose a greater security risk...
I think Setup.asp and inc_create_forum*.asp should be deleted.
Philippe Gamache http://www.tilttek.com http://www.lapageamelkor.com
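Two things the thread asks for can be done in one pass over the IIS logs: work mule's suggestion to look for when and from where the admin pages were hit, and the later point that leftover installer files such as setup.asp and inc_create_forum*.asp are worth worrying about. The following is an added example, not code from this thread or from Snitz: it parses IIS 5.0 W3C Extended log lines using the `#Fields:` header, flags requests whose URI matches the installer files named above, and counts them per client address. The log excerpt is constructed for the demo; the `admin_*.asp` pattern is an assumption about how the admin pages are named, not something the thread states.

```python
import fnmatch

# Constructed IIS 5.0 W3C Extended log excerpt for the demo (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-20 03:01:12
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-05-20 03:01:12 192.0.2.10 - 198.51.100.5 80 GET /forum/default.asp - 200 Mozilla/4.0+(compatible)
2001-05-20 03:02:40 192.0.2.10 - 198.51.100.5 80 GET /forum/setup.asp - 200 Mozilla/4.0+(compatible)
2001-05-20 03:03:01 192.0.2.10 - 198.51.100.5 80 POST /forum/setup.asp - 302 Mozilla/4.0+(compatible)
2001-05-20 03:05:17 192.0.2.10 - 198.51.100.5 80 GET /forum/admin_home.asp - 200 Mozilla/4.0+(compatible)
2001-05-20 03:06:02 192.0.2.10 - 198.51.100.5 80 POST /forum/admin_config.asp - 200 Mozilla/4.0+(compatible)
2001-05-20 09:14:55 203.0.113.7 - 198.51.100.5 80 GET /forum/topic.asp TOPIC_ID=12 200 Mozilla/4.0+(compatible)
"""

# setup.asp and inc_create_forum*.asp are the files named in the thread;
# admin_*.asp is an assumed naming pattern for the admin pages.
SUSPECT_PATTERNS = ("*/setup.asp", "*/inc_create_forum*.asp", "*/admin_*.asp")


def parse_w3c(text):
    """Turn W3C Extended log text into one dict per request, keyed by the
    names in the #Fields directive. Other '#' directives are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious_requests(rows, patterns=SUSPECT_PATTERNS):
    """Rows whose URI stem matches any pattern; matching is case-insensitive
    because IIS paths are."""
    hits = []
    for row in rows:
        stem = row["cs-uri-stem"].lower()
        if any(fnmatch.fnmatchcase(stem, p) for p in patterns):
            hits.append(row)
    return hits


def count_by_client(hits):
    """Requests per client IP, to see which addresses touched the admin or
    installer pages at all."""
    counts = {}
    for row in hits:
        counts[row["c-ip"]] = counts.get(row["c-ip"], 0) + 1
    return counts


def triage(text=SAMPLE_LOG):
    """Compact timeline of flagged requests: date, time, client, method,
    URI, status."""
    hits = suspicious_requests(parse_w3c(text))
    return [(r["date"], r["time"], r["c-ip"], r["cs-method"],
             r["cs-uri-stem"], r["sc-status"]) for r in hits]


if __name__ == "__main__":
    for hit in triage():
        print(" ".join(hit))
    print(count_by_client(suspicious_requests(parse_w3c(SAMPLE_LOG))))
```

Point `triage()` at the contents of the `ex*.log` files for the day in question. Two caveats when reading the output: W3C Extended logs are timestamped in GMT, not local time, so compare against the defacement time accordingly; and as work mule notes, the client address may be a proxy rather than the person. A `200` on a `GET /forum/setup.asp` after the forum was installed is itself a finding, whoever requested it, because the file should not still have been there.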