Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 MOD-Group
 MOD Add-On Forum (W/Code)
 Protect every version of Snitz staff members.
 New Topic  Reply to Topic
 Printer Friendly
Next Page
Author Previous Topic Topic Next Topic
Page: of 2

KC
Junior Member

USA
152 Posts

Posted - 07 December 2005 :  16:27:00  Show Profile  Visit KC's Homepage  Reply with Quote
This is NOT for rookies!...
But if you can edit Access DB's loacally and know .asp, this is for you.

Details and DL on my Secure your Snitz website with Secondary Security page.

You pros are going to love this.
It makes your higher level access virtualy bulletproof.
Enjoy, and your welcome ;-}

< Moved to MOD Add-On Forum (W/Code) by Shaggy />

Owner of vales.com and Elite Computers.

Edited by - Shaggy on 08 December 2005 05:53:42

DJGray
New Member

USA
68 Posts

Posted - 08 December 2005 :  11:07:00  Show Profile  Visit DJGray's Homepage  Reply with Quote
Looks nice. I'm checking it out as we speak.
Go to Top of Page

KC
Junior Member

USA
152 Posts

Posted - 22 February 2006 :  12:25:04  Show Profile  Visit KC's Homepage  Reply with Quote
Works great.
Not a single hack even when the hacker had the login name and passowrd to staff memberships.

Owner of vales.com and Elite Computers.
Go to Top of Page

Gizmo3
Junior Member

130 Posts

Posted - 02 March 2006 :  16:45:17  Show Profile  Reply with Quote
So how does this mod worm. There was no instruction. Do you just copy the files over to the forum.<

This account was hacked into by Image, a very honest guy as you all can see! Stealing people's passwords is his pasttime. Beware of this, before you register at his forums!
Go to Top of Page

Jezmeister
Senior Member

United Kingdom
1141 Posts

Posted - 02 March 2006 :  19:01:37  Show Profile  Visit Jezmeister's Homepage  Reply with Quote
"You place these bold Include lines just after the

<%sub sForumNavigation() line in inc_header.asp or inc_top.asp depending on version.

' ********* Hack Catch ******%>
<!--#INCLUDE FILE="callSecure.asp" -->"

they seem like instructions to me
One point KC, while I havent looked at the code so it may well throw errors on MySql I see no reason why it can't be done on MS SQL and after being made "mysql compliant" on mysql... the database changes can be made either through custom code or a database manager."
Go to Top of Page

KC
Junior Member

USA
152 Posts

Posted - 27 March 2006 :  13:33:43  Show Profile  Visit KC's Homepage  Reply with Quote
Ya Jez, the code is pretty straight foward and could be modified to any platform, it's the concept that makes it work.

When someone with staff powers logs in (when their mLev is higher than 1 or 2 depending on version) I force another check to see if it really is them, and I do this by tracking their IP number in another db/login system.

If the current and saved IP's don't match, the staff member has to go to the speacial secret page you never link from anywhere and login with their member name and special password to reset their current IP address.

The best part is, none of the info in that little DB can be changed from the internet so nobody can edit it or add themselves.
You FTP the DB down, add the new user, and send it back.

It's a pain for very active dial-up staff who's IP changes all the time, but a breeze for broadband guys.

It's worth the pain to track and know that regardless of any BBS security flaw or stolen staff info there is, no hacker is going to get any staff options unless he's sitting at their computer, and as we all know, you can't do anything to a web site without staff powers.

As mentioned, you need the skills to do it as I'm not a teacher or "document" making official mod guy.

I just pop in to share code when I can, and as I should.
A system like this pretty much makes every "gain staff access" hack a moot point, and that was my goal.

*edit* One other note...
Hackers are rare, but staff needs a good page to be sent to if they didn't re-set their IP from the new system so I changed the page they see to this: http://vales.com/duhh.html

hehhehe.
At least it provides a smile ;-}

Owner of vales.com and Elite Computers.

Edited by - KC on 27 March 2006 13:46:04
Go to Top of Page

ILLHILL
Junior Member

Netherlands
341 Posts

Posted - 15 April 2006 :  19:57:09  Show Profile  Reply with Quote
This sounds real good.
I will work on this first thing tomorrow and test it on my forum.

Thanks for this great addition.

D

CLPPR.com - All The News Only Seconds Away
Go to Top of Page

Billbo
Starting Member

USA
9 Posts

Posted - 08 May 2006 :  09:31:03  Show Profile  Send Billbo a Yahoo! Message  Reply with Quote
I would like to implement this nifty security feature but can't seem to download your SecureSnitz1.0.zip file. Is it still available? Thanks.

Bill Bowen
IS Manager
KC-135 ATS
Go to Top of Page

KC
Junior Member

USA
152 Posts

Posted - 04 February 2008 :  11:32:26  Show Profile  Visit KC's Homepage  Reply with Quote
It's back up again now.
I cleaned up my server Billbo and this must have been deleted.

As mentioned this is not a "drop in fix" for rookies.
It is the building blocks for how to add a second virtually bulletproof level of security to your site no matter how a person gains Mod or even Admin privledges.

I could give you my Admin login and you couldn't get in.
I could make you a Mod and you couldn't get in anymore until I manually added you to this 2nd level.
I could make you an Admin and added you but you could'nt make anyone else a mod or admin either.
Well, you could with admin powers, but they would just get the banned page when they tried to login.

I would have just posted all the instructions and DL links to the .zip files here but I have my server protected from being able to DL any .mdb or .zip file from anything but a link on my sites too, and of course there are not even any links to DL any .mdb files.

It's 2008 now (the Superbowl was down the street from me yesterday) and I have still never had any "Higher Member Level" breech of any kind.

Owner of vales.com and Elite Computers.
Go to Top of Page

designgoddess
Starting Member

USA
11 Posts

Posted - 14 February 2008 :  11:45:03  Show Profile  Visit designgoddess's Homepage  Send designgoddess an AOL message  Reply with Quote
Well I have a similiar question...I am wondering two things: 1) is there a way to hold registration and have regisration get emailed to the admin for approval? 2) if we were to wipe out the user names in the db and have everyone reregisterw ould they be able to use the same user name as previously?
Go to Top of Page

KC
Junior Member

USA
152 Posts

Posted - 13 April 2009 :  12:29:25  Show Profile  Visit KC's Homepage  Reply with Quote
Note that this mod has a couple of updates as of 2009 and the link at the top is still good.

Considering I posted this back in 2005 and still using it should tell you something.
I have had my share of staff level forum hack attempts and all failed.
I actually get a smile when I read the log of their tries and then ban their IP's ;-}

Owner of vales.com and Elite Computers.
Go to Top of Page

Etymon
Advanced Member

United States
2385 Posts

Posted - 13 April 2009 :  13:34:26  Show Profile  Visit Etymon's Homepage  Reply with Quote
Hi KC,

Thank you for this MOD!! Good stuff!

Hey, the link for this ... http://vales.com/securesnitz/ISAPI_Rewrite ... is dead. Do you still have the info?

Cheers,

Etymon
Go to Top of Page

KC
Junior Member

USA
152 Posts

Posted - 13 April 2009 :  14:22:08  Show Profile  Visit KC's Homepage  Reply with Quote
Yep.
http://vales.com/elite/topic.asp?TOPIC_ID=914

I moved to a new server recently and had to re-install it myself.
Man, I love this new kick butt fast IIS6 server, I have Remote Desktop with Admin Logon to it ;-}

For example you'll get a ban page for trying to DL http://vales.com/test.zip or http://vales.com/test.mdb no matter how you try to do it.

The .zips will DL if it's a link from a vales.com web page, but there is no DLing an .mdb database from HTTP no matter what ;-}


Owner of vales.com and Elite Computers.

Edited by - KC on 13 April 2009 14:23:42
Go to Top of Page

Etymon
Advanced Member

United States
2385 Posts

Posted - 13 April 2009 :  15:08:14  Show Profile  Visit Etymon's Homepage  Reply with Quote
Great! Thanks KC!
Go to Top of Page

SiSL
Average Member

Turkey
671 Posts

Posted - 13 April 2009 :  16:10:54  Show Profile  Visit SiSL's Homepage  Reply with Quote
quote:
Originally posted by KC

Man, I love this new kick butt fast IIS6 server, I have Remote Desktop with Admin Logon to it ;-}


You should see IIS7 ones that came out last year

CHIP Online Forum

My Mods
Select All Code | Fix a vulnerability for your private messages | Avatar Categories W/ Avatar Gallery Mod | Complaint Manager
Admin Level Revisited | Merge Forums | No More Nested Quotes Mod
Go to Top of Page

~Katherine
Starting Member

1 Posts

Posted - 14 April 2009 :  17:56:05  Show Profile  Reply with Quote
Great! Now. Any suggestions for getting rid of spambots?

~K~



quote:
Originally posted by KC

This is NOT for rookies!...
But if you can edit Access DB's loacally and know .asp, this is for you.

Details and DL on my Secure your Snitz website with Secondary Security page.

You pros are going to love this.
It makes your higher level access virtualy bulletproof.
Enjoy, and your welcome ;-}

< Moved to MOD Add-On Forum (W/Code) by Shaggy />

Go to Top of Page
Page: of 2 Previous Topic Topic Next Topic  
Next Page
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.16 seconds. Powered By: Snitz Forums 2000 Version 3.4.07