Michael Mullis
Newbie
Joined: 10 September 2005
Location: United States
Topic: New Turkish Hacker Trick. Posted: 10 September 2005 at 12:34am |
Hello gang. I know the Turkish Hacker has been making the rounds on the forums, and we've been the latest casualty, but not quite in the way everyone else has been hit.
Before the admins throw out the "it's not our forums", hear me out on this one. We are using the WWF with MS-SQL 2000. The forum directory itself has not and has never been open to write permissions for IUSR_Guest or any other guest account.
Now since the hacker could not change or take over my main pages, he was able to selectively hijack INDIVIDUAL THREADS. And on multiple page threads only the page his post was on was affected.
For example:
That page is fine. When you go to the next page:
I also, just in case, looked at the forum directory and the forums_post.asp script has not been altered and the date is consistent with when I installed the forums. This is a redirection hack, and I say that because for a split second before the hack page comes up, you can see the WWF header. And again, threads he didn't touch are fine. Even though I deleted the user in question, the posts remain under the "guests" post and I can't remove them. I also can't find them in the SQL database.
I am going to first do the 7.92 update and see if that clears it up. In the meantime if anyone has any thoughts to THIS one, I'd love to hear it. He couldn't hack the entire forum, so he did his best to take a few pot shots before moving on. But he's already tried again.
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Posted: 10 September 2005 at 4:05am |
To prevent this you need to be using the latest version of Web Wiz Forums, 7.92, as it has a couple of security updates to prevent this.
The reason why the hacker was able to do this was because you didn't apply the security update.
A small problem was found that allowed CSS to be placed into a post that would cause a background image to be placed over the top of the page.
The problem with CSS in some browsers is that it doesn't need to be in HTML tags for a browser to run it, which meant that the built-in security filters didn't see it as HTML and therefore allowed it through.
The latest version employs measures that prevent this type of inline CSS from running.
 |
Michael Mullis
Newbie
Joined: 10 September 2005
Location: United States
Posted: 10 September 2005 at 2:37pm |
I did that right after posting this. The trick was trying to thread through the SQL database manually to find and remove the offending posts. Today I learned a lot about the SQL structure of the Web Wiz Forums and where to find things. :)
Now, I did just the patch update which overwrote the post_message.asp and the filter script. Is that enough or do I need to redownload the entire 7.92 package?
And not to worry, I will be paying much closer attention to WWF updates and such from now on. Oh, and kudos for putting in the IP Address collector. I already forwarded it on to the proper ISP.
Thanks!
|
 |
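Added example (not Web Wiz Forums code and not part of any post in this thread): a Python check for the gap Bruce describes, where a filter that only recognises HTML tags passes CSS declarations, applied as a scan over stored posts of the kind Michael did by hand. The rule set, function names and sample rows are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample rows (post_id, message); not real forum data.
SAMPLE_POSTS = [
    (101, "Thanks, the 7.92 update fixed it for me."),
    (102, "<b>bold</b> text pasted from the editor"),
    (103, "x; background-image: url(http://example.invalid/a.png); position: absolute"),
    (104, "BACKGROUND-IMAGE : URL ( http://example.invalid/b.png )"),
]

# What a tag-only filter looks for: something shaped like an HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-z!][^>]*>", re.I)

# Hypothetical rule set: CSS constructs that can load or overlay content.
CSS_RULES = {
    "background-image": re.compile(r"background-image\s*:"),
    "url()": re.compile(r"url\s*\("),
    "position": re.compile(r"position\s*:\s*(absolute|fixed)"),
    "@import": re.compile(r"@import\b"),
}

def tag_filter_flags(message):
    """True if a filter that only recognises HTML tags would react."""
    return bool(TAG_RE.search(message))

def normalise(message):
    """Decode entities, drop CSS comments and fold case before matching."""
    text = html.unescape(message)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return text.lower()

def css_findings(message):
    """Names of the CSS rules that match, tags or no tags."""
    text = normalise(message)
    return [name for name, rule in CSS_RULES.items() if rule.search(text)]

def triage(posts):
    """Map post_id -> findings for stored posts that need manual review."""
    report = {}
    for post_id, message in posts:
        found = css_findings(message)
        if found:
            report[post_id] = {"css": found,
                               "seen_by_tag_filter": tag_filter_flags(message)}
    return report

if __name__ == "__main__":
    for post_id, info in triage(SAMPLE_POSTS).items():
        print(post_id, info)
```

Matches are candidates for manual review, not verdicts: a post that merely discusses CSS will also be listed.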
gölge
Groupie
Joined: 16 April 2005
Location: Turkey
Posted: 12 September 2005 at 7:43am |
I hate those lamers. They hacked my forum 3 months ago. I uploaded the latest backup and updated to v7,92.
|
"A lie travels round the world while Truth is putting on her boots" C.H. Sturgeon
PLEASE VISIT www.tallarmeniantale.com AND SEE THE TRUTH.
|
 |
wistex
Mod Builder Group
Joined: 30 August 2003
Location: United States
Posted: 17 September 2005 at 4:57pm |
Borg, one thing that would help admins in this situation is to turn on HTML editing of posts for admins only. I modified my forum so that as the admin, I could use that feature but no one else can. It's a lifesaver, especially when people copy and paste stuff into the RTE and accidentally copy a bunch of code they didn't mean to copy.
I think I mentioned this in the suggestions thread somewhere, but I thought I'd mention it again since this is a perfect example of why that feature is desperately needed.
 |
RAVALON
Groupie
Joined: 31 December 2003
Location: Italy
Posted: 24 September 2005 at 10:54am |
I'm sorry Borg, but I applied patch v7,92 one month ago, after the last hacker attack on my forum...
Today, 24 September, the Turkish hacker hacked my forum again... with version 7,92.
Now, if I have the latest version of the forum, what do I have to do?
|
 |
JJLatWebWiz
Groupie
Joined: 02 March 2005
Location: United States
Posted: 24 September 2005 at 4:59pm |
RAVALON, can you provide a link to let us see what the hack looks like? I've been browsing your forum and don't see any problems, so it's going to be hard to tell if this latest hack was another CSS attack or something else.
|
 |
RAVALON
Groupie
Joined: 31 December 2003
Location: Italy
Posted: 24 September 2005 at 7:06pm |
I have already fixed my site...
The Turkish hacker changed the name of the forum, the admin user's name and password, and changed the path of the image which is positioned at the top left of the forum...
If necessary, I could ask my users if someone saved a screenshot.
|
 |