nolan
Newbie
Joined: 10 July 2005
Topic: Haxored Posted: 10 July 2005 at 6:22pm
Hi ya,
I've seen the patch which I will apply, but the hack on my site doesn't seem to be related to the css bug.
I found 'hacked by Turkish Hacker' etc etc on my front page. He had put his own default.asp/htm pages in my site!
I am running Web Wiz Forums so I can't help but presume this was his way in to my site.
At least he didn't remove anything, but it is still very worrying!
Cheers,
Lee
 |
dj air
Senior Member
Joined: 05 April 2002
Location: United Kingdom
Posted: 10 July 2005 at 7:20pm
Do you have a URL? Then we can tell what it may be.
Have you any posts, things etc. that could be exploited, or any uploading features?
 |
nolan
Newbie
Joined: 10 July 2005
Posted: 10 July 2005 at 8:52pm
Sure, the url to my forum is here
Avatar uploading is disabled and I cannot see anything in the database that looks suspicious (it's in a hidden dir by the way).
The guy names himself ENO7, if you look for him on Google you can see he has been pretty busy!
I'll get the IIS logs from my host and see if there's anything that can help in there.
Thanks,
Lee
 |
nolan
Newbie
Joined: 10 July 2005
Posted: 10 July 2005 at 9:07pm
I've just been given this from a friend, maybe it was a server hack instead.
Zone-H
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Posted: 11 July 2005 at 4:19am
If he replaced the default.asp page with his own then it does sound like the server was hacked and not the forum software.
Make sure that you disable write permissions on your site apart from the folder containing the database and the upload folder.
 |
pmormr
Senior Member
Joined: 06 January 2003
Location: United States
Posted: 13 July 2005 at 3:03am
He's only hacking Win2k3 machines... he probably wrote a script that takes advantage of unprotected shares or unpatched holes in the OS... but he's only targeting WWFs... that leads me to think that he's hacking through a vulnerability in WWF. Anyway, it's only a matter of time before he's traced and busted... you can't f*ck up 700 websites without leaving traces. If I can find his IP address from Zone-H I'll personally report him to his ISP for you.
 |
pmormr
Senior Member
Joined: 06 January 2003
Location: United States
Posted: 13 July 2005 at 3:10am
The attacker used the IP address 83.245.15.61 to hack your site. That IP address is registered to RIPE Network Coordination Centre in Amsterdam, which is in turn registered to RapidSwitch Ltd: Refer to http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext=83.245.15.61.
I complained to their abuse address for you.
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Posted: 13 July 2005 at 5:28am
I've checked up on this hacker and it seems that he is targeting sites
running on Windows 2000/2003 servers that have write permissions
enabled on their directories.
Most of the sites he has targeted are not running Web Wiz Forums, but
as Web Wiz Forums only runs on Windows 2000/2003 servers the hacker may
use this to find sites running these OS's.
This is not a problem with Web Wiz Forums, you need to make sure that
you do not have write permissions enabled on your site for directories.
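
The advice given in this thread (no write permissions on the site's directories apart from the database and upload folders) can be checked with an NTFS ACL audit. The PowerShell script below is an added example, not part of the original posts or of Web Wiz Forums; the web root path, the exempt folder names and the list of identities treated as risky are assumptions to adjust for your server, and it inspects NTFS ACLs only.

```powershell
# Added example: report web-root directories that anonymous or broad identities
# can write to, skipping the folders that are meant to be writable.
param(
    [string]   $WebRoot      = 'C:\inetpub\wwwroot',     # assumed site root
    [string[]] $AllowedWrite = @('database', 'uploads')  # assumed paths, relative to the root
)

# Identities a web request commonly runs as, plus overly broad groups (assumed list).
$risky = '(^|\\)(Everyone|Users|Authenticated Users|NETWORK SERVICE|IUSR(_.+)?|IIS_IUSRS|IIS_WPG)$'

# Rights that let a principal create, change or delete content, or rewrite the ACL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_WRITE / GENERIC_ALL bits, which Get-Acl shows as bare numbers on some ACEs.
$genericMask = 0x40000000 -bor 0x10000000

$root = (Get-Item -LiteralPath $WebRoot).FullName.TrimEnd('\')
$dirs = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Directory -Recurse)

$findings = foreach ($dir in $dirs) {
    # Path relative to the web root; empty for the root itself.
    $relative = $dir.FullName.Substring($root.Length).Trim('\')
    $exempt = $AllowedWrite | Where-Object { $relative -eq $_ -or $relative -like "$_\*" }
    if ($exempt) { continue }

    foreach ($rule in (Get-Acl -LiteralPath $dir.FullName).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.IdentityReference.Value -notmatch $risky) { continue }
        $rights = [int]$rule.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No risky write access found under $root outside the exempt folders."
}
```

Rows marked `Inherited = True` are fixed on the parent directory that grants the right, not on the directory listed.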
 |