AlanP
Newbie
Joined: 24 December 2005
Location: Canada
Points: 11
Topic: Turkish Hackers Posted: 24 December 2005 at 10:42pm
I am completely flummoxed. I run a small web site for a client in England, and we put up a Web Wiz forum. It isn't very highly used, but a couple of people talk about things.
It got hacked last summer and I upgraded it to a new version of web wiz that was supposed to have fixed a security glitch. All was going well until we got hacked again this week.
To make a long story short, I tried a bunch of things that didn't work. When going to the forum, it immediately redirects to the forum_closed.asp file and I get the Turkish Hacker screen with the "forums closed for maintenance" message at the bottom.
I ended up saving the database to another location not even on the server and deleting the entire forum directory from the server and my own computer, downloading the latest version of Web Wiz and uploading it. But when I go into the forum now, I still get the redirect to the hacked forum closed page!!
These Turks are close to putting me right off my turkey dinner tomorrow.
Anybody have any ideas?
Merry Christmas et al to all.
Alan
cctran
Newbie
Joined: 24 December 2005
Points: 9
Posted: 24 December 2005 at 11:37pm
I hope you were joking around, because I think hackers can be from any region. In any case, if you really think it's Turkish hackers, block IPs from that region. A lot of hosting companies block IPs from China, etc. It will save you bandwidth, and unless you care about that audience, you can add a very, very minor safeguard. Dump out the logs and see the regions the IPs are coming from. hostip.info is a good source for geolocating IPs.
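The log triage suggested above, as an added example that is not part of the thread or of Web Wiz Forums: it parses IIS W3C extended log lines by their #Fields header, flags clients that pulled a .mdb file or touched the admin area, and counts requests per client IP so those addresses can be geolocated before deciding on a block. The log lines are constructed; the forum URIs imitate a Web Wiz layout but are assumptions, not the product's real paths.

```python
"""Triage an IIS W3C log for the activity described in this thread.

Added example, not code from the forum or from Web Wiz. The log lines
below are constructed; the URIs imitate a Web Wiz Forums layout but are
assumptions, not the product's real paths.
"""
from collections import Counter

# Constructed sample: three clients, one of which fetches the database
# file and then works in the admin area.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2005-12-20 03:14:07 10.0.0.5 GET /forum/default.asp - 80 - 198.51.100.20 Mozilla/4.0+(compatible) 200
2005-12-20 03:14:09 10.0.0.5 GET /forum/database/wwForum.mdb - 80 - 203.0.113.77 Mozilla/4.0+(compatible) 200
2005-12-20 03:15:22 10.0.0.5 POST /forum/admin/admin_login.asp - 80 - 203.0.113.77 Mozilla/4.0+(compatible) 200
2005-12-20 03:15:40 10.0.0.5 POST /forum/admin/admin_settings.asp - 80 - 203.0.113.77 Mozilla/4.0+(compatible) 302
2005-12-20 03:16:02 10.0.0.5 GET /forum/forum_closed.asp - 80 - 198.51.100.20 Mozilla/4.0+(compatible) 200
2005-12-20 03:16:30 10.0.0.5 GET /forum/database/wwForum.mdb - 80 - 192.0.2.9 Mozilla/5.0 404
"""


def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that cannot be mapped onto the header
        records.append(dict(zip(fields, values)))
    return records


def triage(records):
    """Flag the two things the thread worries about: a successfully
    downloaded Access database and use of the admin area, and count
    requests per client IP."""
    mdb_downloads = []
    admin_hits = []
    by_ip = Counter()
    for r in records:
        ip = r["c-ip"]
        uri = r["cs-uri-stem"].lower()
        by_ip[ip] += 1
        if uri.endswith(".mdb") and r["sc-status"] == "200":
            mdb_downloads.append((ip, uri))
        if "/admin/" in uri:
            admin_hits.append((ip, r["cs-method"], uri))
    return {"mdb_downloads": mdb_downloads, "admin_hits": admin_hits, "by_ip": by_ip}


def suspicious_ips(result):
    """Clients that pulled the database or touched admin pages; these are
    the addresses worth looking up (e.g. at hostip.info) before blocking."""
    ips = {ip for ip, _ in result["mdb_downloads"]}
    ips |= {ip for ip, _, _ in result["admin_hits"]}
    return sorted(ips)


if __name__ == "__main__":
    res = triage(parse_iis_log(SAMPLE_LOG))
    for ip in suspicious_ips(res):
        print(ip, res["by_ip"][ip], "requests")
```

A 404 on the .mdb path is still worth noting (someone is probing for the file), but only a 200 means the database actually left the server, which is why the download list keys on the status code.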
Gullanian
Senior Member
Joined: 04 January 2002
Location: England
Points: 4373
Posted: 25 December 2005 at 1:23am
Well, considering it pointed to a Turkish hacker message/screen, it's pretty safe to assume the hacker was Turkish.
I can't quite conclude from reading your posts if you are actually moving the DB and renaming it properly to help offer protection. If it is, then it sounds like a server security issue of the hacker actually gaining access through FTP or something.
Bluefrog
Senior Member
Joined: 23 October 2002
Location: Korea, South
Points: 1701
Posted: 25 December 2005 at 3:28am
Gullanian wrote:
Well, considering it pointed to a Turkish hacker message/screen, it's pretty safe to assume the hacker was Turkish.
I can't quite conclude from reading your posts if you are actually moving the DB and renaming it properly to help offer protection. If it is, then it sounds like a server security issue of the hacker actually gaining access through FTP or something.
I was thinking the same thing as I read through - sounds like a server issue with some software.
Check all the other software on the server & apply security patches. BTW - the best thing for a compromised server is to reinstall - not fun.
Try to see where they got in. If it's a Symantec anti-virus exploit or an FTP server exploit - whatever it is, fix that first. If it ends up being a WWF exploit, see if you can find where it is, then email BoRg. Do not post it back here, as these are public forums that anyone can read and you'll only end up hurting someone.
Good luck!
AlanP
Newbie
Joined: 24 December 2005
Location: Canada
Points: 11
Posted: 25 December 2005 at 6:55pm
Thanks for all the help. It all appears to be working well now. Don't ask me how or why.
Alan
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Points: 9844
Posted: 27 December 2005 at 1:17pm
The Turkish hacker is using a number of exploits to get in; he mainly uses CSS to deface your site and place an image on there that says you have been hacked.
Please read the following on how he hacks sites and ways to prevent it:
- He looks for older versions of Web Wiz Forums, or ones that have not been updated correctly, and then uses old exploits to get in. To prevent this, make sure you are running the latest version.
- He downloads the Access database and gets the admin username and password from that. Make sure you place the database outside of your web site where he cannot download the database; see
http://www.webwiz.net/web_wiz_forums/docs_access_move_db.asp
- He also looks for holes in the server's own security, for sites that have not set up permissions securely and have write permissions enabled on public files and folders; this allows a hacker to upload his/her own files to the server to deface or hack the site. Permissions need to be set by your web host; contact them to set up secure permissions for your site.
- Do not enable upload features in the forum. For uploading to work you need to make your server insecure by enabling write permissions on the upload directory, and these can be used by a hacker to hack your site (as in point 3).
Edited by -boRg- - 27 December 2005 at 1:18pm
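The second point above (the Access database must not be fetchable by URL) can be checked mechanically. The script below is an added example, not Web Wiz code: it walks a web root for .mdb files, checks whether the database path configured in common.asp resolves to a location inside the web root, and recognises a Jet database by its file signature so a suspected download can be confirmed. It assumes the configured path appears in a line of the form `strDbPathAndName = "..."` (the variable name comes from the error message later in this thread; the line shape is an assumption), and it builds its own throwaway directory tree so it runs offline.

```python
"""Check whether the forum's Access database is reachable from the web.

Added example, not Web Wiz code. Assumptions: (1) common.asp sets the
database path in a line of the form  strDbPathAndName = "..."  (variable
name from the thread, line shape assumed); (2) anything under the web
root is downloadable by URL. The site layout is constructed in a temp dir.
"""
import os
import re
import tempfile

# First bytes of a Jet (Access .mdb) file: lets you confirm that a file
# on disk, or the body of an HTTP response, really is the database.
JET_SIGNATURE = b"\x00\x01\x00\x00Standard Jet DB"


def is_under(path, root):
    """True if path lies inside root after resolving '..' and symlinks."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # different drives on Windows
        return False


def find_mdb_in_webroot(web_root):
    """Every .mdb under the web root can be fetched by anyone who knows
    or guesses its URL; paths are returned relative to the web root."""
    hits = []
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(".mdb"):
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def db_path_from_common_asp(text):
    """Pull the configured database path out of common.asp (assumed form)."""
    m = re.search(r'strDbPathAndName\s*=\s*"([^"]+)"', text)
    return m.group(1) if m else None


def check_config(common_asp_text, web_root):
    """'exposed' if the configured database sits inside the web root."""
    db = db_path_from_common_asp(common_asp_text)
    if db is None:
        return "unknown"
    return "exposed" if is_under(db, web_root) else "ok"


def looks_like_access_db(data):
    return data.startswith(JET_SIGNATURE)


def build_demo_site():
    """Constructed layout: a copy of the DB left in the web root, and the
    moved copy in a private directory beside it. Returns the three paths."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "htdocs")
    private = os.path.join(base, "private", "newname")
    os.makedirs(os.path.join(web_root, "forum", "database"))
    os.makedirs(private)
    exposed_db = os.path.join(web_root, "forum", "database", "wwForum.mdb")
    private_db = os.path.join(private, "newname.mdb")
    for p in (exposed_db, private_db):
        with open(p, "wb") as f:
            f.write(JET_SIGNATURE + b"\x00" * 16)  # stub, not a real database
    return web_root, exposed_db, private_db


if __name__ == "__main__":
    web_root, exposed_db, private_db = build_demo_site()
    print("downloadable:", find_mdb_in_webroot(web_root))
    for db in (exposed_db, private_db):
        print(db, "->", check_config('strDbPathAndName = "%s"' % db, web_root))
```

Moving the file is only half the fix: if a stale copy stays under the web root, the walk still reports it, and the old URL still serves the old admin credentials.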
AlanP
Newbie
Joined: 24 December 2005
Location: Canada
Points: 11
Posted: 27 December 2005 at 2:43pm
Thanks, boRg.
I moved the database outside the htdocs directory and into the private directory and reset the two common.asp files to the physical address e:\domains\e\domainname\user\private\newname\newname.mdb, and the site works fine. But when I try to compact and back up the database I get an error message:
Microsoft VBScript runtime error '800a0034'
Bad file name or number
/forum/admin/compact_access_db.asp, line 121
Line 121 reads:
objFSO.CopyFile strDbPathAndName, Replace(strDbPathAndName, ".mdb", "-backup.mdb", 1, -1, 1)
Do I need to edit something in here?
Also, when I went into the private directory with Cuteftp, I discovered that he had put a bunch of default and index files in there. The directory is set to drwx------- (owner permissions only). Does this indicate an ftp hole on the server?
Thanks,
Alan
huwnet
Senior Member
Joined: 30 May 2003
Location: England
Points: 1375
Posted: 27 December 2005 at 6:42pm
-boRg- wrote:
He also looks for holes in the server's own security, for sites that have not set up permissions securely and have write permissions enabled on public files and folders; this allows a hacker to upload his/her own files to the server to deface or hack the site. Permissions need to be set by your web host; contact them to set up secure permissions for your site.
I have never understood how files can be uploaded to an insecure web server just using the http protocol. Or does the hacker somehow use the upload script to his advantage?