
Haxored

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=15780
Printed Date: 28 March 2026 at 9:08am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Haxored
Posted By: nolan
Subject: Haxored
Date Posted: 10 July 2005 at 6:22pm
Hi ya,

I've seen the patch which I will apply, but the hack on my site doesn't seem to be related to the css bug.

I found 'hacked by Turkish Hacker' etc etc on my front page. He had put his own default.asp/htm pages in my site!

I am running web wiz forums so I can't help presume this was his way in to my site.

At least he didn't remove anything, but is still very worrying!

Cheers,

Lee




Replies:
Posted By: dj air
Date Posted: 10 July 2005 at 7:20pm
do you have a url then we can tell what it may be?

have you any posts things etc that could be exploited or any uploading features?


Posted By: nolan
Date Posted: 10 July 2005 at 8:52pm
Sure, the url to my forum is http://www.slowdown.co.uk/forum/

Avatar uploading is disabled and I cannot see anything in the database that looks suspicious (it's in a hidden dir by the way).

The guy names himself ENO7, if you look for him on Google you can see he has been pretty busy!

I'll get the IIS logs from my host and see if there's anything that can help in there.

Thanks,

Lee





Posted By: nolan
Date Posted: 10 July 2005 at 9:07pm
I've just been given this from a friend, maybe it was a server hack instead.

http://www.zone-h.org/en/defacements/filter/filter_defacer=eno7/page=1/ - Zone-H


Posted By: WebWiz-Bruce
Date Posted: 11 July 2005 at 4:19am
If he replaced the default.asp page with his own then it does sound like the server was hacked and not the forum software.

Make sure that you disable write permissions on your site apart from the folder containing the database and the upload folder.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: pmormr
Date Posted: 13 July 2005 at 3:03am
he's only hacking Win2k3 machines... he probably wrote a script that takes advantage of unprotected shares or unpatched holes in the OS... but he's only targeting WWFs.. that leads me to think that he's hacking through a vulnerability in WWF. Anyway, it's only a matter of time before he's traced and busted... you can't f*ck up 700 websites without leaving traces. If I can find his IP address from Zone-H I'll personally report him to his ISP for you.

-------------
Paul A Morgan

http://www.pmorganphoto.com/


Posted By: pmormr
Date Posted: 13 July 2005 at 3:10am
The attacker used the ip address 83.245.15.61 to hack your site. That IP address is registered to RIPE Network Coordination Centre in Amsterdam, which is in turn registered to RapidSwitch Ltd: Refer to http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext=83.245.15.61 .

I complained to their abuse address for you.


-------------
Paul A Morgan

http://www.pmorganphoto.com/


Posted By: WebWiz-Bruce
Date Posted: 13 July 2005 at 5:28am
I've checked up on this hacker and it seems that he is targeting sites running on Windows 2000/2003 servers that have write permissions enabled on their directories.

Most of the sites he has targeted are not running Web Wiz Forums, but as Web Wiz Forums only runs on Windows 2000/2003 servers the hacker may use this to find sites running these OS's.

This is not a problem with Web Wiz Forums, you need to make sure that you do not have write permissions enabled on your site for directories.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: WebWiz-Bruce
Date Posted: 13 July 2005 at 5:35am
This is NOT a vulnerability in Web Wiz Forums!!

I've just been through 30 to 40 random sites that this hacker has hit and they are all running Windows web servers, but only 1 was running Web Wiz Forums.

To prevent this hacker it's just a case of simple security measures and making sure that you do not have write permissions enabled on your site.

To run web wiz forums Access version you need to have write permissions on the directory containing the Access database. This directory should be outside of your web site in a place on the server not accessible through a web browser. For more on this see the documentation that comes with Web Wiz Forums.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: pmormr
Date Posted: 13 July 2005 at 2:27pm
Anyway...

Quote
Hi Paul,

Your email has been forwarded on to me by our datacentre provider. We provide the web hosting for slowdown.co.uk the site uses host header on the IP address 83.245.15.61. The attack did not originate from this IP address. However the hacker did deface a number of sites on the server. We believe he used a brute force password cracker on about 10 websites.

Unfortunately there is not a lot in the logs that is useful. However we shall be adding an IDS system to the server by the end of the week to prevent this from happening again.

Please don't hesitate to contact me with any further questions or problems.

Best Regards

Adam Heavens
Managing Director
Server Centre Limited
Email: adam.heavens@servercentre.net
Tel: 0870 7606745
DDI: 0115 9419191
Mobile: 0773 4218194


Quote
Paul,

Thanks for the heads up, we're investigating.

Regards,

Ed Butler
RapidSwitch Ltd
DDI: 020 7106 0731


-------------
Paul A Morgan

http://www.pmorganphoto.com/


Posted By: nolan
Date Posted: 15 July 2005 at 10:25am
Firstly I would like to thank you guys for looking into this, it's great to get such a response.

Originally posted by pmormr:

he's only hacking Win2k3 machines... he probably wrote a script that takes advantage of unprotected shares or unpatched holes in the OS... but he's only targeting WWFs.


I was thinking maybe it's the opposite way around, by searching for wwf's on the web they would know that a Win2k3 server is likely to be in use, so then they attack it?

Thinking about it that does make sense as I noticed some of the other sites that had been hacked were using some sort of free asp script, so it's an easy way to find these servers.

Anyway thanks again guys!

Lee



Posted By: WebWiz-Bruce
Date Posted: 15 July 2005 at 11:19am
Or even simpler just look for web pages that have a .asp extension as Google shows these under the description of the site in searches.

Defacing sites that are running on servers with 'write' permissions enabled on directories within the site is a very old hacking trick and there are plenty of hacking tools to do this that are readily available.

Most hackers don't even bother with this type of amateurish stuff, but there are still plenty of 13 year old skript kiddies with too much time on their hands who will use these tools to over-write files on un-secured sites.

Expect more of this type of thing with the summer holidays coming up.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: pmormr
Date Posted: 15 July 2005 at 3:17pm
it's incredibly easy to hack unprotected directories if you don't know how to secure your server... it becomes even easier if it isn't behind some type of router or firewall

considering myself a pretty good windows security person... I would lock down your server until you disable all write permissions on everything but the absolutely necessary... and then move your database out of the root directory of your website... that way... he can't get to it without actually hacking your server

-------------
Paul A Morgan

http://www.pmorganphoto.com/


Posted By: ToJaRo
Date Posted: 06 August 2005 at 10:26am
Hello All,
I realize this topic is a few days old but thought I would throw in my 2 cents since I am just now catching up. Windows 2003 SP1 comes with a tool called the Security Configuration Wizard. I highly recommend that anyone running Windows 2003 upgrade to SP1 and run this tool. While you are running this Wizard, it will ask you if you want to remove write privileges on web folders. It will also custom build you a Windows firewall based on the application you have installed. I DO NOT recommend this firewall be your only line of defense between you and the internet, but the more layers between you and the bad guys the better. W2K3 SP1 also improves and hardens IIS 6. So, if you run your own site and have the ability to upgrade to W2K3 SP1 and run the Security Configuration Wizard, do so ASAP**. WWF still works perfectly after you harden your servers. You will, however, need to go back and add write permissions to the 'uploads' once you complete the wizard if you allow Image and Avatar uploads from your site, but only on the 'Uploads' folder.

This will by no means make your server unhackable, but it adds another layer of complexity for anyone trying to mess it up.

**As always, read up on the Security Configuration Wizard before winging the upgrade. MS has tons of articles on this... Google it and make sure you know a little more about it beforehand. Never hurts.

Later,


-------------
ToJaRo
http://www.thesoupbone.com - The SoupBone Community


Posted By: rbird
Date Posted: 06 August 2005 at 11:04am

We've placed the new updates and moved the database and all is fine but no one can post now! Any clues? Registration works fine so the db is writable. http://www.daisymuseum.com/forum



Posted By: ToJaRo
Date Posted: 06 August 2005 at 12:12pm
Your site says version 7.01... did you upgrade to the 7.9 files before applying the 7.92 files?  It looks to me as if all the files have not been updated.  Just a thought, I could be wrong.  Also... make sure you post your errors so we can see them... I took the liberty for you:

Microsoft VBScript runtime error '800a01f4'

Variable is undefined: 'removeLongText'

/forum/post_message.asp, line 298




-------------
ToJaRo
http://www.thesoupbone.com - The SoupBone Community


Posted By: ROLAIDS
Date Posted: 15 August 2005 at 11:50am
I was hacked by this guy yesterday morning. While posting myself, I noticed that the Admin menu was gone and that I no longer had access to the forum. I refreshed the screen and saw him hacking the forum right before my eyes, with his pro-Islamic jargon.
 
I simply moved the database out of the folder, so he no longer had access to it, he would have to find it first, then I took other security measures.
 
Interestingly, I did some googling and found his e-mail address or at least one he uses. I asked him how do I get control of my forum back and he replied:
 

Quote From: eno7 eno7 [mailto:eno7@mail.com]
Sent: Sunday, August 14, 2005 12:02 PM
Subject: RE: HACKED BY ENO7

 

Dont worry i didnt erase any thing only i renamed topics name...

Forum Database is in my Harddisk and i have all passwords

i may send you new password or all database..

But there is a condition for backing your forum...

You wont say any bad words for islam and you wont do any insult about islam...

if you accept this rules i will give you admin password...

i am white hat hacker ENO7



Posted By: JJLatWebWiz
Date Posted: 15 August 2005 at 4:10pm
ROLAIDS, more than likely, the loser has planted a hacker tool like ASP.Ace on your server. Using that hacker tool, you could put your MDB anywhere you want, and as long as you don't change folder and file permissions, that son of a orospu will always be able to get to your data. The anonymous web user (IUSR_<servername>) is a member of the special "Everyone" group in Windows and by default, the Everyone group can do just about anything on the server. The only folder(s) on your site that anonymous users should have write permissions on are (the) "upload" folder(s). All other folders should have read-only permissions. Make sure the upload folder does not give the anonymous account permission to execute, script, or browse.

By the way, people like ENO7 have no honor. They are among the least trustworthy people on earth. If you agree to his terms, he will still hack your site any time he gets the urge. He has already dishonored himself, his family, his culture, his country, his religion, and his god. If he is in fact a Muslim, he has misinterpreted the Quran in such a way that it tells him to lie to disbelievers in order to advance the cause of Allah. Such people can not be trusted at their word, and they will take advantage of you at every turn.


Posted By: Pros
Date Posted: 15 August 2005 at 4:36pm
^ that's really weird because a "turkish" guy has hacked my forum twice today, the thing is my forum is an islamic forum.

He has deleted all our posts and now he has deleted all our members.

I'm only an admin on the forum not the owner of the site so I can't move the directory and I don't know how to disable write permission or even if I can.


Posted By: JJLatWebWiz
Date Posted: 15 August 2005 at 5:09pm
Pros, if you can't protect the files, then you can't protect the forum.
 
Do you have FTP permissions on the site?  If you do, you can at least move the mdb and make regular backups.  But, if the owner won't do anything to secure the site, the forum will continue to be hacked.


Posted By: sfd19
Date Posted: 15 August 2005 at 6:20pm
Pros is using WWF 7.6, which might also have been the reason that he was hacked. It looks like most (or even all?) hacked websites have been using outdated WWF versions.

-------------
Politics, economy & social issues: http://www.studentsfordemocracy.net - StudentsforDemocracy.net


Posted By: Pros
Date Posted: 15 August 2005 at 8:53pm

No, I don't have FTP permissions but I'm trying to get in touch with someone who does.

Thanx for the advice.


Posted By: ROLAIDS
Date Posted: 15 August 2005 at 11:36pm
I have noticed one thing about the various WWForums that have been hacked: it states that the last member was mesta, thus apparently this guy joins the forum to see what happens after he hacks into them.


Posted By: psycotik
Date Posted: 16 August 2005 at 6:44am
If the hacker replaced the index/default pages on your site, he could be using an automated hack.

It gets in using the MDAC exploit.

You can see that this is being used by looking at your server logs, you will see an entry like:

[22:22:22] 111.111.11.111 222.22.22.22 PUT /file.asp Microsoft+Data+Access+Components

I can't remember the exact string off the top of my head but it has a "PUT" instead of the normal "GET" and has m.d.a.c just after it.

If you find this in your logs, do a search for disabling mdac in your registry and restart IIS (that's if you don't need this service).
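
The log check described in the post above, as an added example that is not part of the original post or of Web Wiz Forums: it reads IIS W3C extended log lines, follows the `#Fields:` directive, and reports requests that use a write-type method, noting whether the server accepted them. It goes beyond the post by also flagging the other WebDAV write verbs; the sample log lines, addresses and the `find_write_requests` name are constructed for illustration.

```python
# Added example: flag write-type HTTP requests in IIS W3C extended logs.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2005-08-14 09:01:10 198.51.100.7 GET /forum/default.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-08-14 09:02:31 203.0.113.9 PUT /default.asp 201 Microsoft+Data+Access+Components
2005-08-14 09:02:40 203.0.113.9 PUT /forum/upload.asp 403 Microsoft+Data+Access+Components
2005-08-14 09:03:05 198.51.100.7 POST /forum/post_message.asp 302 Mozilla/4.0+(compatible;+MSIE+6.0)
"""

def find_write_requests(lines):
    """Return one dict per request whose method can create or change files."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # IIS can rewrite this directive mid-file, so re-read it each time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line
        rec = dict(zip(fields, values))
        if rec.get("cs-method", "").upper() not in WRITE_METHODS:
            continue
        status = rec.get("sc-status", "")
        hits.append({
            "when": f"{rec.get('date', '')} {rec.get('time', '')}".strip(),
            "client": rec.get("c-ip", ""),
            "method": rec["cs-method"].upper(),
            "path": rec.get("cs-uri-stem", ""),
            "status": status,
            # A 2xx answer means the server accepted the write.
            "accepted": status.startswith("2"),
            "agent": rec.get("cs(User-Agent)", "").replace("+", " "),
        })
    return hits

if __name__ == "__main__":
    for hit in find_write_requests(SAMPLE_LOG.splitlines()):
        flag = "ACCEPTED" if hit["accepted"] else "refused"
        print(hit["when"], hit["client"], hit["method"], hit["path"], hit["status"], flag)
```

An accepted PUT against a page such as `/default.asp` means the directory was writable over HTTP, which is the permission the replies in this thread say to remove.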


Posted By: jonnyboy
Date Posted: 17 August 2005 at 4:46pm
eno7 has hacked my forum everyday since friday.

All I have been able to do is change all passwords, delete the files he is uploading into the server and on the occasion he deleted every file on the server, just re-upload the files and do regular backups.

If anyone could give details on how to better protect from this, please advise.



Posted By: ToJaRo
Date Posted: 17 August 2005 at 7:53pm
Sounds like you need to make your hosting provider update their servers or move to a provider that keeps their servers up to date and has write access disabled for everyone except you.

-------------
ToJaRo
http://www.thesoupbone.com - The SoupBone Community


