
New Turkish Hacker Trick.

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=16500
Printed Date: 29 March 2026 at 4:24am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: New Turkish Hacker Trick.
Posted By: Michael Mullis
Subject: New Turkish Hacker Trick.
Date Posted: 10 September 2005 at 12:34am
Hello gang.  I know the Turkish Hacker has been making the rounds on the forums, and we've been the latest casualty, but not quite in the way everyone else has been hit.
 
Before the admins throw out the "it's not our forums", hear me out on this one.  We are using the WWF with MS-SQL 2000.  The forum directory itself has not and has never been open to write permissions for IUSR_Guest or any other guest account. 
 
Now since the hacker could not change or take over my main pages, he was able to selectively hijack INDIVIDUAL THREADS.  And on multiple page threads only the page his post was on was affected.
 
For example:
 
http://www.nlgaming.com/forums/forum_posts.asp?TID=237&PN=1
 
That page is fine.  When you go to the next page:
 
http://www.nlgaming.com/forums/forum_posts.asp?TID=237&PN=1&TPN=2
 
 
I also, just in case, looked at the forum directory: the forum_posts.asp script has not been altered and its date is consistent with when I installed the forums.  This is a redirection hack, and I say that because for a split second before the hack page comes up, you can see the WWF header.  And again, threads he didn't touch are fine.  Even though I deleted the user in question, the posts remain under the "guests" post and I can't remove them.  I also can't find them in the SQL database.
 
I am going to first do the 7.92 update and see if that clears it up.  In the meantime if anyone has any thoughts to THIS one, I'd love to hear it.  He couldn't hack the entire forum, so he did his best to take a few pot shots before moving on.  But he's already tried again. 



Replies:
Posted By: WebWiz-Bruce
Date Posted: 10 September 2005 at 4:05am
To prevent this you need to be using the latest version of web wiz forums, 7.92, as it has a couple of security updates to prevent this.

The reason why the hacker was able to do this was because you didn't apply the security update.

A small problem was found that allowed CSS to be placed into a post that would cause a background image to be placed over the top of the page.

The problem with CSS in some browsers is that it doesn't need to be in HTML tags for a browser to run it, which meant that the built in security filters didn't see it as HTML and therefore allowed it through.

The latest version employs measures that prevent this type of inline CSS from running.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting
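Bruce's explanation above (CSS that is not wrapped in an HTML tag slips past a filter that only looks for tags) is the kind of thing a post filter catches by canonicalising the text first and matching CSS constructs second. The Python below is an added example written for this thread, not Web Wiz Forums code; the sample posts are constructed, and the pattern list is an assumption about which CSS constructs matter (it includes the background-image overlay Bruce describes, plus the older script-bearing CSS properties).

```python
import html
import re

# CSS constructs worth refusing in user-supplied post text. The list is an
# assumption for this example; it covers the background-image overlay the
# thread describes plus the classic script-bearing CSS properties.
CSS_PATTERNS = [
    r"expression\s*\(",                    # IE dynamic properties: runs script
    r"url\s*\(",                           # fetches an external image/resource
    r"@import\b",                          # pulls in an external stylesheet
    r"behavior\s*:",                       # IE .htc behaviors: runs script
    r"-moz-binding\s*:",                   # old Gecko XBL bindings: runs script
    r"position\s*:\s*(?:absolute|fixed)",  # lets a post cover the whole page
    r"background(?:-image)?\s*:",          # the overlay trick from the thread
]
CSS_RE = re.compile("|".join(f"(?:{p})" for p in CSS_PATTERNS), re.IGNORECASE)


def canonicalize(text):
    """Put the text into the form the browser will actually interpret before
    matching: decode entities, drop CSS comments, drop control characters."""
    text = html.unescape(text)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", text)
    return text


def find_css(text):
    """Return the CSS fragments found in a post (an empty list means clean)."""
    return [m.group(0) for m in CSS_RE.finditer(canonicalize(text))]


def neutralize_css(text):
    """Return the canonical text with each offending fragment replaced by a
    visible marker; this is what would be stored instead of the raw post."""
    return CSS_RE.sub("[css removed]", canonicalize(text))


# Constructed sample posts for the example, not content from the thread.
SAMPLE_POSTS = {
    "benign": "Great game last night, see you all on the server at 9pm.",
    "overlay": ('Hi all <div style="position:absolute;top:0;left:0;width:100%;height:100%;'
                'background:url(http://attacker.invalid/owned.gif)">owned</div>'),
    "obfuscated": "check this: ba/**/ckground:&#117;rl(http://attacker.invalid/x.gif)",
}

if __name__ == "__main__":
    for label, post in SAMPLE_POSTS.items():
        print(f"{label:10s} hits={find_css(post)}")
```

The order matters: entity decoding and CSS-comment stripping happen before the pattern test, so `ba/**/ckground` and `&#117;rl(` are seen the way the browser will see them. This is a detector for the specific trick the thread describes, not a replacement for escaping all user-supplied markup on output.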


Posted By: Michael Mullis
Date Posted: 10 September 2005 at 2:37pm
I did that right after posting this.  The trick was trying to thread through the SQL database manually to find and remove the offending posts.  Today I learned a lot about the SQL structure of the Web Wiz Forums and where to find things.  :)
 
Now, I did just the patch update which overwrote the post_message.asp and the filter script.  Is that enough or do I need to redownload the entire 7.92 package?
 
And not to worry, I will be paying much closer attention to WWF updates and such from now on.   Oh, and kudos for putting in the IP Address collector.  I already forwarded it on to the proper ISP. 
 
Thanks!


Posted By: gölge
Date Posted: 12 September 2005 at 7:43am
I hate those lamers. They hacked my forum 3 months ago. I uploaded the latest backup and updated to v7.92.


-------------
"A lie travels round the world while Truth is putting on her boots" C.H. Sturgeon
PLEASE VISIT http://www.tallarmeniantale.com AND SEE THE TRUTH.


Posted By: wistex
Date Posted: 17 September 2005 at 4:57pm
Borg, one thing that would help admins in this situation, is to turn on html editing of posts for admins only.  I modified my forum so that as the admin, I could use that feature but no one else can.  It's a lifesaver, especially when people copy and paste stuff into the RTE and accidentally copy a bunch of code they didn't mean to copy.
 
I think I mentioned this in the suggestions thread somewhere, but I thought I'd mention it again since this is a perfect example of why that feature is desperately needed.


-------------
http://www.wistex.com - WisTex Solutions
http://www.caribbeanchoice.com/forums - CaribbeanChoice Forums


Posted By: RAVALON
Date Posted: 24 September 2005 at 10:54am
I'm sorry Borg, but I applied patch v7.92 one month ago, after the last hacker attack on my forum....
 
Today, 24 September, the Turkish hacker hacked my forum again...... with version 7.92
 
Now, if I have the latest version of the forum, what do I have to do?
 


Posted By: JJLatWebWiz
Date Posted: 24 September 2005 at 4:59pm
RAVALON, can you provide a link to let us see what the hack looks like?  I've been browsing your forum and don't see any problems, so it's going to be hard to tell if this latest hack was another CSS attack or something else.
 
 


Posted By: RAVALON
Date Posted: 24 September 2005 at 7:06pm
I have already fixed my site.....
 
The Turkish hacker changed the name of my forum, the admin user's name and password, and changed the path of the image positioned at the top left of the forum...
 
If necessary I could ask my users whether someone saved a screenshot.


Posted By: WebWiz-Bruce
Date Posted: 25 September 2005 at 7:06am
Some hackers are using new tricks on patched boards.

If you leave write permissions enabled on your site they are using this to upload their own files to the server which they then run to hack your forum.

To prevent this you need to make sure that you do not have write permissions enabled within your web site.

Also you need to make sure that if you are using the Access version that you place the database outside of your web site in a folder on the web server that is not accessible via a web browser, otherwise the hacker can get in that way.

Also make sure your passwords are hard to guess.




Posted By: RAVALON
Date Posted: 25 September 2005 at 8:10am
I'll ask the server support.....


Posted By: ramsey
Date Posted: 25 September 2005 at 12:45pm
Originally posted by RAVALON:

I'll ask the server support.....
hi guys
 
Another trick used by Turkish hackers is to change passwords. If they know a user's e-mail or the admin e-mail, they click the forgot password button and have your forum send a new password to the user's e-mail.
 
When the user tries to log in, he/she cannot log in because their new password is sitting in their mailbox. They did the same thing with the admin account. Then users start to send e-mails that they cannot log in. I had to turn off e-mail to prevent that for the time being.
 
Here is the question.
 
Is there a way to add a security question before the password is mailed to the user?
 
My admin password is being changed 5 times a day
 
thanks
ramsey


Posted By: RAVALON
Date Posted: 25 September 2005 at 1:40pm

Today my site was hacked totally.... if you try to go to http://www.pcprimipassi.it you will see the web site is hacked and not accessible....

In my FTP I can see many uploaded files which redirect navigation..... all the sites on the server were hacked, about 416 sites...
 
The system admins are studying this case of hacking.....
 
Is it possible to obtain FTP access through some forum bug?????


Posted By: sfd19
Date Posted: 25 September 2005 at 3:09pm
Quick fix:
 
Add

If strUsername = "admin_name" Then
    'Never mail a new password for the admin account: release the
    'database objects and send the request back to the front page
    Set rsCommon = Nothing
    adoCon.Close
    Set adoCon = Nothing
    Response.Redirect "default.asp"
End If

right after this line:

'Read in the users details from the form
strUsername = Trim(Mid(Request.Form("name"), 1, 15))
 
in forgotten_password.asp
 
'admin_name' is of course the name of your admin account.


-------------
Politics, economy & social issues: http://www.studentsfordemocracy.net - StudentsforDemocracy.net
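ramsey's question (a check before a new password is mailed) and sfd19's quick fix (never reset the admin by mail) are both about the same weakness: the forgotten-password form changes the password on request, so whoever knows an e-mail address can lock its owner out. The Python below is an added example for this thread, not Web Wiz Forums code, and it goes further than the quick fix: instead of a security question it mails a single-use token and changes the password only when that token comes back, keeps the admin account out of the flow, throttles repeated requests, and answers every request the same way so the form cannot be used to enumerate accounts. The user table, the reply text, the 30-minute lifetime and the 3-per-hour throttle are all assumptions made for the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

# Constructed user table for the example (not the forum's real schema).
USERS = {
    "alice": {"email": "alice@example.invalid", "is_admin": False, "password": "old-pw"},
    "admin_name": {"email": "admin@example.invalid", "is_admin": True, "password": "admin-pw"},
}
RESET_TTL = timedelta(minutes=30)   # assumed lifetime of a mailed link
MAX_REQUESTS_PER_HOUR = 3           # assumed throttle per account


def _digest(token):
    # Store only a hash of the token, so a copy of the pending table is useless.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, users):
        self.users = users
        self.pending = {}    # token digest -> (username, expires_at)
        self.requests = {}   # username -> timestamps of recent requests
        self.outbox = []     # (email, token) pairs that would have been mailed

    def request_reset(self, username, now):
        """Step one: mail a single-use link. The password is NOT changed here,
        so someone who merely knows an address cannot lock its owner out."""
        reply = "If that account exists, a reset link has been e-mailed."
        user = self.users.get(username)
        if user is None or user["is_admin"]:
            return reply   # sfd19's rule: the admin account is never reset by mail
        recent = [t for t in self.requests.get(username, []) if now - t < timedelta(hours=1)]
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            return reply   # repeated requests are throttled, with the same reply
        recent.append(now)
        self.requests[username] = recent
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (username, now + RESET_TTL)
        self.outbox.append((user["email"], token))
        return reply

    def confirm_reset(self, token, new_password, now):
        """Step two: only the holder of the mailed token can change the
        password, once, and only before the link expires."""
        entry = self.pending.pop(_digest(token), None)   # single use: removed either way
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        self.users[username]["password"] = new_password
        return True


def run_scenario():
    """Walk the flow with the thread's two abuse cases and return the outcomes."""
    svc = PasswordResetService({k: dict(v) for k, v in USERS.items()})
    t0 = datetime(2005, 9, 25, 12, 0)
    out = {}
    reply_admin = svc.request_reset("admin_name", t0)
    out["admin_mails_sent"] = len(svc.outbox)
    out["same_reply_for_unknown"] = svc.request_reset("nobody", t0) == reply_admin
    for minute in range(5):                      # five requests in five minutes
        svc.request_reset("alice", t0 + timedelta(minutes=minute))
    out["alice_mails_sent"] = len(svc.outbox)
    out["password_before_confirm"] = svc.users["alice"]["password"]
    _, token = svc.outbox[0]
    out["bogus_token_accepted"] = svc.confirm_reset("bogus", "x", t0)
    out["good_token_accepted"] = svc.confirm_reset(token, "new-pw", t0 + timedelta(minutes=5))
    out["password_after_confirm"] = svc.users["alice"]["password"]
    out["token_reusable"] = svc.confirm_reset(token, "again", t0 + timedelta(minutes=6))
    _, stale = svc.outbox[1]
    out["expired_token_accepted"] = svc.confirm_reset(stale, "late", t0 + timedelta(hours=2))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point is that the mailed message carries a capability, not a password: until the link is used nothing about the account changes, so the "new password sitting in the mailbox" lock-out ramsey describes cannot happen, and a flood of requests only produces a few harmless e-mails.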


Posted By: WebWiz-Bruce
Date Posted: 26 September 2005 at 5:23am
Originally posted by RAVALON:

Today my site was hacked totally.... if you try to go to http://www.pcprimipassi.it you will see the web site is hacked and not accessible....

In my FTP I can see many uploaded files which redirect navigation..... all the sites on the server were hacked, about 416 sites...
 
The system admins are studying this case of hacking.....
 
Is it possible to obtain FTP access through some forum bug?????


It is not possible to get FTP access through Web Wiz Forums as they are two completely independent systems. The forum software is very secure and it is not possible to hack the server through it.

Hacking of this kind will be because your server has not been secured and you have write permissions on folders within your site.

This is how sites and forums are generally hacked: by not securing the server (nothing to do with Web Wiz Forums software) and leaving write permissions enabled on folders within your site, which allows a hacker to upload files to the server through HTTP without the need for FTP access. They then use this to upload their own files to the server.




Posted By: RAVALON
Date Posted: 26 September 2005 at 9:12am

OK... I understand..... the server admin said there is no problem with the permissions on the directory..... he said we have permission 644.... or similar..... people can only read....

We are trying to understand something about...



Posted By: WebWiz-Bruce
Date Posted: 26 September 2005 at 9:38am
It sounds like your server admin doesn't know what he/she is on about.

The permission 644 would be if you are using a Unix server, and as Web Wiz Forums only runs on Windows, a 644 permission cannot be set.

With a windows web server you need to set the permissions on the server. The server admin needs to make sure that the IUSR account only has read permissions on those directories that can be reached through a web browser.




Posted By: RAVALON
Date Posted: 26 September 2005 at 9:42am

Oh..... I know we have Windows 2003.... but when I log in by FTP I can see a UNIX string written.... but if I did not have Windows, ASP wouldn't run... and ASP runs perfectly



Posted By: JJLatWebWiz
Date Posted: 26 September 2005 at 12:08pm
Originally posted by RAVALON:

Today my site was hacked totally.... if you try to go to http://www.pcprimipassi.it you will see the web site is hacked and not accessible....

In my FTP I can see many uploaded files which redirect navigation..... all the sites on the server were hacked, about 416 sites...
 
The system admins are studying this case of hacking.....
 
Is it possible to obtain FTP access through some forum bug?????
 
There is a Turkish hacking tool that appeared on one of my hosted sites a few months ago.  I now use the hacker tool to test the security of all the hosts I use.  I have found that on 100% (all, every, without exception) of the hosts, the anonymous IUSR_ account has write permissions on all attached drive partitions.  In some individual web site folders (like my own), the administrator of that site has restricted the IUSR account to read-only permission.  But, I was able to plant a test file and delete that file in the C:, C:\WINNT\ or C:\WINDOWS\, SYSTEM32, etc. etc.   I had access to every single other domain on the same physical machine as my own, simply by having that hacker utility in any readable folder on my site.  So, any of the 416 sites could have anonymous FTP enabled to upload the file to a Web accessible folder, or any other site could have some other upload function.  Once the hacker utility is on the machine ANYWHERE, all sites are at the mercy of the hacker.  Hosts I've verified vulnerable and notified are: iPowerWeb, Nevidia, and VitalStream.  Hosting companies assume their systems are secure because they assume the anonymous account has no means of browsing parent folders.  They're wrong.
 
The Access version of WWF is more vulnerable to this kind of attack because the folder in which the Access MDB is placed requires the anonymous account to have create and write permission on the folder itself.  Once the anonymous user has some means of uploading to that folder, they can do anything they want to the forum.  Even if you password protect the MDB, the plain text username and password are going to be stored in your ASP.
 
Frequent backups of the MDB are critical.  Make sure the anonymous IUSR account can write only to the folder holding the MDB (which should have ONLY the MDB) and the forum Uploads folder.  All other folders should allow ONLY read permission to the IUSR account.  The hacker utility doesn't allow the hacker to elevate their identity beyond the anonymous IUSR account, so your main WWF ASP files will be safe WHEN the hacker does it again.


Posted By: RAVALON
Date Posted: 26 September 2005 at 2:02pm
Ohhh.... and... how can I test whether this is the same problem on my server? How can I try whether I could access it anonymously?
 
I tried to connect anonymously via FTP but I was refused.... in this case do you think the IUSR account has write permission?


Posted By: JJLatWebWiz
Date Posted: 26 September 2005 at 2:49pm
Originally posted by RAVALON:

Ohhh.... and... how can I test whether this is the same problem on my server? How can I try whether I could access it anonymously?
 
I tried to connect anonymously via FTP but I was refused.... in this case do you think the IUSR account has write permission?
 
Look for some strange .asp files that you don't recognize as your own.  It's possible that the hacker dropped the hacking utility on your site so that he would have it available to use in case the other admins found it and removed it. 
 
Anonymous FTP has nothing to do with the anonymous IUSR account.  Your host should have some kind of control panel that will let you set permissions on the individual folders for your site.  I suggest you set all folders recursively to "Read-Only" for the IUSR account and then find the forum/Uploads folder and the folder with the Access MDB and set it to "Modify" or "Write".  I suggest you re-check the permissions regularly because the hosting company may reset them by mistake.


Posted By: RAVALON
Date Posted: 26 September 2005 at 5:01pm
OK..... but can I change this permission from my PC? Or do I have to ask the server support?? You say the best way is to check permissions.... how can I do this? Could you explain? Or write an example?


Posted By: JJLatWebWiz
Date Posted: 26 September 2005 at 6:56pm
It's practically impossible to do from your PC.  File and folder permissions don't survive FTP transfers and the FTP service your host runs probably won't allow you to modify permissions.  The only way is through your host's administration control panel or by special request.
 
There is usually a web page that isn't directly associated with your domain, something like "http://ws16.myhostdomain.com:8000" or "http://cp.myhostdomain.com".  They might use vDeck, ensim, plesk, hsphere, cpanel, or their own ASP.NET control panel.  Look for Folder Management or Permission Management.
 
However, I looked at your host's home page and found this frightening statement under their list of features, "PERMISSIONS      READ,WRITE in all folders (777 default)".  You should ask your host if you can set the permissions on individual folders, because you never want the NT equivalent of "777".  If your host won't let you change permissions, consider changing hosts, because they are the hacker's best friend, NOT yours.


Posted By: ramsey
Date Posted: 26 September 2005 at 10:00pm
Originally posted by sfd19:

Quick fix:
 
Add

If strUsername = "admin_name" Then
    Set rsCommon = Nothing
    adoCon.Close
    Set adoCon = Nothing
    Response.Redirect "default.asp"
End If

right after this line:

'Read in the users details from the form
strUsername = Trim(Mid(Request.Form("name"), 1, 15))
 
in forgotten_password.asp
 
'admin_name' is of course the name of your admin account.
 
Thank you, it worked. And thanks for the quick reply.
 
They tried to hack my forum loading files to uploads folder for avatars.
You can solve it by blocking .exe execution from that uploads folder.
 
ramsey


Posted By: RAVALON
Date Posted: 27 September 2005 at 8:36am
OK JJLatWebWiz....
 
I ask you for one last bit of help if you could....
 
Tell me how I can demonstrate that my folder has 777 permission, so I can ask my provider to change it, with some tests....
 
How did you find out what you are describing?


Posted By: JJLatWebWiz
Date Posted: 27 September 2005 at 11:59am
Originally posted by RAVALON:

Tell me how I can demonstrate that my folder has 777 permission, so I can ask my provider to change it, with some tests....
 
The best way is to use the upload function built into WWF.  The upload components, like Persits ASPUpload, are designed to store files anywhere.  The easiest test would be to go into the WWF admin page and change the Upload Folder Path.
 
WWF is intentionally limited to child folders of the forum, but to demonstrate the anonymous user ability, change the images upload folder path from "uploads/images" to "" (blank).  Now, upload a small image and use FTP or simply your browser to confirm the upload succeeded.  Now change the image upload folder path to "admin" and upload another image.  Confirm the upload succeeded.
 
If the uploads succeeded, it demonstrates the anonymous web user account has permission to upload any file to those folders.  Even if you've logged into WWF as administrator, you're still an anonymous web user to the operating system.  Just because WWF prevents dangerous file uploads through the forum doesn't mean the upload components can't just as easily be used to upload any file to any location the anonymous user is permitted by the operating system.  Anyone else on the same server as you can upload to your folders too.
 
I suggest you do NOT perform tests on any folder outside of your account.  Any attempt to touch files and folders outside your account folder is probably a violation of your host's acceptable usage policy and could get your account terminated.
 
Finally, I'm not going to show anyone how to build an ASP page or modify WWF to allow uploads of any file to any location.  The fact that you can upload a file to any WWF folder is proof enough of the insecurity of ALL hosted, Windows-based, ASP applications.


Posted By: JJLatWebWiz
Date Posted: 27 September 2005 at 12:06pm
Originally posted by ramsey:

They tried to hack my forum loading files to uploads folder for avatars.
You can solve it by blocking .exe execution from that uploads folder.
 
Isn't your avatars folder limited to "jpg;jpeg;gif;png" in the WWF Admin?  How did they upload an .exe?
 
The hackers would have to use multiple other exploits to actually get an exe to run on the server.  Maybe they could use it to attack end-users by somehow getting them to download and run that exe on their workstation.


Posted By: RAVALON
Date Posted: 27 September 2005 at 3:09pm
Yesterday I found in my space a file without an extension.... which could not be deleted..... could it be a backdoor?


Posted By: JJLatWebWiz
Date Posted: 27 September 2005 at 3:59pm
Originally posted by RAVALON:

Yesterday I found in my space a file without an extension.... which could not be deleted..... could it be a backdoor?
 
It could be part of a backdoor, but not by itself.  It's possible that it is actually a mistake by the hacker utility.  The hacker tool that I have always attempts to plant a tiny text file then immediately delete that file for every folder that the user navigates to.  Your mysterious file could be the result of such a test by the hacker.  It's typically less than 20 bytes.  If it is such a test file, it could mean that an anonymous user can write but can not delete (which is not much protection).
 


Posted By: RAVALON
Date Posted: 28 September 2005 at 2:32pm
Today my provider started a legal action (denunciation) demanding damages from me for the hacker attack!!!! Do you think this is legal? What could my fault be???
 
He thinks it is my fault that the whole server was hacked because the Turkish hacker got in through a bug in my website....
 
Any suggestions?


Posted By: RAVALON
Date Posted: 28 September 2005 at 4:42pm
A clarification.... we discovered some files in every directory of the hacked sites (mine for example)....
 
The files uploaded were:
 
default.htm
default.html
default.php
default.cfm
cwtest.log
index.htm
index.html
index.php
index.cfm
 
So.... I hope that could help someone...
Is this upload action possible using some HTTP trick?
 
Do you think it is my fault?


Posted By: JJLatWebWiz
Date Posted: 28 September 2005 at 4:59pm
Originally posted by RAVALON:

Today my provider started a legal action (denunciation) demanding damages from me for the hacker attack!!!! Do you think this is legal? What could my fault be???
 
He thinks it is my fault that the whole server was hacked because the Turkish hacker got in through a bug in my website....
 
Any suggestions?
 
Your host runs a very insecure web server.  Any of the other sites on the server could have allowed the hacker to compromise the entire server.  The only reasonable method a hacker could have used WWF to hack the server would have been to gain access to WWF as the forum admin.  As WWF admin, the hacker could remove the file type restrictions to permit the upload of dangerous files like .asp.  I know you said your forum had been broken into prior to version 7.92.  Can you confirm that the file type restrictions are still set to allow only image files and .zip and .rar files?  And that the upload directories are the default upload directories?
 
If the upload restrictions allow .asp files, then the point of origin could be your forum.  HOWEVER, it was the host's POOR security configuration that allowed the rest of the server to be compromised.  If not for the host's negligence, your site would have been the only one hacked (assuming your WWF forum was the point of origin).
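JJLatWebWiz's point above is that the forum's file type restrictions are the control that decides whether the uploads folder can become the point of origin. The Python below is an added example for this thread, not Web Wiz Forums code, showing what a strict upload check looks like on the server side. It goes further than an extension list: the name must be a single plain `name.ext` (so `cmd.asp.gif` and `../admin/x.zip` are refused), the first bytes must match the declared type (so a script renamed to `.gif` is refused), and an image that carries ASP delimiters is refused as well. The allow-lists, magic bytes and sample files are constructed assumptions for the example.

```python
import re

# Constructed policy that mirrors the settings discussed in the thread
# (archives for attachments, images for avatars). The values are an
# assumption for this example, not Web Wiz Forums' own configuration.
ALLOWED = {
    "attachments": {"zip", "rar"},
    "avatars": {"jpg", "jpeg", "gif", "png"},
}

# Leading bytes each type must start with, so that a script renamed to .gif
# is rejected on content, not just on name.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "zip": (b"PK\x03\x04",),
    "rar": (b"Rar!\x1a\x07",),
}

# One plain name, one extension: no path separators, no "cmd.asp.gif",
# no "cmd.asp;.gif", no spaces or oddities for the server to reinterpret.
NAME_RE = re.compile(r"^[a-z0-9_-]{1,64}\.([a-z0-9]{1,5})$")


def check_upload(kind, filename, data):
    """Return (accepted, reason) for a file offered to the given upload area."""
    match = NAME_RE.match(filename.lower())
    if not match:
        return False, "file name must be a plain name.ext"
    ext = match.group(1)
    if ext not in ALLOWED[kind]:
        return False, f".{ext} is not allowed for {kind}"
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, f"content does not start like a .{ext} file"
    # A valid image header followed by server-side script is the polyglot
    # case; a forum has no reason to store ASP delimiters inside an image.
    if kind == "avatars" and b"<%" in data:
        return False, "image carries ASP script delimiters"
    return True, "ok"


def demo():
    """Run the checker over constructed samples; returns {label: accepted}."""
    samples = {
        "clean avatar": ("avatars", "alice.gif", b"GIF89a\x01\x00\x01\x00"),
        "clean archive": ("attachments", "mod_pack.zip", b"PK\x03\x04\x14\x00"),
        "script by extension": ("avatars", "cmd.asp", b"<% ' server-side script %>"),
        "double extension": ("avatars", "cmd.asp.gif", b"GIF89a\x01\x00"),
        "renamed script": ("avatars", "cmd.gif", b"<% ' server-side script %>"),
        "polyglot image": ("avatars", "logo.gif", b"GIF89a<% ' server-side script %>"),
        "path traversal": ("attachments", "../admin/x.zip", b"PK\x03\x04"),
        "image in archive area": ("attachments", "photo.jpg", b"\xff\xd8\xff\xe0"),
    }
    return {label: check_upload(*args)[0] for label, args in samples.items()}


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{'accept' if accepted else 'reject'}  {label}")
```

Even with this check in place the thread's other advice still applies: the uploads folder is the one place the anonymous user can write, so it should be the only place, and the server should not execute scripts from it.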


Posted By: ramsey
Date Posted: 29 September 2005 at 7:22am
Originally posted by JJLatWebWiz:

Originally posted by ramsey:

They tried to hack my forum loading files to uploads folder for avatars.
You can solve it by blocking .exe execution from that uploads folder.
 
Isn't your avatars folder limited to "jpg;jpeg;gif;png" in the WWF Admin?  How did they upload an .exe?
 
The hackers would have to use multiple other exploits to actually get an exe to run on the server.  Maybe they could use it to attack end-users by somehow getting them to download and run that exe on their workstation.
 
I am still trying to figure out how they did that. There was a new folder, not related to any user, with a compressed .exe file.
 
 


Posted By: RAVALON
Date Posted: 29 September 2005 at 9:37am

Good afternoon....

I confirm my DB is on the default path, so in FORUM/ADMIN/DATABASE

For the permissions... I confirm that on my server write/read permissions were set for all directories.. the provider says it is not important.... but I think that is how the hacker got in...
 
I confirm the upload settings allow only ZIP, RAR, ACE archives... and for avatars only JPG, JPEG, GIF, PNG

But... if the hacker got in through my forum.... (I specify.... during the last attack I had version 7.92) .. could I be responsible for the hacking of the entire server??

I don't know how to demonstrate the poor security of the server if necessary in the future....



Posted By: jeffdaro
Date Posted: 29 September 2005 at 9:53am
Originally posted by -boRg-:

If you leave write permissions enabled on your site they are using this to upload their own files to the server which they then run to hack your forum.

To prevent this you need to make sure that you do not have write permissions enabled within your web site.


Can you please clarify this? I have a heavily modded version of the forums in place, so upgrading is not possible for me. I need to make security fixes manually, and am having trouble doing so because they don't seem to be posted anywhere.

What do you mean by write permissions on the web site? I mean the upload folder must have write permissions, correct? I am scared by your use of "web site". The whole domain?


Posted By: WebWiz-Bruce
Date Posted: 29 September 2005 at 10:50am
If you look in the version history file it tells you what files have been changed.

Often, to make life simpler for themselves, web hosts set permissions for your site to read and write. The problem with this is that if folder permissions allow you to write to the folder, then a hacker can write his/her own files to the server to use to hack it.

As far as RAVALON is concerned, how his forum and server are set up is a prime example of what NOT to do!!

Below are some tips for a secure forum:-
  • If you use the Access version then the Access database needs to be placed in a secure folder outside of your web site. The following explains how: http://www.webwiz.net/web_wiz_forums/docs_access_move_db.asp
  • Ensure that you are running the latest version of Web Wiz Forums
  • Allowing users to upload their own files and images is dangerous, so only enable these features if you have to (these are disabled by default, and when you enable them you are warned that it will be a security risk)

The following are general server security measures for all sites:-
  • Don't allow write or execute permissions for the IUSR account
  • Make sure the IUSR account only has read permissions
  • Make sure all passwords, inc. FTP, use letters and numbers




Posted By: RAVALON
Date Posted: 29 September 2005 at 10:54am
Borg... what do you think about my last post? Do you think I'm responsible?


Posted By: JJLatWebWiz
Date Posted: 29 September 2005 at 11:11am
Originally posted by ramsey:

Originally posted by JJLatWebWiz:

Originally posted by ramsey:

They tried to hack my forum loading files to uploads folder for avatars.
You can solve it by blocking .exe execution from that uploads folder.
 
Isn't your avatars folder limited to "jpg;jpeg;gif;png" in the WWF Admin?  How did they upload an .exe?
 
The hackers would have to use multiple other exploits to actually get an exe to run on the server.  Maybe they could use it to attack end-users by somehow getting them to download and run that exe on their workstation.
 
I am still trying to figure out how they did that. There was a new folder which was not related to any user with  compressed .exe file.
 
 
 
In the WWF admin section, confirm that the file type restrictions are still set to allow the safe file types.  Is the security of the rest of the forum folders set to "read-only" by the server?  To allow the WWF file upload functions to work, if the rest of your site is locked down, the anonymous user must still have write and create access on the uploads folder and all children.  With such security, if a hacker accessed the server through one of the other hosted sites, he would be able to upload any file, but only to the forum/uploads subtree.
 
What is the complete path of the new folder?
 
I was just thinking that this is a pretty universal problem.  First, in order to allow file uploads at all, the upload folder must allow anonymous file creation and writing privileges.  Second, in order to use the newly uploaded file in a web page (like a forum post), anonymous users must be able to read that folder too.  That means that no matter what we do as forum admins, a hosted site is as vulnerable as the least secure web site on that same machine.  If someone plants a virus/trojan exe in our uploads folder, they can then send emails to 16 million of their closest friends that tricks them into running that exe.  Of course, we would get the blame for that.
 
So how can we block write permission for the entire site, including the uploads folders and still allow users to upload files and include them in their post?
 
For SQL versions, the uploads could be sent to the database as a blob, but that's going to have serious speed consequences.  One way might be a quarantine process where uploads are stored in a folder that can not be read from the web, then an admin or moderator must manually approve and move it to the uploads folder.
 
I'll tell you one thing, knowing what I've learned about the total lack of security of Windows hosts from my experience and those of others on this forum, I will be checking my entire folder structure for changes on a very regular and frequent basis.  I think I'll also work on an ASP that will catalog the entire site every hour or so and alert me to every change.
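JJLatWebWiz's plan above (catalogue the whole site on a schedule and alert on every change) is a file-integrity baseline. The Python below is an added example for this thread, not his ASP and not Web Wiz Forums code: it hashes every file under a root, diffs two snapshots, and raises an alert for anything added or modified that is a script or executable type, or that lies outside the folders the web user is supposed to be able to write to. The writable prefix `forum/uploads/`, the suspicious-extension list, and the mini-site built in the demo are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

# File types that should never appear in a folder the web user can write to.
# The list is an assumption for this example.
SUSPICIOUS_RE = re.compile(r"\.(asp|aspx|asa|cer|cdx|htr|exe|dll|com|bat|cmd)$", re.IGNORECASE)


def snapshot(root):
    """Map each file under root (relative path, forward slashes) to (sha256, size)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = (digest.hexdigest(), os.path.getsize(full))
    return result


def diff_snapshots(old, new, writable_prefixes=("forum/uploads/",)):
    """Compare two snapshots. 'alerts' lists added or changed files that are
    either script/executable types or lie outside the folders that are
    supposed to be writable, which is where a planted file shows up first."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    alerts = sorted(
        p for p in added + modified
        if SUSPICIOUS_RE.search(p) or not p.startswith(writable_prefixes)
    )
    return {"added": added, "removed": removed, "modified": modified, "alerts": alerts}


def demo():
    """Build a constructed mini-site in a temp dir, baseline it, then apply
    the kinds of changes described in the thread and return the report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        write("forum/default.asp", b"<% ' original forum front page %>")
        write("forum/admin/admin_settings.asp", b"<% ' settings page %>")
        write("forum/uploads/avatars/alice.gif", b"GIF89a\x01\x00")
        baseline = snapshot(root)

        write("forum/uploads/avatars/bob.gif", b"GIF89a\x02\x00")          # normal upload
        write("forum/uploads/avatars/cmd.asp", b"<% ' dropped script %>")  # planted script
        write("forum/default.asp", b"<% ' defaced %>")                     # altered page
        write("default.htm", b"<html>defaced</html>")                      # outside uploads
        os.remove(os.path.join(root, "forum/uploads/avatars/alice.gif"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

In use, `snapshot()` would be run once on a known-good site and the result stored somewhere the web user cannot write (otherwise the baseline can be rewritten along with the site), then re-run on a schedule and diffed. The normal avatar upload in the demo is reported as added but not alerted, which keeps the hourly report readable on a forum that allows uploads.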


Posted By: RAVALON
Date Posted: 29 September 2005 at 12:01pm

Specifically.... do you think a hacker could navigate into all the directories if security is OK? Or if he hacked all the directories, is it a problem of permissions and poor security settings?



Posted By: WebWiz-Bruce
Date Posted: 29 September 2005 at 12:46pm
RAVALON, what you need to do to secure your site is to disable any uploading of files or images by users.

Then move all Access databases to a secure folder outside of your web site root that has read and write permissions.

Then make sure your host locks down all directories within your site so they do not have write permissions.

If you don't do these things then you leave an open door to any hacker that comes along.




Posted By: RAVALON
Date Posted: 29 September 2005 at 4:31pm
I could surely put the Access DB in a secure directory... but as someone explained, closing write permissions would mean no uploads.... for avatars for example..... and this forum supports avatars natively.... or personalised images (as in my modified forum).. I think it is bad to deny this possibility.... don't you think?
 
 


Posted By: WebWiz-Bruce
Date Posted: 30 September 2005 at 10:00am
There are built in features for users to upload their own avatars and images, but these are disabled by default and you are warned that if you enable them it is a security problem.

It's like with many things in computing, you have to decide if you want functionality or security.

The best solution is to disable users uploading their own images and if they want to use their own avatars they can link to one of their own web space, this would be the more secure way of doing it.




Posted By: RAVALON
Date Posted: 30 September 2005 at 5:04pm
OK... I understand... I feel bad for having to decide to deny avatar uploads... but if it is necessary...


Posted By: Ali Bilgrami
Date Posted: 03 October 2005 at 7:23am
Hi,
I changed the path for image uploads to
http://www.mywebsite.com/somefolder/upload
 
and tried to upload an image, and this is what I got:
 
 

Microsoft VBScript runtime error '800a004c'

Path not found

/forum2/functions/functions_upload.asp, line 80

I changed it to http://www.mywebsite.com/somefolder/upload
and it says line 77 and invalid character.
 
So does it mean that my service provider has that security of no write permissions for the IUSR_ account???


Posted By: WebWiz-Bruce
Date Posted: 03 October 2005 at 7:35am
The path must be a relative server path; URLs will not work.

-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: Ali Bilgrami
Date Posted: 04 October 2005 at 4:38am
I've asked my server guys and they have told me that they do not use this IUSR scheme... so in this context my site and server are safe :) Also I've upgraded to 7.92 :)


Posted By: WebWiz-Bruce
Date Posted: 04 October 2005 at 6:03am
If they don't use the IUSR scheme then they use some other matching scheme, otherwise people would be unable to view your site.

Whatever scheme they use, you need to be sure that they don't allow write permissions on those files and directories viewable through a web browser.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: JJLatWebWiz
Date Posted: 04 October 2005 at 10:59am
And you should never assume your site is safe.  The best secured sites in the world can be hacked given enough effort.  It's very difficult to evaluate the relative security of a site that is one among hundreds hosted on the same machine.
 
If your host recognizes the difference between a server-wide IUSR account and user accounts unique to each virtual domain, then you're probably safer than most of us.  But, did the host leave the default "Full Control" rights for the "Everyone" group in the C:\Windows\System32 folder?  If so, any user able to view your site can do anything they want to that critical system folder.  The list of exploitable mistakes is endless.
 
The most that can be said about a host that uses virtual domain hosting best security practices is that WHEN one of the sites on the machine gets hacked, only that site can be hacked and the hacker cannot then use that site to hack the machine or other sites on the machine.


-------------
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.


Posted By: RAVALON
Date Posted: 04 October 2005 at 1:51pm
Where is the WebWiz site hosted? Does your host also take .IT domains?


Posted By: Ali Bilgrami
Date Posted: 04 October 2005 at 2:53pm
-borg- & JJLatWebWiz, this is what my server guys sent me:
 
By default IUSER account is disabled across the server. Only your usage has READ/WRITE permissions on your folders. For web access, you are limited to READ access as well unless you specify a few folders specifically for Write access.

If your account has a script that can be used to hack your site, it will be limited to your account, not to the whole server.

So as long as you keep all of your software up to date, there is nothing to worry about.

Now what do you think?? Although I asked them about the Everyone group permissions again; let's see when they reply to that. I'll let you know when they do :)




Posted By: JJLatWebWiz
Date Posted: 07 October 2005 at 3:37pm
Ali Bilgrami -
 
It sounds like your host has a healthy understanding and respect for security, which is more than half the battle.  Even if they have left the Everyone account as default, your site contents should be safe from a hacker attacking from a different domain on the same server.  If the Everyone account still has full control on the system32 folder, a hacker could crash the operating system, but your site should still be safe even though it would be offline.  Once your host recovers the OS, your site will be intact.  That's because it's currently impractical for a hacker to escalate their rights, assuming the host has hardened the other attack vectors like Microsoft's FTP service, disabled unnecessary services, and installed the bundles of OS service packs and hotfixes.
 
If you haven't made any read/write permission changes to your account folders, you can test a little of your host's claims by changing the uploads folder in the WWF Admin control panel to blank, then to each of the forum sub-folders, and seeing if you can upload test files through WWF.  Any folder that you can upload to explicitly allows the anonymous user of at least your domain to upload anything.  That should only be true of the uploads folder(s) and the folder that holds the Access MDB.
 
 


-------------
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.
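A defender's version of the permission check discussed in this thread (Bruce's "no write permissions on anything viewable through a browser" and JJL's upload-folder test), as an added example that is not from the thread or from Web Wiz: it walks a web root's NTFS ACLs and reports every directory where IUSR_*, Everyone or similar web identities hold write rights, flagging any folder that is not on the list of folders meant to be writable. The web root path and the list of expected-writable folders are assumptions to adjust for your own host.

```powershell
# Added example (not from the thread). Audit NTFS ACLs under a web root and list
# every directory that a browser-facing identity can write to.
# $WebRoot and $AllowedWritable are assumed values; change them for your site.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string[]]$AllowedWritable = @('uploads', 'database')   # folders that are meant to be writable
)

# Identities a web request may run as: the thread's IUSR_<machine> account (name varies,
# hence the wildcard), the Everyone group, and the usual IIS/local user groups.
$Identities = @('IUSR*', 'Everyone', 'IIS_IUSRS', 'Users', 'Authenticated Users')

# Any of these rights lets the identity create or change files in the directory.
$WriteBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

# The root itself plus every sub-directory, so inherited ACEs are seen where they land.
$dirs = @(Get-Item -Path $WebRoot) + @(Get-ChildItem -Path $WebRoot -Directory -Recurse)

foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Compare on the account name only; strip a DOMAIN\ or MACHINE\ prefix.
        $name = $ace.IdentityReference.Value -replace '^.*\\', ''
        $hit  = $Identities | Where-Object { $name -like $_ }
        if (-not $hit) { continue }

        # Skip read-only ACEs; only write-capable grants matter here.
        if (($ace.FileSystemRights -band $WriteBits) -eq 0) { continue }

        $status = if ($AllowedWritable -contains $dir.Name) {
            'expected (upload/db folder)'
        } else {
            'UNEXPECTED - remove write access'
        }
        [pscustomobject]@{
            Directory = $dir.FullName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Status    = $status
        }
    }
}
```

Run it as a user that can read the ACLs of the web root; every line marked UNEXPECTED is a directory the thread's advice says should be read-only to the web.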




Forum Software by Web Wiz Forums® version 12.08 - https://www.webwizforums.com
Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net