Print Page | Close Window

Turkish Hackers

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=17638
Printed Date: 30 March 2026 at 6:12pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Turkish Hackers
Posted By: AlanP
Subject: Turkish Hackers
Date Posted: 24 December 2005 at 10:42pm
I am completely flummoxed. I run a small web site for a client in England, and we put up a Web Wiz forum. It isn't very highly used, but a couple of people talk about things.
 
It got hacked last summer and I upgraded it to a new version of web wiz that was supposed to have fixed a security glitch. All was going well until we got hacked again this week.
 
To make a long story short, I tried a bunch of things that didn't work. When going to the forum, it immediately redirects to the forum_closed.asp file and I get the Turkish Hacker screen with the forums closed for maintenance mesage at the bottom.
 
I ended up saving the database to another location not even on the server and deleting the entire forum directory from the server and my own computer, downloading the latest version of Web Wiz and uploading it. But when I go into the forum now, I still get the redirect to the hacked forum closed page!!
 
These Turks are close to putting me right off my turkey dinner tomorrow.
 
Anybody have any ideas?
 
Merry Christmas et al to all.
 
Alan


Replies:
Posted By: cctran
Date Posted: 24 December 2005 at 11:37pm
I hope you were joking around because I think hackers can be from any region.  In any case, if you really think its from Turk hackers, block ips from that region.  A lot of hosting companies block ips from china, etc.  It will save you bandwidth and unless you care about that audience, then you can add a very very minor safeguard.  Dump out the logs and see the regions the ip is coming from.  hostip info is a good source for geolocating ips.

-------------
--
Charles
http://www.lunchspark.com/places.home - local restaurants

Posted By: Gullanian
Date Posted: 25 December 2005 at 1:23am
Well considering it pointed to a turkish hacker message/screen it's pretty safe to assume the hacker was turkish.

I can't quite conclude from reading your posts if you are actually moving the DB and renaming it properly to help offer protection.  If it is, then it sounds like a server security issue of the hacker actually gaining access through FTP or something.

Posted By: Bluefrog
Date Posted: 25 December 2005 at 3:28am
Originally posted by Gullanian Gullanian wrote:

Well considering it pointed to a turkish hacker message/screen it's pretty safe to assume the hacker was turkish.

I can't quite conclude from reading your posts if you are actually moving the DB and renaming it properly to help offer protection.  If it is, then it sounds like a server security issue of the hacker actually gaining access through FTP or something.


I was thinking the same thing as I read through - sounds like a server issue with some software.

Check all the other software on the server & apply security patches. BTW - the best thing for a compromised server is to reinstall - not fun.

Try to see where they got in. If it's a Symantec anti-virus exploit or an FTP server exploit - whatever it is, fix that first. If it ends up being a WWF exploit, see if you can find where it is then email BoRg. Do not post it back here as these are public forums that anyone can read and you'll only end up hurting someone.

Good luck!



-------------
http://renegademinds.com/" rel="nofollow - Renegade Minds - Guitar Software http://renegademinds.com/Default.aspx?tabid=65" rel="nofollow - Slow Down Music

Posted By: AlanP
Date Posted: 25 December 2005 at 6:55pm
Thanks for all the help. It all appears to be working well now. Don't ask me how or why.
 
Alan

Posted By: WebWiz-Bruce
Date Posted: 27 December 2005 at 1:17pm
The Turkish hacker is using a number of exploits to get in, he mainly uses CSS to deface your site and place an image on there that says you have been hacked.

Please read the following on how he hacks sites and ways to prevent it:-

  1. He looks for older versions of Web Wiz Forums, or ones that have not been updated correctly and then uses old exploits to get in. To prevent this make sure you are running the latest version.

  2. He downloads the Access database and gets admin username and password from that. Make sure you place the database out side of your web site where he can not download the database see, http://www.webwiz.net/web_wiz_forums/docs_access_move_db.asp - http://www.webwiz.net/web_wiz_forums/docs_access_move_db.asp

  3. He also looks for holes in the servers own security, for sites that have not setup permissions securely and have write permissions enabled on public files and folder, this allows a hacker to upload his/her own files to the server to deface of hack the site. Permissions need to be set by your web host, contact them to setup secure permissions for your site.

  4. Do not enable upload features in the forum. For uploading to work you need to make your server insecure by enabling write permissions on the upload directory, these can be used by a hacker to hack your site (as in point 3).


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting

Posted By: AlanP
Date Posted: 27 December 2005 at 2:43pm
Thanks, boRg.
I moved the database outside the htdocs directory and into the private directory and reset the two common.asp files to the physical address e:\domains\e\domainname\user\private\newname\newname.mdb and the site works fine. But when I try to compact and back up the database I get an error message
 

    Microsoft VBScript runtime error '800a0034'

    Bad file name or number

    /forum/admin/compact_access_db.asp, line 121

    Line 121 reads:
    objFSO.CopyFile strDbPathAndName, Replace(strDbPathAndName, ".mdb", "-backup.mdb", 1, -1, 1)
    Do I need to edit something in here?
    Also, when I went into the private directory with Cuteftp, I discovered that he had put a bunch of default and index files in there. The directory is set to drwx------- (owner permissions only). Does this indicate an ftp hole on the server?
    Thanks,
    Alan

Posted By: huwnet
Date Posted: 27 December 2005 at 6:42pm
Originally posted by -boRg- -boRg- wrote:


He also looks for holes in the servers own security, for sites that have not setup permissions securely and have write permissions enabled on public files and folder, this allows a hacker to upload his/her own files to the server to deface of hack the site. Permissions need to be set by your web host, contact them to setup secure permissions for your site.


I have never understood how files can be uploaded to an insecure web server just using the http protocol.

Or does the hacker somehow use the upload script to his advantage?

Posted By: masterxcom
Date Posted: 27 December 2005 at 8:24pm
i can understand you perfectly because i am from turkey and everyday they try to hack my web site....
let me give you some advises
1)Change your forum database path and name
2)Lots of hacker try to deface your web-site with Css..
They use it in their signiture and if you do not clouse HTML tags use it in their post....
3)Some kind of hackers create mass users and writing mass messages and try to full your database...My suggestion is use security images in register and login users.....

i hope you solve your problem

Posted By: WebWiz-Bruce
Date Posted: 28 December 2005 at 2:14pm
Originally posted by huwnet huwnet wrote:

Originally posted by -boRg- -boRg- wrote:


He also looks for holes in the servers own security, for sites that have not setup permissions securely and have write permissions enabled on public files and folder, this allows a hacker to upload his/her own files to the server to deface of hack the site. Permissions need to be set by your web host, contact them to setup secure permissions for your site.


I have never understood how files can be uploaded to an insecure web server just using the http protocol.

Or does the hacker somehow use the upload script to his advantage?


No hackers don't need to use upload scripts to do this, it's even simpler than that.

Hacking sites by using HTTP to upload files to sites with write and modify permissions enabled is simple.

I'm not going to go into it here as I do not like hacking, but just look on any hacking site.

There are loads of tools to do this, I was even taught how to use hacking tools like this as part of a University course, so that server admins know the security risks and how to prevent them.

The ADO.Stream object, part of ADO on windows servers makes uploading via HTTP even simpler.

Most hackers who do this are usually 14 year olds with to much time on their hands and download simple hacking tools and think it's cool to go around defacing sites, as if it is somthing new.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting

Posted By: huwnet
Date Posted: 28 December 2005 at 6:04pm
Thanks for the information.

Didn't know things like that where even possible.

Posted By: Ninjai
Date Posted: 30 December 2005 at 11:53am
Wow, didn't realise it was that easy to hack and deface. I've moved and renamed the database and run latest versions but still seems abit of a worry.

Suppose best thing is not to make yourself a target by running old versions and allowing guest post etc..


Print Page | Close Window

Forum Software by Web Wiz Forums® version 12.08 - https://www.webwizforums.com
Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net