Hackers are .... $&%#$*$!!
Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=19023
Printed Date: 30 March 2026 at 11:03am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Hackers are .... $&%#$*$!!
Posted By: MadDog
Subject: Hackers are .... $&%#$*$!!
Date Posted: 28 March 2006 at 8:50pm
I hate hackers!
Last night someone uploaded an asp file through an online demo of my portal that replaced all default.asp files with "hacked by" in it.
Now this morning I have to spend all freaking day repairing the damage.
Note to self: Setting "Administrator" in the IIS in the Authentication is a very bad idea! I need to learn more about IIS... I'm just a coder, not a server administrator
------------- http://www.iportalx.net
Replies:
Posted By: the boss
Date Posted: 29 March 2006 at 8:51am
why leave your cheese on the table and complain about mice!! 
------------- http://www.web2messenger.com/theboss
Posted By: Mikey
Date Posted: 29 March 2006 at 12:41pm
Sorry to hear that Maddog,
A few times these {insert rude word here} have got me and it does make you wonder what the point is? I mean are they gonna gain notoriety or anything of any use from hacking my little East London Skateboard site???? I think not....
------------- Handyman man?
Posted By: WebWiz-Bruce
Date Posted: 29 March 2006 at 1:15pm
Security can never be overlooked, I've spent months on it and it's a pain.
A few more pointers to prevent this type of thing:-
1. Only allow users to browse your site through the IUSR account
2. Set the IUSR account to have read only permissions on all public folders inside your web site except the upload directory (this would prevent this hack)
3. Alter your upload application to not allow unsafe file types (.asp, .aspx, .php, etc)
For the last point I did this in version 7.97 of Web Wiz Forums as I found that if a hacker gained access to the forums admin section they could change the allowed file uploads to allow ASP files to be uploaded, then upload an ASP file to the server through the upload tools to hack the entire site.
If you checkout the 'admin/upload_configure.asp' file in web wiz forums 7.97 you will see a whole list of un-safe file types that you should not allow as upload types.
I spent the best part of a weekend coming up with the list from both online sources and a list of un-safe file types that Microsoft issued.
If you're developing applications for the web madDog it is well worth doing a lot of research on both server hacking, XSS hacking, SQL injections, etc. as it is the only way to make sure that the applications you develop are truly hacker proof.
Posted By: WebWiz-Bruce
Date Posted: 29 March 2006 at 1:18pm
By the way here is the list of unsafe file extensions for IIS, I've placed it into an array:-
'ISAPI and CGI web page extensions (can be used to hack site)
Dim saryBadFileTypes(56)   ' declaration added so the assignments below run as posted
saryBadFileTypes(0) = "asax"
saryBadFileTypes(1) = "ascx"
saryBadFileTypes(2) = "ashx"
saryBadFileTypes(3) = "asmx"
saryBadFileTypes(4) = "aspx"
saryBadFileTypes(5) = "asp"
saryBadFileTypes(6) = "asa"
saryBadFileTypes(7) = "asr"
saryBadFileTypes(8) = "axd"
saryBadFileTypes(9) = "cdx"
saryBadFileTypes(10) = "cer"
saryBadFileTypes(11) = "cgi"
saryBadFileTypes(12) = "class"
saryBadFileTypes(13) = "config"
saryBadFileTypes(14) = "com"
saryBadFileTypes(15) = "cs"
saryBadFileTypes(16) = "csproj"
saryBadFileTypes(17) = "cnf"
saryBadFileTypes(18) = "dll"
saryBadFileTypes(19) = "edml"
saryBadFileTypes(20) = "exe"
saryBadFileTypes(21) = "idc"
saryBadFileTypes(22) = "inc"
saryBadFileTypes(23) = "isp"
saryBadFileTypes(24) = "licx"
saryBadFileTypes(25) = "php3"
saryBadFileTypes(26) = "php4"
saryBadFileTypes(27) = "php5"
saryBadFileTypes(28) = "php"
saryBadFileTypes(29) = "phtml"
saryBadFileTypes(30) = "pl"
saryBadFileTypes(31) = "rem"
saryBadFileTypes(32) = "resources"
saryBadFileTypes(33) = "resx"
saryBadFileTypes(34) = "shtm"
saryBadFileTypes(35) = "shtml"
saryBadFileTypes(36) = "soap"
saryBadFileTypes(37) = "stm"
saryBadFileTypes(38) = "vsdisco"
saryBadFileTypes(39) = "vbe"
saryBadFileTypes(40) = "vbs"
saryBadFileTypes(41) = "vbx"
saryBadFileTypes(42) = "vb"
saryBadFileTypes(43) = "webinfo"
saryBadFileTypes(44) = "cfm"
saryBadFileTypes(45) = "ssi"
saryBadFileTypes(46) = "swf"
saryBadFileTypes(47) = "vbs"   ' duplicate of index 40, kept as posted
saryBadFileTypes(48) = "tpl"
saryBadFileTypes(49) = "cfc"
saryBadFileTypes(50) = "jst"
saryBadFileTypes(51) = "jsp"
saryBadFileTypes(52) = "jse"
saryBadFileTypes(53) = "jsf"
saryBadFileTypes(54) = "js"
saryBadFileTypes(55) = "java"
saryBadFileTypes(56) = "wml"
This list may need to be altered if any unusual extensions are supported on the server.
Posted By: Mikey
Date Posted: 29 March 2006 at 1:23pm
-boRg- wrote:
This list may need to be altered if any unusual extensions are supported on the server.
...and they're not unusual 
------------- Handyman man?
Posted By: the boss
Date Posted: 29 March 2006 at 1:46pm
well how about blocking every extension except the ones explicitly in the list.. and then add only jpg files.. also add a size limit because some clever ass can inject code in an image file and execute it..
hackers do the hacking for the sake of gaining momentum in their social circles.. it doesn't matter what site they have hacked as long as they have got a chance to use their nimblest skills
------------- http://www.web2messenger.com/theboss
Posted By: Gullanian
Date Posted: 29 March 2006 at 5:39pm
Wouldn't it be easier to list the allowed filetypes as opposed to disallowed? There's only a few allowed, jpg, jpeg, gif, png, bmp etc etc.
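Added example, not code from this thread or from Web Wiz Forums: the two upload checks the posts above describe, written in Python rather than ASP so the logic is easy to follow. The denylist is the extension list Bruce posted; the allowlist, size limit and "check the bytes, not just the name" idea follow the suggestions by the boss and Gullanian. The allowed image types, the 2 MB limit, the magic-byte table and the random server-chosen storage name are my assumptions for the example, not anything the forum software does.

```python
# Added example (not Web Wiz Forums code): upload filename checks in the two
# styles discussed in the thread, denylist vs. allowlist, plus the cases a bare
# "last extension" check misses.
import os
import secrets

# Extensions from the posted saryBadFileTypes array (lowercased, "vbs" de-duplicated).
UNSAFE_EXTENSIONS = frozenset("""
asax ascx ashx asmx aspx asp asa asr axd cdx cer cgi class config com cs csproj
cnf dll edml exe idc inc isp licx php3 php4 php5 php phtml pl rem resources resx
shtm shtml soap stm vsdisco vbe vbs vbx vb webinfo cfm ssi swf tpl cfc jst jsp
jse jsf js java wml
""".split())

# The only types this upload form is meant to accept (assumed for the example).
ALLOWED_IMAGE_EXTENSIONS = frozenset({"jpg", "jpeg", "gif", "png", "bmp"})

# Leading bytes of each allowed format, so the content is checked as well as
# the client-supplied name (assumed table, covers the common encodings only).
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
}

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit, the boss's "size limit" point

# Constructed sample: a valid PNG signature followed by padding.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def split_name(filename):
    """Return (base, [extensions]) from a client-supplied filename.

    The client controls the whole string, so the path part is dropped, the
    name is lowercased (NTFS is case-insensitive) and trailing dots/spaces
    are removed (Windows strips them when the file is created).
    "photo.jpg.asp" yields ("photo", ["jpg", "asp"]), so a check over every
    segment sees the ASP extension that a last-segment check would miss.
    """
    name = os.path.basename(filename.replace("\\", "/")).lower().rstrip(". ")
    parts = name.split(".")
    return parts[0], parts[1:]


def denylist_rejects(filename):
    """Bruce's approach: refuse if any segment is a known-dangerous extension."""
    _, exts = split_name(filename)
    return any(ext in UNSAFE_EXTENSIONS for ext in exts)


def allowlist_accepts(filename):
    """Gullanian's approach: exactly one extension, and it must be an image one."""
    base, exts = split_name(filename)
    return bool(base) and len(exts) == 1 and exts[0] in ALLOWED_IMAGE_EXTENSIONS


def content_matches(ext, data):
    """True if the file starts with a signature known for this extension."""
    return any(data.startswith(magic) for magic in MAGIC_BYTES.get(ext, ()))


def storage_name(filename):
    """Server-chosen name to save under: random hex plus the vetted extension.

    The client's base name never reaches the disk, so nothing it contained
    can influence where or what is written.
    """
    _, exts = split_name(filename)
    return secrets.token_hex(8) + "." + exts[-1]


def check_upload(filename, data, max_bytes=MAX_UPLOAD_BYTES):
    """Return (accepted, reason, storage_name_or_None) for one upload."""
    if len(data) > max_bytes:
        return False, "file too large", None
    if not allowlist_accepts(filename):
        return False, "extension not allowed", None
    ext = split_name(filename)[1][0]
    if not content_matches(ext, data):
        return False, "content does not match extension", None
    return True, "ok", storage_name(filename)


if __name__ == "__main__":
    for name, data in [("photo.png", PNG_SAMPLE),
                       ("photo.png.asp", PNG_SAMPLE),
                       ("photo.png", b"not really a png")]:
        print(name, check_upload(name, data)[:2])
```

The denylist needs updating every time the server learns a new handler (the posted list has no entry for newer PHP or ASP.NET extensions, for instance), while the allowlist only ever needs to name what the form is for; that is the practical difference behind Gullanian's suggestion. Neither check replaces Bruce's first two pointers: the upload folder should still have no script execution rights, so a file that slips past the name check is served as data rather than run.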
Posted By: MadDog
Date Posted: 29 March 2006 at 8:58pm
-boRg- wrote:
If you're developing applications for the web madDog it is well worth doing allot of research on both server hacking, XSS hacking, SQL injections, etc. as it is the only way to make sure that your applications that you develop are truly hacker proof.
I have done a lot of research on all that kind of hacking. What I don't know much about is IIS and all that stuff. They didn't use a hole in the portal security. They used a hole in the way I set up IIS (I used Administrator as the IIS security account).
------------- http://www.iportalx.net