racekites
Newbie
Joined: 18 November 2004
Status: Offline
Points: 33
|
Topic: hacked forum... please help... Posted: 04 April 2008 at 10:16pm |
Hey guys...
I'm running webwiz over on www.racekites.com however someone has just hacked the forum and SQLServer database.... I'm on WW 8.03
it looks like someone has inserted javascript throughout the forum
link to javascript file removed by admin
I've replaced s with $
any idea how they are doing this ?? and more importantly how I can fix it ??
looks like I need to restore from a backup as the damage is pretty comprehensive....
Please help
Cheers
A
Edited by WebWiz-Bruce - 04 April 2008 at 10:45pm
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 04 April 2008 at 10:44pm |
|
This is a Cross Site Scripting hack (XSS), usually written to exploit vulnerabilities in IE.
You should be able to log into your forum using Firefox, which is usually not vulnerable, to delete any posts with this javascript in them.
Then, to make sure it doesn't happen again, upgrade to the latest version, which will protect against this.
New XSS hacks come out all the time, mainly using vulnerabilities in browsers, so we monitor security web sites and do monthly audits; if we see any potential issues a new version of Web Wiz Forums is released. For this reason you should always make sure you are running the latest release.
|
|
|
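As an added illustration of finding the posts that carry the injected javascript (not part of the original thread and not Web Wiz Forums code): a scan of exported post rows for script tags that load from a foreign host, with a cleaner that removes only those tags. The row layout, host names and function names are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# An opening <script ... src=...> tag plus its closing tag if it follows directly.
# Tolerates mixed case, unquoted attributes and a missing </script>.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)[^>]*>\s*(?:</script\s*>)?",
    re.IGNORECASE,
)

def is_foreign(url, allowed_hosts):
    """True when the script loads from a host that is not on the allow-list.
    Relative URLs (no host) are the site's own files and are not flagged."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in allowed_hosts

def find_injected(rows, allowed_hosts=frozenset()):
    """Return {row_id: [foreign script URLs]} for every affected row."""
    hits = {}
    for row_id, body in rows:
        urls = [m.group(1) for m in SCRIPT_SRC.finditer(body)
                if is_foreign(m.group(1), allowed_hosts)]
        if urls:
            hits[row_id] = urls
    return hits

def strip_injected(body, allowed_hosts=frozenset()):
    """Remove foreign script tags and leave the rest of the post untouched."""
    def repl(m):
        return "" if is_foreign(m.group(1), allowed_hosts) else m.group(0)
    return SCRIPT_SRC.sub(repl, body)

# Constructed sample rows (id, stored HTML body); the hosts are placeholders.
SAMPLE_ROWS = [
    (101, 'Great kite session today!<script src="http://injected.example/a.js"></script>'),
    (102, "No problems here."),
    (103, "Check the wind forecast<SCRIPT SRC=http://injected.example/a.js></SCRIPT> before you go"),
    (104, 'Local include <script src="/js/forum.js"></script>'),
]

if __name__ == "__main__":
    for row_id, urls in find_injected(SAMPLE_ROWS).items():
        print(row_id, urls)
```
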
 |
racekites
Newbie
Joined: 18 November 2004
Status: Offline
Points: 33
|
Posted: 04 April 2008 at 10:51pm |
cheers B
It looks like they have updated all the posts.... looks like a restore from backup time....
we do have a backup don't we..... 
how does this exploit work, is it an issue with SQLServer or the forum code ??
I've done lots of customisation on the forum so upgrading is a big job....
Cheers
A
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 04 April 2008 at 11:05pm |
|
If they have updated every post then it suggests that the issue has more to do with weak admin, FTP, and/or SQL Server passwords.
If an exploit like this existed in web wiz forums we would certainly know about it.
You should make sure all your passwords are alphanumerical, update your forum to the latest release, make sure that there are no unusual files on your web server that the hacker is using as a back door to your site, and make sure there are no unusual back door admin accounts created on your forum.
|
|
|
 |
racekites
Newbie
Joined: 18 November 2004
Status: Offline
Points: 33
|
Posted: 05 April 2008 at 12:36am |
|
Cheers Bruce
All passwords have been updated as recommended... (they were all originally a mix of characters/numbers and shift characters...)
I purchased the full version, does this mean I can upgrade to 9 or will I need to pay an upgrade fee ??
So, when looking for a rogue admin user is there any way of masking the user group, or will anyone with admin rights have to be in the admin group ??
Is there anything else I need to look for while locking the website down... ?
Also, could it be that the webserver/dbserver needs patching ??
Cheers and thanks for the help A
Edited by racekites - 05 April 2008 at 12:44am
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 05 April 2008 at 10:01am |
|
If you look in the members list it should list anyone in the admin group.
To ensure your web site is secure you should check that there are no rogue files on the server that a hacker is using as a backdoor to gain access to your site. You should also have it so that write and modify permissions are removed and you only have read permissions. The exception to this is if you allow users to upload files, in which case you need to set read, write, and modify permissions on those folders only.
I could not comment if the web server you are using needs patching or is locked down securely as I don't know what security measures your host puts in place; however, security for both web and database servers is quite complex, so hopefully they will have knowledgeable engineers who have locked down the servers.
Upgrading depends on the type of license you have, you should contact sales and accounts if you have licensing questions.
|
|
|
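One way to carry out the check for rogue files described above, as an added example that is not part of the original thread: hash every file in a known-good backup and in the live web root, then list what was added, modified or removed. The directory layout and file names in `demo()` are constructed for the example, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(backup_root, live_root):
    """Classify the live files against the known-good backup."""
    good, live = manifest(backup_root), manifest(live_root)
    return {
        # Files with no counterpart in the backup: candidates for backdoors.
        "added": sorted(set(live) - set(good)),
        # Same path, different contents: code that was altered in place.
        "modified": sorted(f for f in good.keys() & live.keys() if good[f] != live[f]),
        "missing": sorted(set(good) - set(live)),
    }

def demo():
    """Constructed trees: a clean backup, and a live copy with one altered
    file and one unexpected script inside a writable upload folder."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "includes").mkdir(parents=True)
            (root / "default.asp").write_text("<% ' forum index %>")
            (root / "includes" / "common.asp").write_text("<% ' shared code %>")
        (live / "includes" / "common.asp").write_text("<% ' shared code %><!-- altered -->")
        (live / "uploads").mkdir()
        (live / "uploads" / "x.asp").write_text("<% ' unexpected script %>")
        return compare(backup, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

The comparison is only as trustworthy as the backup, so it needs to be a copy taken before the compromise.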
 |
gringolalo
Newbie
Joined: 05 April 2008
Location: Washington Stat
Status: Offline
Points: 3
|
Posted: 05 April 2008 at 7:09pm |
Bruce:
Thank you for what you do. I have a web site in which I run my business using a password protected admin side. It is written using the old asp technology and we keep our data in an SQL database.
Since last night, something happened that appears to be the attack you are talking about here with reference to a forum.
I am not a technician but have been cutting and pasting code for many years. I have a back up of my programs and code on my home computer and put them into a sub directory to see if the problem still exists. It does. Is the malicious code which is causing the problem in my code or in the SQL database?
Thanks.
|
 |
gringolalo
Newbie
Joined: 05 April 2008
Location: Washington Stat
Status: Offline
Points: 3
|
Posted: 05 April 2008 at 7:17pm |
Bruce:
I failed to mention, I found this forum by searching on nmidahena virus and I tried accessing my material using Firefox as you suggested. It works fine. We just changed our email access in Outlook yesterday to IMAP from POP 3. Could that be where I got it? Is it likely part of an email message I received? Do I need to delete emails??
Thanks
|
 |