Coffeehouse Thread

Request for help: Stalking Hacker

  • jamie

    www.jgrant.com
    **edit - manip removed pirate graphic and post later in thread


    my silly little family portal keeps getting hacked by "MD Mad Hacker" from kuwait

    he's somehow getting into the "Grin" asp portal i hobbled together out of free asp stuff..

    Anyone that has some spare time - that feels like helping out i would appreciate it - as there is no way i could figure out a security hole in asp code
    ( its about 6 or 7 pages.. )

    The guy keeps wiping out all posts with his inane comments
    Ive changed the passwords over and over

    can anyone bust in and let me know?

    * you can also download the portal for yourself - or to check - click on the GrinInc tab - and go to Family Portal

    thanks in advance for any help...
    j

  • Keskos

    jamie wrote:
    www.jgrant.com

    my silly little family portal keeps getting hacked by "MD Mad Hacker" from kuwait

    he's somehow getting into the "Grin" asp portal i hobbled together out of free asp stuff..

    Anyone that has some spare time - that feels like helping out i would appreciate it - as there is no way i could figure out a security hole in asp code
    ( its about 6 or 7 pages.. )

    The guy keeps wiping out all posts with his inane comments
    Ive changed the passwords over and over

    can anyone bust in and let me know?

    * you can also download the portal for yourself - or to check - click on the GrinInc tab - and go to Family Portal

    thanks in advance for any help...
    j


    I would love to help, but I have no asp knowledge. Did you check out security stuff on the google about this particular portal? Especially look at google groups. Also where did you get your copy from? Is it reliable? Is it the latest version of that portal software? These are the first things to check out.

  • jamie

    i think it was web wizard forum or something
    its basically the simplest free one i could find..
    ..obviously it's too simple

  • eagle

    Here's the site where your hacker is coming from:

    http://madoz.jeeran.com/hack.gif 


    Registrar: ENOM, INC.
    Whois-Server:whois.enom.com
    Contact: webmaster@jeeran.com
    Visit: http://www.jeeran.com
    Domain name: jeeran.com
    Registrant Contact: Jeeran Inc. NA NA (NA) NA Fax: PO BOX 9162 NA, US
    Administrative Contact: NA Omar Koudsi (webmaster@jeeran.com) 9626 5335152 ex. 13 Fax: 9626 5335152 ex. 13 Jeeran Inc. AMM 939 Jamaica, NY 11434 US
    Technical Contact: NA Omar Koudsi (webmaster@jeeran.com) 9626 5335152 ex. 13 Fax: 9626 5335152 ex. 13 Jeeran Inc. AMM 939 Jamaica, NY 11434 US

  • Manip2

    Jamie, I am not an ASP.net programmer.. but this:

    If Session("blnIsUserGood") = False or IsNull(Session("blnIsUserGood")) = True then
     'Redirect to unauthorised user page
      Response.Redirect"unauthorised_user_page.htm"
    End If

    Shouldn't that read:

      Response.Redirect"unauthorised_user_page.htm"
      End

    Or whatever you use to end the execution of the asp.net script? It would be trivial to write a custom browser or proxy that ignores the redirect and continues to load the page.

  • jamie

    i wouldn't know..

    manip2??

    i'll wait a bit and then try changing it if there are no further comments.

    thanks manip2??

  • jamie

    KESKOS...

    i love your new avatar :)

  • Manip2

    Yeah.. My computer has died so I borrowed another one. Only problem is this doesn't have my encrypted password database on it.. So I will use this account until I get my original machine up and running again and then ask Lenn to remove this account.


    Lenn: Please don't delete either yet.

  • Manip2

    Jamie. My point is, that your protection statement relies on the user's *browser*. If after you send that statement they don't disconnect then your page will simply continue to load as if you hadn't sent it.

    Imagine if you removed that redirect line.. that is effectively what they are doing.
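
The concern raised in Manip2's two posts above, modeled as an added example (Python standing in for the portal, not code from the thread): a guarded page that answers with a redirect should send nothing else with it. The `Portal` handler, the `/leaky` and `/fixed` paths and `SECRET` are constructed for the demo; `http.client` is used because it never follows redirects, so a test can see any body shipped alongside the 302.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"<h1>admin: edit posts</h1>"  # constructed protected content

class Portal(BaseHTTPRequestHandler):
    """Toy guarded page; no session exists, so the guard always fires."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "/unauthorised_user_page.htm")
        if self.path == "/fixed":
            # Guard ends the response right after the redirect.
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # /leaky: execution falls through and the page is rendered anyway.
        self.send_header("Content-Length", str(len(SECRET)))
        self.end_headers()
        self.wfile.write(SECRET)

    def log_message(self, *args):
        pass  # keep the demo quiet

def fetch_without_following(port, path):
    """Return (status, body) exactly as sent, redirects not followed."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def check(path):
    """Serve the toy portal on a free local port and probe one path."""
    server = HTTPServer(("127.0.0.1", 0), Portal)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch_without_following(server.server_port, path)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print({p: check(p) for p in ("/leaky", "/fixed")})
```

A regression test for a real guarded page would call `fetch_without_following` against it with no session and require an empty body on every 3xx answer.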

  • Keskos

    jamie wrote:
    KESKOS...

    i love your new avatar :)


    It scales the images. Damn it. My original image is 2KB the scaled version is 5KB and uglier. It is the same with their original avatars. They scale stuff and mess up gif images.


  • jamie

    ha - look at the forum :)
    Eagle - aka mad hacker lol

    when c9 gets as many members as slashdot i'd ask you all to "C9 the guy!" - ie; "his site got slashdotted"

    its very weird to be hijacked on the internet
    thanks eagle/keskos

    just want my relatives to stop asking who Mad Hacker is..

  • jamie

    i agree 100%

    this was something i put in the wiki the first day i was here
    STOP resizing avatars - or post real un-screwed dimensions

    never changed

    the wiki is dead... long live the wiki ;)

    * animated gifs - or even flash (although i wouldn't use it) should also be an option if it isn't already..

    anyway - mad hacker from kuwait...  bleugh ( rolls eyes)

  • astorrs

    Found your problem. The /journal/journal.mdb file is downloadable directly from the webserver. Unless you move the file to a place outside of the webserver directory and change the scripts appropriately mr hacker will always be able to login no matter what you change the password to.

    See the bulletin here:
    http://secunia.com/advisories/9641/

    Let me know if you get stuck making the changes.

    Andrew
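
One way to carry out the fix astorrs describes, as an added example that is not part of the original post: list every Access database stored under the web root together with the scripts that name it, so you know what to move and which scripts to change afterwards. Only `/journal/journal.mdb` comes from the thread; the script names, the script extensions searched and the sample layout are constructed assumptions.

```python
import os
import re
import tempfile

DATA_EXTS = {".mdb"}                    # Access databases; extend as needed
SCRIPT_EXTS = {".asp", ".inc", ".asa"}  # assumed script types to search

def url_path(path, webroot):
    """Path the web server would serve this file under."""
    return "/" + os.path.relpath(path, webroot).replace(os.sep, "/")

def audit_webroot(webroot):
    """Map each database under webroot to the scripts that name it."""
    databases, scripts = [], []
    for folder, _dirs, names in os.walk(webroot):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            full = os.path.join(folder, name)
            if ext in DATA_EXTS:
                databases.append(full)
            elif ext in SCRIPT_EXTS:
                scripts.append(full)
    report = {}
    for db in databases:
        needle = re.compile(re.escape(os.path.basename(db)), re.IGNORECASE)
        hits = []
        for script in scripts:
            with open(script, encoding="latin-1") as fh:
                if needle.search(fh.read()):
                    hits.append(url_path(script, webroot))
        report[url_path(db, webroot)] = sorted(hits)
    return report

def build_sample(root):
    """Constructed layout: a journal database sitting beside its scripts."""
    os.makedirs(os.path.join(root, "journal"))
    open(os.path.join(root, "journal", "journal.mdb"), "wb").close()
    with open(os.path.join(root, "journal", "common.asp"), "w") as fh:
        fh.write('strDb = Server.MapPath("journal.mdb")\n')
    with open(os.path.join(root, "default.asp"), "w") as fh:
        fh.write('<% Response.Write "hello" %>\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for db, users in audit_webroot(root).items():
            print(f"{db} sits under the web root; referenced by {users}")
```

An empty report means no database file is left where the web server can hand it out as a static download.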

  • Zzzzzzz

    You don't seem to have locked down your web server. Directory listings are allowed for instance. www.jgrant.com/database. Don't expose unnecessary virtual directories. You have a ton.

  • astorrs

    Move it completely out of inetpub to be safe.

    Also as Zzzzz suggested make sure you completely turn off directory listings.

  • jamie

    Andrew thanks!

    this reminds me of Droiyan at max web portal always giving me heck over having the MWP DB on the root of my max portal versions

    so moving it up a level ( out of root) would actually help?


    EDIT
    RE:  ZZZZ  -  hmm obviously not lol

    so its an iis issue on server?

    i have 2 firewalls - but ya - all the "set this to write" is from the code instructions - or usually the free asp i make graphics for doesn't work

  • Jeremy W

    Jamie, is this a server you have complete control over? If so, I can give you a fairly concise guide to locking it down (without getting into the NSA recommendations). It's surprisingly simple, actually.

  • jamie

    * working on moving db up a level

    re - Directory listings...

    if you turn them off the asp stuff stops working?
    or is there a way to turn off "showing them" ?

    sorry in advance for the ineptitude

    * running my own server and portal is new to me... always did it for clients (graphics-wise)- trying to understand code ;p

    ** all i know is i hate php  .. blame me OR frontpage for that :)
