Messages posted by: Trevor
Hopefully someone can help me with this...

I've been fixing some hacked guestbooks and want to track down the IP addresses of the hackers.

I can get the same sort of info as...

18.west-valley-02rh15rt.ut.dial-access.att.net
or
cache-dtc-ac17.proxy.aol.com


But how do you turn that into an IP address?

Any help would be much appreciated.

You can mail me if you want guestbook at kahlil dot org.

Thanks
Hi JTD,

I know what you mean. I think some people come on here, don't read any posts, submit their own question and expect a dozen replies within 5 minutes. I don't mind spending a bit of time writing these things if it helps people.

What I can't get over is a) how easy it is to hack into guestbooks and b) the number of people who've done nothing about it.

All the best,

Trevor
Ahroo,

Just posted this... <<<http://proxy2.de/forum/viewtopic.php?t=3475>>>, you might find it useful.

To answer your questions...

How do people find these guestbooks to hack into in the first place


Search engines mainly

and is it just guestbooks from proxy2.de that are being hacked into or is this something that all guestbooks are at risk for?


Version 2.2 is particularly vulnerable but if someone's clever enough and determined enough they could probably get into pretty much any guestbook they wanted

Do these hackers lurk on these forums and attack guestbooks that have had URLs for them posted here or do they have a more devious way of finding them (like doing a google search for guestbook)?


Lurking on forums would be one way but why bother when any search engine will throw up thousands of results. Use a robots.txt file to prevent your guestbook being indexed by search-bots.

In order for me to upload my files to my server via FTP, I have to have a user name and password - how does a hacker get this info or do they have a way of bypassing it (in which case, why do I have to bother with it if it can be gotten around so easily)?


As JTD said - it's not your ftp password, it's the password that you use to access the guestbook admin panel - there's a known vulnerability which can be exploited allowing anyone with a certain password to access unprotected guestbooks.

I have read that it is version 2.2 which is most susceptible to hacking


Judging by the posts on this forum then - yes.

others have said that 2.3.1 is also at risk


Maybe but to a much lesser extent. No doubt someone, somewhere is trying to expose any weaknesses but at present there's no major issues that I'm aware of.

others have said it is the webhosts php version which is the culprit.


Could be in some cases - depends on the version but the weak point in the majority of cases is the ease with which the admin panel in version 2.2 can be accessed.

And are other scripts, such as forums, equally at risk?


It's a bit like asking how long's a piece of string. Depends on the forum, some are more at risk than others. I guess the more popular ones are most likely to be the target of people looking for weaknesses but on the other hand, it's likely that the more popular ones are the better developed ones anyway.

In general do the following...
Go for version 2.3.1
Read the post mentioned above
Restrict access with a .htaccess file
Use noindex / nofollow in robots.txt
Rename admin.php (change all links to it as well)
Remove the 'administration' link from the view and sign pages of the guestbook

Hope this helps,

Trevor
INTRO
Thought I'd post this as it's an important security issue for anyone with Advanced Guestbook version 2.2. Basically the problem is that these guestbooks are extremely easy to hack into.

I've written this in simple language so everyone can understand it - hopefully (sounds better than the truthful reason which is that I'm not at all technical).

HOW EASY IS IT TO HACK?
I've just visited about 20 guestbooks and got straight into the majority of them. Only one or two had taken steps to address the vulnerability and several had already been targeted by malicious hackers. (Don't worry - I didn't do anything except mail the webmaster with suggestions and offer to repair hacked guestbooks).

HOW DO THEY GET HACKED?
Very easily - 'nuff said.

WHAT DO THE HACKERS DO?
Depends, pretty much what they want. Of the ones I've just visited that were hacked, there was the usual display of pro and anti slogans, adverts and URLs for questionable sites and a young man displaying his affections for the lady of his life by hacking sites and professing his love for her.

CAN A HACKED SITE BE FIXED?
Again - it depends. If the entries have been deleted and the coding screwed around with then no, if it's just a case of changed settings then usually yes.

HOW CAN IT BE FIXED?
First thing is to regain access (as mentioned - passwords and usernames are often changed), with access restored it may simply be a case of deleting the offending entries and resetting changes that have been made.

HOW TO REGAIN ACCESS
Problem - if I say how it's done then less scrupulous people could use it for malicious purposes.
Solution 1 - Search this forum, it's a subject that's been covered many times.
Solution 2 - If that fails send me an email to guestbook at kahlil dot org and I'll have a go at doing it for you. Then just login using the new username and password and off you go. You'll need to tell me the URL of the guestbook, once accessed (if it can be done), I'll mail you back with the new username and password which you can then change to whatever.

PREVENTING HACKERS IN THE FIRST PLACE

UPGRADE TO VERSION 2.3.1 IF YOU CAN, this is more secure and addresses other problems with version 2.2. Info about upgrading is here <<<http://proxy2.de/forum/viewtopic.php?t=2595>>>

If you can't upgrade or want to make version 2.3.1 more secure then here's some suggestions (search this site for more detailed info)...

Carbonize has an excellent forum on his site including a very simple yet effective fix for the version 2.2 exploit... <<<http://www.carbonize.co.uk/Board/viewforum.php?f=10>>>

Here's another fix for version 2.2. but it's more complicated...<<<http://proxy2.de/forum/viewtopic.php?t=3283>>>

Check out the following post by Carbonize, it adds another layer to the password security in version 2.2 and is an easy and effective solution...<<<http://proxy2.de/forum/viewtopic.php?t=3343>>>

Protect your files with .htaccess - there's a tutorial on the subject here... <<<http://httpd.apache.org/docs/howto/htaccess.html>>>

There's a security patch courtesy of Becki which you can get here... <<<http://www.beckspaced.com/gb_fix/index.php>>>, it's designed for 2.3.1 so I don't know how well (if at all) it will work with 2.2.

Perhaps the easiest way for a hacker to find a guestbook is via a search engine so consider blocking search-bots in your robots.txt file. More about robots.txt files here... <<<http://www.robotstxt.org/wc/exclusion.html>>>

Most hackers will target the file called admin.php so think about renaming it, you'll have to change anything that links to it and I don't know how big a job that is.

Remove the 'administration' link from the top of the guestbook pages. There's two pages to change, one's called body.php and the other is form.php, both are in the templates folder. For both pages look for the following...



...and either delete it or comment it out (you could also keep it in and mess about creating transparent gif's and null messages).

THE BIT AT THE END
Several options to go at, using one or more of them should make your guestbook more secure. I'd say that if you can upgrade to version 2.3.1 then go for it but if you can't then get some security in place before it's too late.

That's it.

Trevor
Sheryl,

One possible cause - have you deleted the footer.php file (i.e. removed the 'powered by Advanced Guestbook' from the bottom of the page)?

If so, that could be the cause of the problem, it's returning the error because footer.php now has a file size of 0.

Put something in your footer.php file - anything will do, even blank spaces. If you've deleted the file this is what it originally contained...



Try doing this and if it doesn't work post another message and include the URL to your guestbook.

P.S. The info above came from posts by Carbonize and JTD so any credit goes to them.

Regards,

Trevor
Michelle,

Try doing this...

In case it goes wrong make back-ups of these two files first...

form.php in the templates sub-directory
english.php in the lang sub-directory


TO REMOVE THE PRIVATE MESSAGE BOX

You need to edit the file called form.php in the templates sub-directory. About 12 lines from the bottom you should find this...



You can either delete it and get shut of it for good, or comment it out in case you want to bring it back later.

That's it, save it and you're done - no more private message option.

TO CHANGE THE MESSAGE AT THE TOP OF THE PAGE

All the messages are contained in the file called english.php in the lang sub-directory. Open it and scroll down to about line 28 and look for this...



Change the message to whatever you want. Save it and you're done.

A SUGGESTION

You're running guestbook version 2.2, you might want to consider changing to 2.3 as it's a more secure version with less chance of being hacked etc (check out the number of posts on this forum about hacked version 2.2 guestbooks) - just a thought.

Also, just to reiterate what JTD said - your guestbook's right down at the bottom of the page - makes it kind of hard to view it.

If you come unstuck post another message or email me <guestbook at kahlil dot org> and I'll see what I can do.

Trevor
Not a common problem.

Which links are broken and what happens when you click them?

Also, what's the URL of your guestbook?

Trevor
Try this post...

<<<http://proxy2.de/forum/viewtopic.php?t=2877>>>.

You should be able to figure a solution, if not, post a message or email to guestbook at kahlil dot org and I'll try and look at it over the weekend.

Trevor
Hi,

If you're wanting to change the text / images / links etc in the footer just open footer.php in the templates sub-directory and make whatever changes you want. Very simple version of footer.php below creates 2 text links at the foot of the page to Yahoo and Google...



Hope this is what you were asking about,

Trevor
Hi Michelle,

Instruction manual for Advanced Guestbook can be found here...

<<<http://www.geocities.com/nathalonia/gbpoll>>>

There's also instructions for Advanced Poll.

They're written by Jam'n and Auron.

Hope this helps.

Trevor
Thanks for the above ideas - it sounds feasible enough. Slight problem at the moment in that the webhosting's gone down.

As soon as it's up and running again I'll give it a go and let you know how I get on.

Many thanks again.

Trevor
Hi Lloyd,

I love what you've done with your guestbook - it looks great.

I'd be interested to know what you did to incorporate the same page header in your guestbook as the other pages on your site. I use a dynamic drop down java menu at the top of all my pages and would like to include this in the guestbook.

The 'instructions' for the menu are written into the html header on each page, it checks the users browser then pulls in the appropriate file from the root directory.

Any pointers as to how to include the 'instructions' in the guestbook would be much appreciated.

Regards,

Trevor
Hi,

I don't know but maybe the problem with the images is that you've got a sub-domain and it's screwing with the base_url. Have you tried manually linking instances of <img src =xxxxx>?

I'm getting permission errors but you said you've got them all set to 777!

This is what I get when I add an entry (which included a picture)...

Warning: unlink(index.html): Permission denied in /home/aestar/public_html/eric/guestbook/lib/add.class.php on line 80

Warning: copy(/home/aestar/public_html/eric/guestbook/public/img-1088836559.jpg): failed to open stream: Permission denied in /home/aestar/public_html/eric/guestbook/lib/add.class.php on line 161

Warning: getimagesize(/home/aestar/public_html/eric/guestbook/public/img-1088836559.jpg): failed to open stream: No such file or directory in /home/aestar/public_html/eric/guestbook/lib/add.class.php on line 258
Guestbook
.

About changing the drop down menu - the quote from one of my other posts won't work, it was a fix for someone who was already part way there. Try this instead... <<<http://proxy2.de/forum/viewtopic.php?t=3315>>>

Like to help more but you've got some weird stuff going on and apart from the above - it's beyond me.

Hope you get it sorted.

Trevor
This subject seems to come up quite a bit and has caused a few problems of late. So... instructions to add links to the drop down menu, it works in versions 2.2 and 2.3 - don't know about other versions.

Quick Instructions - if you're familiar with this sort of stuff, Step By Step Instructions (further down) if you're not.

QUICK INSTRUCTIONS

1: Insert the following right at the beginning of the header.php file...

<script language="Javascript">
<!--
function urlJump(target,selObj) {
var optionValue = selObj.options[selObj.selectedIndex].value;
var isURL = /http:/;
var regMatch = isURL.test(optionValue);
if(regMatch == true) {
eval(target+".location='"+selObj.options[selObj.selectedIndex].value+"'");
}
}
// -->
</script>


2: Go to where the jump menu is generated in the gb.class.php file (about line 60) and make the changes so it reads as below. The blue bit is the code that was already there, the red bit is what you've just added...

function generate_JumpMenu() {
$menu_array[] = "<select name=\"entry\" onChange=\"urlJump('self',this)\" class=\"select\">";
$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";
$menu_array[] = "<option value=\"http://www.google.com\" class=\"select\">Google</option>";

$menu_array[] = "<option value=\"0\" selected>".$this->db->LANG["FormSelect"]."</option>";

3: Edit the Yahoo and Google bits to whatever suits.

4: Any links you add at this stage don't require the 'go' button as they're jump links. But... as the number of entries in your guestbook grows more pages will be added with links automatically added to the menu.

If you want to make all menu entries into jump links you'll need to edit the script where menu items are added and change the onChange=\"urlJump part. You then don't need the 'go' button. Delete the following if you want to remove it...

$menu_array[] = "<input type=\"submit\" value=\"".$this->db->LANG["FormButton"]."\" class=\"input\">";



STEP BY STEP INSTRUCTIONS

1: You'll change the following files so good idea to make backups first: gb.class.php in the lib subdirectory and header.php in the templates subdirectory.

2: Open header.php. Copy and paste the following right at the beginning (even before the metatags).

<script language="Javascript">
<!--
function urlJump(target,selObj) {
var optionValue = selObj.options[selObj.selectedIndex].value;
var isURL = /http:/;
var regMatch = isURL.test(optionValue);
if(regMatch == true) {
eval(target+".location='"+selObj.options[selObj.selectedIndex].value+"'");
}
}
// -->
</script>


3: Save the changes. Now open gb.class.php. These changes add two links, details later about how to add more or less.

4: Scroll down to the following line (with line numbering on it's somewhere around line 60)...

function generate_JumpMenu() {

5: Copy and paste the following so it starts on a new line after the script quoted above (don't worry about the Yahoo and Google bit for now)...

$menu_array[] = "<select name=\"entry\" onChange=\"urlJump('self',this)\" class=\"select\">";
$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";
$menu_array[] = "<option value=\"http://www.google.com\" class=\"select\">Google</option>";


6: OK, now you should have the following - the blue bit is the code that was already there, the red bit is what you've just added...

function generate_JumpMenu() {
$menu_array[] = "<select name=\"entry\" onChange=\"urlJump('self',this)\" class=\"select\">";
$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";
$menu_array[] = "<option value=\"http://www.google.com\" class=\"select\">Google</option>";


7: Now delete the 'old' part of the script. That's the bit that comes after what you've just copied and pasted and BEFORE the following...

$menu_array[] = "<option value=\"0\" selected>".$this->db->LANG["FormSelect"]."</option>";

8: All being well you've now got the following (blue was already there, red is what you've added)...

function generate_JumpMenu() {
$menu_array[] = "<select name=\"entry\" onChange=\"urlJump('self',this)\" class=\"select\">";
$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";
$menu_array[] = "<option value=\"http://www.google.com\" class=\"select\">Google</option>";

$menu_array[] = "<option value=\"0\" selected>".$this->db->LANG["FormSelect"]."</option>";

9: If you want to check it at this point then save the changes (don't close the file as there's more changes to make), view your guestbook page and check the Yahoo and Google links in the menu.

10: If you only want to add one link then delete the following...

$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";

11: If you want to add more than 2 links then copy and paste the following as many times as you want...

$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";

For example, the following allows you to add 5 links (blue is original text, orange is what you added earlier, red is what you need to add now)...

function generate_JumpMenu() {
$menu_array[] = "<select name=\"entry\" onChange=\"urlJump('self',this)\" class=\"select\">";
$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";
$menu_array[] = "<option value=\"http://www.google.com\" class=\"select\">Google</option>";

$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";
$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";
$menu_array[] = "<option value=\"http://www.yahoo.com\" class=\"select\">Yahoo</option>";

$menu_array[] = "<option value=\"0\" selected>".$this->db->LANG["FormSelect"]."</option>";

12: OK, you've now got as many new links on the menu as you want - just go through the script you've added and replace any instances of yahoo.com and google.com with the URL's you want to link to. Make sure there's a backslash at the end of the URL (e.g. http://www.yahoo.com\ is correct, http://www.yahoo.com isn't).

13: Go back through the script and replace instances of Yahoo and Google with appropriate descriptions for the links.

14: An example of an edited line that links to my-web-site.com/home from a menu entry that says Home Page would look like...

$menu_array[] = "<option value=\"http://www.my-web-site.com/home\" class=\"select\">Home Page</option>"; .

15: What you've got now is a jump menu - when you click one of the entries you've just added you go straight to the page without needing to hit the go button. However, the guestbook will automatically add more links to the menu as your guestbook grows and entries are displayed on more than one page. To link to these pages you'll need to hit the 'go' button.

16: That's it. Save it and test it. If it all works then fine, if not then check it and if still no joy then reinstate the original versions which you backed up earlier, resign yourself to not having links in your menu, grab a cold beer and chill out by watching some really funny toons here <<<http://www.weebls-stuff.com/toons>>>

=======================================================================

Questions, problems, comments about the above? E-mail to guestbook at kahlil dot org, if I've got a bit of spare time I'll try and help.

Trevor
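
An eval-free version of the urlJump handler from the post above, as an added example that is not part of the original post or of Advanced Guestbook: it parses the selected option value, accepts only http/https URLs whose host is on an allowlist, and assigns the location directly instead of building a string for eval. The names safeJumpTarget, ALLOWED_HOSTS, FRAME_NAMES, compareChecks and the third win parameter are assumptions introduced here; the onChange="urlJump('self',this)" attribute in gb.class.php stays as it is.

```javascript
// Added example, not part of the original post or of Advanced Guestbook.
// Hosts the jump menu may link to (assumption: edit to match your own links).
const ALLOWED_HOSTS = new Set(["www.yahoo.com", "www.google.com"]);
// Window references the handler may navigate; replaces eval(target + ".location=...").
const FRAME_NAMES = new Set(["self", "parent", "top"]);

// Returns a normalized URL string if the option value is safe to jump to, else null.
function safeJumpTarget(optionValue, allowedHosts = ALLOWED_HOSTS) {
  if (typeof optionValue !== "string") return null;
  let url;
  try {
    url = new URL(optionValue.trim()); // throws on "0", page numbers, relative paths
  } catch (err) {
    return null;
  }
  // Check the parsed scheme instead of searching the string for "http:".
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Reject user-info forms such as http://www.yahoo.com@other.example/
  if (url.username !== "" || url.password !== "") return null;
  if (!allowedHosts.has(url.hostname)) return null;
  return url.href;
}

// Same call shape as the original: onChange="urlJump('self',this)".
// The third parameter exists only so the handler can be exercised outside a browser.
function urlJump(target, selObj, win = globalThis) {
  if (!FRAME_NAMES.has(target)) return false;
  const dest = safeJumpTarget(selObj.options[selObj.selectedIndex].value);
  if (dest === null) return false; // leave non-link entries to the 'go' button
  win[target].location.href = dest;
  return true;
}

// Constructed sample option values (not taken from any real guestbook).
const SAMPLE_VALUES = [
  "http://www.yahoo.com",                // intended menu link
  "0",                                   // the "select" placeholder entry
  "ftp://files.example/http:/readme",    // contains "http:" but is not an http URL
  "http://www.yahoo.com@other.example/", // allowed name used as user-info
  "http://other.example/page",           // http, but host not on the allowlist
];

// Compares the original unanchored /http:/ test with the hardened check.
function compareChecks(values = SAMPLE_VALUES) {
  return values.map((v) => ({
    value: v,
    originalRegex: /http:/.test(v),
    hardened: safeJumpTarget(v),
  }));
}
```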
Hi Mike,

I'm FAR from an expert, I just bumble around with the script and see what happens - what I've picked up has been more through trial and error than anything, but I'll see if I can help.

OK, it looks like you've got 2 GIF files - camera.gif and guestbook.gif. When I looked at your guestbook neither were displaying on either the view or sign pages (didn't matter if I went forward or backward between the pages). I guess they're still loaded on the server?

Looking at the html everything's OK apart from null strings where IMG SRC should be. I put some test graphics in and everything worked fine.

Problem could be in the script of body.php, it should look something like (it's pretty close to the top)...

<tr><td align="center" class="font2"><a href="http://www.your-domain.com/home"><img src="$GB_PG[base_url]/img/your-logo.gif" width="197" height="40" border="0"></a><br>


The alignment, width, height, URL, name of graphic etc may be different but the general syntax should be the same, you might also have a load of nbsp's in the script (they're irrelevant).

Have a look at your body.php file and see if it's all in order. If you can't get it working I don't mind having a look at the file for you - can you mail me a copy of your body.php file, the guestbook.gif and camera.gif would be useful too. E-mail addy is: guestbook at kahlil dot org.

Regards,

Trevor
 