Adv Guestbook 2.3.1 - hacked
Anonymous



I upgraded to 2.3.1 because 2.2 was hacked. Had the endless admin loop login problem, so used the 'fix' someone suggested, replacing the 2.3.1 session.class.php with the 2.2 version. Fixed the admin login. Thought all was right with the world. But somebody hacked my 2.3.1 g'book last night. I've repaired the damage and made admin.php unavailable for now until a better solution comes along.

-Jack
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

Your best bet is to get in touch with Carbonize here on the forums.

LINK-> Use Lazarus Guestbook
Bactrian
Beginner

Joined: 15/07/2004 23:46:29
Messages: 10
Location: So. Ca.
Offline

My 2.2 guestbook has been hacked; I get this (This Site Hacked By BLaCk ScorPioN) along with a photo and some more text. I found out that my server had a setup for upgrading it to 2.3.1 so I did that but I still have the hack problem. I have been trying to find the right file to see if I could fix it but have had no luck.
If anyone has some ideas on how to remove this hack I would really be very grateful!!!

This is the link to the guestbook;
http://www.camelphotos.com/guestbook/index.php

Thanks to all for any help
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

ROFLMAO I am sorry, I know it's not funny, but I found it just by looking at your source code. Look for that in your files. By the way, here is their IP information and their ISP server in Finland.
http://www.mbnet.fi/mbinternet/
Name: www.mbnet.fi
IP Address: 194.100.161.11
Location: Vantaa (60.178N, 24.933E)
Network: RIPE-CBLK2

<div align="center"><br />
<div align="center" style="width: 790; height: 2000"><br />
<br />
<br />
<p align="center"><font color="red" size="10"><b>This Site Hacked By <br />
BLaCk ScorPioN <br />
<p align="center"><img border="0" src="http://koti.mbnet.fi/sna/mortalkombat/images/mk5char/scorpion.jpg" width="300" height="300"></p><br />
¤BLaCk ScorPioN ¤</i></font></p><br />
<p align="center"><font color="red"><span style="BACKGROUND-COLOR: blck"><br />
<p align="center"><font color="red" size="6"><i><br />
My Team rEd ScorPioN & ELsa7er hackEr Muslim<br />
<p align="center"><font color="red" size="5"><i><br />
Website U.S WwW.hakr.tk</span></font></p><br />
<p align="center"><font color="red"><span style="BACKGROUND-COLOR: #000000"><br />
<p align="center"><font color="RED">black_scorpion_xp10@HotMail.com</font></p><br />
<p align="center"><font color="red"><span style="BACKGROUND-COLOR: #000000"><br />
<p align="center"><font color="RED"><br />
My Masseaeg>>> Fuck You Admin<br />
I'm Not Sorry Hacked Your Site BY<br />
Red Scorpion Taem We Arab Hackers We Well Fuck Evreyone From Usa Or Israel<br />
Fuck Usa And Fuck Israel<br />
lOl>>>>>>><br />
¤Mr 3aDeL_hackEr¤</font></p>

LINK-> Use Lazarus Guestbook
Anonymous



The first thing I did was look at the source code but I can’t find the file it is in, and I have looked at all the files more than once with no luck. Usually I can find my way around and it looked like it should be under gb_entries but I can’t find that file.

Looking at other guestbooks I found others that have the same hack on them and have already received an email from someone that is having the same problem.

Thanks for any help
Anonymous



You can remove the hack entry by going into MySQL Admin and deleting the entry that has all that code in it. In my g'book, they 'corrupted' an existing entry, rather than creating a fresh entry, so I wasn't sure how much of the domain & ISP info was the hacker's and how much was from the original poster.

That doesn't FIX the overall problem though. I disabled admin.php so that even I can't get into admin w/o replacing it.

SitePoint has an article about SQL injection attacks but I'm not sure how to apply the ASP code to the guestbook php files. Maybe somebody here with a little more php/mySQL savvy can 'convert' that fix for us. Hint, hint.

-Jack
Bactrian
Beginner

Joined: 15/07/2004 23:46:29
Messages: 10
Location: So. Ca.
Offline

One of the first things I tried was going to Guestbook Admin, Easy Admin. The hack pops up there too and there is no way of deleting it. The delete and edit buttons for it are gone.

Going into (public_html/guestbook/admin) I don’t see the file there I’m looking for.

I know this should be an easy one, but I just can’t find the file it's under.

If nothing else I’m having a little fun searching around and learning some new things.
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

Gee, I posted the code for you in the above post. Try index.php. And if all else fails, if you make regular backups like everyone should, then just do a backup install to a clean version. Also might help to get your ISP to update their version of PHP. GB version 2.3.1 shouldn't be affected by the exploit if PHP is updated. Unless someone just outright hacked your username and password. In which case you must use real simple ones.

LINK-> Use Lazarus Guestbook
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

All entries and settings are stored in SQL so simply reupload the complete lib and template folders; also reupload index.php. I'm guessing you had write access granted on the files and they changed them by logging into your admin.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

Actually it looks like they just got admin access, then put in a post directly, thereby bypassing the anti-HTML script. If you want, you can contact me and I can log in and delete the entry for you.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
aluminumlady
Beginner

Joined: 24/07/2004 22:16:39
Messages: 22
Offline

I had my guestbook hacked the second day I put it up. At first I was shocked. I could not get in to the admin page because my password was changed. I found a generic code (I think I found it on this site)
') OR ('a' = 'a
that the hacker probably used. I used it to access my easyadmin to delete the posting. If you can't see the delete button, left click and slide across the page to highlight all the words. The delete button is over to the right. He changed the background and text to all black and the text to 0. I changed it all back including my password. However, then I placed a gif as the background in the body.php
Type <body background="img/yourwallpaper.gif"> at the top of the body.php in admin files for your site (not the simple admin page). Upload the wallpaper for the background for the guestbook. That way at least the entire guestbook page is not turned black.
I don't think I will upgrade the guestbook because this problem may be annoying but it is easy to fix.

Recycling - The ability to see good in everything
[WWW]
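
Added example, not part of any post in this thread and not Advanced Guestbook's own code: a PHP rendering of the fix Jack asks for above, run against the string aluminumlady quotes. The table and column names are hypothetical, the account is constructed, and SQLite's hex() stands in for a SQL-side password function so the script runs offline.

```php
<?php
// Added example. Table/column names are hypothetical, not Advanced Guestbook's schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gb_auth (username TEXT, legacy_pw TEXT, pw_hash TEXT)');

// Constructed sample account. hex() stands in for a SQL-side hashing function.
$add = $db->prepare('INSERT INTO gb_auth VALUES (?, hex(?), ?)');
$add->execute(['admin', 's3cret-pass', password_hash('s3cret-pass', PASSWORD_DEFAULT)]);

// Before: request values are pasted into the SQL text, so quotes in the
// input become part of the query itself.
function login_concatenated(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM gb_auth
            WHERE username = '$user' AND legacy_pw = hex('$pass')";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// After: the SQL text is fixed and values travel as bound parameters;
// the password is checked in PHP against a salted hash.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM gb_auth WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

$quoted = "') OR ('a' = 'a";   // the string quoted in the thread
$cases = [['admin', 's3cret-pass'], ['admin', 'wrong'], ['admin', $quoted]];
foreach ($cases as [$u, $p]) {
    printf("%-18s concatenated=%-5s prepared=%s\n", $p,
        var_export(login_concatenated($db, $u, $p), true),
        var_export(login_prepared($db, $u, $p), true));
}
```

The two functions agree on the correct and the wrong password; they differ only on the quoted string, which the concatenated query accepts and the prepared one rejects.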
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

Don't get overly confident. There are a few of those hackers out there that can do enough damage you won't be able to fix it. Best to upgrade.

LINK-> Use Lazarus Guestbook
Anonymous



Same "scorpion" attacked one of the volunteer sites I built. I deleted the entry through the SQL. But now I need to try to recover the password.

Here are the IPs he used on his 2 posts:

217.197.78.11
217.94.165.170
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

How do you know they are the IPs they used? They just go in and edit a post so the IP in the post is that of the original poster and not the "hacker". Just to add, these people are not hackers but children seeking attention. Yes, they do seem obsessed with the name scorpion; most of the ones I have fixed have been by one scorpion or another. Funny how these people always claim to be from Middle Eastern countries.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

JasonD wrote: Same "scorpion" attacked one of the volunteer sites I built. I deleted the entry through the SQL. But now I need to try to recover the password.

Here are the IPs he used on his 2 posts:

217.197.78.11
217.94.165.170


Use the same hack and change the password and login. Then upgrade to 2.3.1

LINK-> Use Lazarus Guestbook
 