Welcome, Guest. Please login or register.
Amiga Kit Amiga Store Iridium Banner AMIStore App Store A1200/A600 4xIDE Interface

AuthorTopic: Hollywood forum hacked?  (Read 3980 times)

0 Members and 1 Guest are viewing this topic.

Offline Templario

Re: Hollywood forum hacked?
« Reply #15 on: March 20, 2011, 10:34:47 AM »
Quote from: CodePoet;623232
Sounds like an XSS "hack" - Comes down to bad sanity checking of user input, allowing the douche attacker to post content that immediately redirects you to another page
The problem now is different, but still exists.
The PC hackers don't respect to the computer minorities.
Amiga 500 with ROMs 1.3-2.05 and M-Tec AT 500 with hard disk and 4MB Ram.
WinUAE + Original OS 3.5&3.9
Sam440ep 800 MHZ + OS 4.1 F.E.
Sam460ex 1 GHz + OS 4.1 + Update 6. K.O.
MacMini 1.5 GHz + MorphOS 3.9
PowerBook G4 1.65 + MorphOS 3.9
 

Offline nicholas

Re: Hollywood forum hacked?
« Reply #16 on: March 20, 2011, 02:38:41 PM »
Quote from: pan1k;623227
What the hell was that video?! LOL!!


National Anthem of Livingston.
“Een rezhim-i eshghalgar-i Quds bayad az sahneh-i ruzgar mahv shaved.” - Imam Ayatollah Sayyed  Ruhollah Khomeini
 

Offline Mazze

Re: Hollywood forum hacked?
« Reply #17 on: March 20, 2011, 02:58:22 PM »
Unbelievable. I searched for "aros" and got pharmacy spam :hammer:

Offline Franko

Re: Hollywood forum hacked?
« Reply #18 on: March 20, 2011, 05:07:50 PM »
Quote from: nicholas;623269
National Anthem of Livingston.


:lol:

Nah... Livingston is the Scottish version of Milton Keynes with twice as many roundabouts... :)

This is Livis National Anthem...

[youtube]LNXHblt025o[/youtube]

PS: I thought everyone had seen The Firms - StarTreking Video... It was Number one int the British charts in 87... :D
 

Offline nicholas

Re: Hollywood forum hacked?
« Reply #19 on: March 20, 2011, 05:19:23 PM »
My Dad was on a course with the union up in Glasgow in 87 and bought me the 7 inch of Star Trekkin while he was there.
“Een rezhim-i eshghalgar-i Quds bayad az sahneh-i ruzgar mahv shaved.” - Imam Ayatollah Sayyed  Ruhollah Khomeini
 

Offline Franko

Re: Hollywood forum hacked?
« Reply #20 on: March 20, 2011, 05:24:19 PM »
Quote from: nicholas;623293
My Dad was on a course with the union up in Glasgow in 87 and bought me the 7 inch of Star Trekkin while he was there.


Ahh... you Dad must be a very wise man indeed then, Nowhere better to learn about a Trade Union than Glasgow (especially in the Thatcher era) plus he bought you The Firms best (only) ever single... that's what I call a very clever man with good taste...:)
 

Offline Piru

  • \' union select name,pwd--
  • Hero Member
  • *****
  • Join Date: Aug 2002
  • Posts: 6946
  • Total likes: 0
    • http://www.iki.fi/sintonen/
Re: Hollywood forum hacked?
« Reply #21 on: March 21, 2011, 02:19:21 PM »
Quote from: CodePoet;623232
Sounds like an XSS "hack" - Comes down to bad sanity checking of user input, allowing the douche attacker to post content that immediately redirects you to another page

Quick analysis of the situation

This most certainly isn't an Cross-Site Scripting (XSS) vulnerability. All non-existing URLs (404) redirect to the spam site as well. No reflected or stored XSS can do that.

The server running the forum hosts gazillion other sites as well: http://www.robtex.com/ip/80.237.132.227.html

After quickly testing the other sites they don't seem to be suffering from the same problem. This leads me to believe that the problem has been contained to hollywood-mal.com alone. If I'd have to guess someone has gained access to the control panel / admin interface used to manage the virtual hosting and has managed to modify either the apache2 config itself or .htaccess or other files.

Ramifications

From the looks of it it does appear that someone is only using the gained access to spam. It however isn't safe to assume this and for instance the phpbb forum user credentials should be considered compromised (that is: everyone should be damned sure they don't use same password elsewhere...). Sure, the passwords are hashed with a pretty good algo these days (salt & slow) but simple passwords are still trivial to crack with wordlists.

Additionally any confidential material (such as private keys, passwords etc) stored on the affected site should be considered tainted.

Incident response

The only reliable way to mitigate the issue would be to try to find out how the takeover / modifications to the site happened. Only then will it be possible to fix the problem and avoid any future takeover. It could be just easily guessable password for the control panel or something as silly. If there are access logs to the control panel / site admin interface those would be my first interest. That failing it'd have to be mapping all possible access points and then trying to find out if there are logs for those, and checking everything.

In the worst case scenario the access point can never be determined (due to missing/ lacking logging for instance) in which case it can be only matter of time before the site gets owned again.

Of course I can't possibly know of the tools, technologies or software used with this hoster or the particular site (except for the phpbb) and much of this is just huge bunch of guesses.

Example of the redirect follows:
Code: [Select]

$ echo -e 'GET /x HTTP/1.1\r\nHost: www.hollywood-mal.com\r\n\r' | nc www.hollywood-mal.com 80
HTTP/1.1 302 Found
Date: Mon, 21 Mar 2011 14:15:04 GMT
Server: Apache/2.2
Location: http://tabl[censored]eds.com
Content-Length: 285
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML 2.0//EN&quot;>
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href=&quot;http://tabl[censored]eds.com&quot;>here</a>.</p>
<hr>
<address>Apache/2.2 Server at www.hollywood-mal.com Port 80</address>
</body></html>