iSoaker.net :: Soaking the world!

I seemed to have logged on during a bot attack.



After it was over, a new piece of coding has been inserted into the page source.

Code: Select all

<iframe src='http://doiop.com/banner_small' width=1 height=1 style='visibility:hidden'></iframe>

How annoying...

DX, upgrade the board as soon as possible. I don't have the time to clean these up every few weeks.

I've removed the injected code and have changed the copyright notice so the version number doesn't show. Hopefully this will advert attacks. I do know that the majority of these attacks use Google to find boards and they search by board version, so hopefully this will help us in that respect.

Something I thought I'd point out:

Terms of use:
Using doiop.com for spamming and/or illegal purposes is strictly forbidden and any such use will be reported to all ISPs involved and to the proper governmental agencies. This service is provided without warranty of any kind.

@Ben: Thanks for fixing it so quickly!

@C-A_99: the irony is sickening. Then again, there's no definite proof that the ones running doiop.com are the ones actually responsible for the bots (though there's a good chance they are).

Sadly, WWc has been hacked again (same doiop.com link inserted). Not sure if anyone knows how the bot is managing to insert something into the scripts. That said, until that board is patched and security tightened, I do not presently recommend using that site unless you have Ad-Block up and running, verifying that no weird links or scripts are being loaded while browsing that board.

I'm going to disable the board until DX can patch the board or give me the details to patch the board. If I had FTP access and a copy of the server logs, I could figure out what's going on and likely make a patch of my own, but I don't have access to that.

While I'm not completely sure, I'm fairly confident the problem is this one: http://www.securityfocus.com/bid/18836

Hmm...since it's the same cracker, removing the IPB version number isn't going to help. Thankfully, IPS fixed the problem for version 2.2.

so, if the problem is the one Ben has mentioned, then we can't really be safe, unless we use a board that is not an invision board?

Is it possible to block sql injections into the forum, or is that simply impossible?
The Doiop.com link leads to google, for those that are wondering (just followed the link myself)

The bug report page doesn't mention a vulnerability in either IPB 2.2 or 2.3. But doiop knows WWC uses 2.1. We need to get the boards updated.

Any forum and any version can be cracked...for each one, it's always a race to stay ahead. There are tons of different holes that get discovered and blocked. The best boards are either proprietary ones (like vBulletin and IPB) whose source code is hidden and thus safer, and less-popular ones (like YaBB, SMF, and way too many to mention) that don't attract much attention. By that logic, phpBB is the worst...although it updates often, they have to because it's so easy to crack. Which makes it a pain for administrators.

The doiop link probably redirects and does some crap to your computer before redirecting to Google. In my opinion, it doesn't really matter...it's more important to remove the link in the first place.

I'll explain SQL injection attacks for those those don't understand them. They're a result of bad programming and can be easily prevented.

Websites often pass variables to scripts in the URL or via post data. You've probably seen URLs here like the below.

Code: Select all

http://www.isoaker.net/isnet/posting.php?mode=reply&f=48&t=3083

The numbers let the script know which posts and thread you want to post in. The database itself is accessed with a command something like this if you were reading a thread:

Code: Select all

$query = "SELECT * FROM posts WHERE threadid='".$thread."';"

The URL might look something like this:

Code: Select all

http://www.website.com/forum/thread.php?thread=128

That would return a list of posts in threadid $thread. But, unless some other code was added, this makes the script very open to attacks. If someone tried a URL like below:

Code: Select all

http://www.website.com/forum/thread.php?thread=128';DROP TABLE posts;--

Then the query for the SQL server would look like this:

Code: Select all

SELECT * FROM posts WHERE threadid='128';DROP TABLE posts;--';

The semicolon means "new command" to SQL. The -- means everything after this on this line is a comment. So the query is valid SQL, but as described it will erase the posts table, so the board will be "hacked." This is where the name SQL injection comes from. Another SQL command is "injected" into the query.

Smart scripts "sanitize" the information coming in to prevent SQL injection attacks. For example, it would remove any non-numbers if it expects a number.

Interestingly, I researched some other boards here that are prone to SQL injection, and the old iSoaker.com forums are. I tried something out that would break the query and it did. Good thing that board isn't used any longer. SSC and iSoaker.net are both fine as far as SQL injection attacks are concerned.

Just in case that wasn't clear, the ' symbol and the ; do have meaning in SQL (and in most languages). A pair of ' is used to surround a string of characters that form the text that's being entered. The ; signals the end of the current statement. So SQL, the language that works with data in the database, doesn't treat such characters like text.

As Ben mentioned, good programmers should check the input to make sure no illegal characters go through. But people can get careless or lazy.

I've changed the settings for WWC so that logging in is required rather than simply turning the board off. Hopefully this will deter the hackers. If it doesn't, I'll turn off the board again. WWC is nearly dead sadly, and I don't imagine it will continue very well. This is just a sad ending though...

DX, if you give me FTP access I will patch the board with my own code to prevent SQL injections. Let me know. It's a rather easy patch from what I've read about it.