OMG
MrPhil:
1. "OMG" is a useless topic subject. Please use something useful like "All avatars changed by hacker!"
2. Are the avatar files themselves changed (I think the names are encrypted), or are the member database entries pointing to the new avatar(s)? In the former case, it may be that the hacker did nothing to the database, just the files. Just saying, so you keep an open mind on this and don't chase this rabbit down the wrong hole (assuming SQL injection, which SMF 2 should not be vulnerable to).
Texan78:
--- Quote from: MrPhil on May 25, 2012, 12:22:27 PM ---1. "OMG" is a useless topic subject. Please use something useful like "All avatars changed by hacker!"
--- End quote ---
I agree, "All avatars changed by hacker!" is more useful compared to an OMG, which is useless, yes, but effective. Look at the responses he's getting.
Back on topic, Mr Phil brings up a good point. While it may be easy to resolve the issue, you need to troubleshoot why this happened so as to prevent it in the future. Like he suggested, check the database and see if all the members are pointing to the same avatar file location. If so, you know it was the files that were hacked. If SQL injection, each user will have its own entry for each avatar. Regardless, removing them from the database will rid the avatars from displaying. After that you need to investigate how the hack was accomplished, but make note of how the entries were in the DB before you empty the column.
MrPhil:
--- Quote from: Texan78 on May 25, 2012, 03:44:32 PM ---I agree, "All avatars changed by hacker!" is more useful compared to an OMG, which is useless, yes, but effective. Look at the responses he's getting.
--- End quote ---
Hmm. Maybe next time I open up a topic I'll try "Pictures of beautiful naked women!" for a subject.
--- Quote ---if all the members are pointing to the same avatar file location. If so, you know it was the files that were hacked. If SQL injection, each user will have its own entry for each avatar.
--- End quote ---
Actually, my guess is that it would be the other way around. If I wanted to screw up a members database, I'd point each entry to the same file (one DB query). Of course, the offensive avatar has to be loaded up in the first place, and its hashed name known to the hacker, so maybe they actually got signed on as site owner at some point? Otherwise, if they were doing remote SQL work, I suppose they could query the name of their own (offensive) avatar and then set everyone else to point to that name. Something like that. But the bottom line is that the hacker either pulled off an SQL injection (meaning SMF has a security hole), or got signed on as the site owner (usually through theft of password on their PC).
Texan78:
I like your theory and I definitely agree. I may have worded my last post backwards. Definitely check your DB; it will be a tell-all. If all the members' avatars are the same file you will know it was a SQL injection. If they are all different then it was a file injection and they are either hosting the image off-site or found some way to upload it to your site. If you haven't deleted it yet, right click on the avatar and find the file path to the image. That will tell you if it is hosted on your server or offsite. I know you mentioned you deleted all the avatars from your folder and it still was visible. That tells me one, it is hosted off-site, or they have hidden in a different directory. Right clicking the avatar and checking the file path will tell you where it is coming from.
BTW, I would absolutely read a post if it had a topic like that! Hey, what guy is going to turn down pictures of beautiful naked women! ;D
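The database check discussed in this thread, as an added example that was not posted by any participant: it snapshots the avatar column before anything is emptied, then reports how many members share one value and which off-site hosts appear. It assumes SMF 2.0's `members` table with `id_member` and `avatar` columns; the `smf_` prefix, the in-memory SQLite table standing in for the forum's MySQL database, and all sample rows are constructed.

```python
import csv, io, re, sqlite3
from collections import Counter
from urllib.parse import urlparse

def triage_avatars(conn, prefix="smf_"):
    """Snapshot the avatar column as found, then summarise its distribution."""
    # The table name cannot be a bound parameter, so validate the prefix.
    if not re.fullmatch(r"[A-Za-z0-9_]*", prefix):
        raise ValueError("unexpected table prefix")
    rows = conn.execute(
        f"SELECT id_member, avatar FROM {prefix}members ORDER BY id_member"
    ).fetchall()

    # Evidence first: keep the entries exactly as they were before cleanup.
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id_member", "avatar"])
    writer.writerows(rows)

    values = Counter(avatar for _, avatar in rows if avatar)
    top_value, top_count = values.most_common(1)[0] if values else ("", 0)
    hosts = {urlparse(v).hostname for v in values
             if v.lower().startswith(("http://", "https://"))}
    return {
        "members": len(rows),
        "distinct_avatars": len(values),       # 1 means every set avatar is identical
        "top_value": top_value,
        "top_share": top_count / len(rows) if rows else 0.0,
        "offsite_hosts": sorted(h for h in hosts if h),
        "snapshot_csv": buf.getvalue(),
    }

def constructed_db():
    """Constructed sample: five members, three pointing at one off-site image."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE smf_members (id_member INTEGER PRIMARY KEY, avatar TEXT)")
    conn.executemany("INSERT INTO smf_members VALUES (?, ?)", [
        (1, "http://img.example.net/x.png"),
        (2, "http://img.example.net/x.png"),
        (3, "http://img.example.net/x.png"),
        (4, "gallery/a.png"),
        (5, ""),
    ])
    return conn

if __name__ == "__main__":
    report = triage_avatars(constructed_db())
    for key in ("members", "distinct_avatars", "top_value", "top_share", "offsite_hosts"):
        print(f"{key}: {report[key]}")
```

Save `snapshot_csv` alongside the web server access logs for the same period before emptying the column, so the original entries can still be compared against whatever the investigation turns up.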