Hacked By...who?

Did I miss something here; http://forums.xisto.com/no_longer_exists/

Or has it been like that and I'm just stupid... Click the FAQ link at the top of the forum.


Seems like quite a few people are getting that message on their sites:


Security looks like it needs to be tightened up pretty quickly, and I hope someone was taking backups...?


Good catch! OpaQue has been notified. Let's hope that he sees it soon. I wonder what the vulnerability was?


The same hacker got the AEF Forum Board, which is hosted on the Xisto - Web Hosting system, a few Sundays ago. Nasty stuff. But only a defacement. No DB stuff got hurt.


The credit system's site FAQ script and the AEF script must have something in common--along with all the other sites this hacker defaced. Which means something with SQL injection, a PHP ini file hack or a combination of the two, because the AEF and FAQ scripts share no common function except SQL and the PHP index. And the fact that there was only the defacement suggests the ability to modify index.php only...


I don't think we should worry too much about these people, they just want a lot of google results to show off their skills.


I remember someone from a different community telling me about an HTML script that will deface a website if it has some sort of submission method...not sure if this could be it, it's fairly old. From someone named Kerion, he may be from Xisto but I'm not sure.


Yeah, I remember the Cutenews security issue a while back...Cutenews' search function allowed anyone with decent skill to wipe out news.txt, which holds Cutenews' posts, and insert a new post. This search function allowed a registered member (via submit) to self-promote to an admin account, which allowed them to delete existing posts and insert a new one. So something similar to submit, posting and account privilege.


Wait, so the credit system uses Cutenews? That's cool haha, I thought it would be some pro MySQL thing written by OpaQue :).


No, what I meant to say was that Cutenews was also hacked in a similar fashion--defacing and changing just the index.php file through a vulnerability in the search function. When a PHP script is written--without constant checking--it allows a hole that allows remote file changes. The credit system is in PHP...and perhaps MySQL as far as I know.