
Hacked By...who?


Kubi

Did I miss something here; http://forums.xisto.com/no_longer_exists/

Hacked by DumansaLŠ 2005 ~ 2008 - All Rights Reserved

Fatal error: Invalid Database Type in /home/thecred/public_html/inc/db.php on line 41


Or has it been like that and I'm just stupid.... Click the FAQ link at the top of the forum.

rvalkass

Seems like quite a few people are getting that message on their sites:

https://www.google.co.uk/webhp?hl=en&gws_rd=ssl=

Security looks like it needs to be tightened up pretty quickly, and I hope someone was taking backups...?


BuffaloHelp

Good catch! OpaQue has been notified. Let's hope that he sees it soon. I wonder what the vulnerability was?


jlhaslip

The same hacker got the AEF Forum Board, which is hosted on the Xisto - Web Hosting system, a few Sundays ago. Nasty stuff. But only a defacement. No DB stuff got hurt.


BuffaloHelp

The credit system's site FAQ script and AEF script must have something in common--along with all the other sites this hacker defaced. Which means something with SQL injection, a PHP ini file hack or a combination of the two. Because the AEF and FAQ scripts share no common function except SQL and the PHP index. And the fact that there was only the defacement suggests the ability to modify index.php only...


Dooga

I don't think we should worry too much about these people, they just want a lot of google results to show off their skills.


Kubi

I remember someone from a different community telling me about an html script that will deface a website if it has some sort of submission method...not sure if this could be it, it's fairly old. From someone named Kerion, he may be from Xisto but I'm not sure.


BuffaloHelp

Yeah, I remember the Cutenews security issue a while back... Cutenews' search function allowed anyone with decent skill to wipe out news.txt, which holds Cutenews' posts, and insert a new post. This search function allowed a registered member (via submit) to self-promote to an admin account, which allowed them to delete existing posts and insert a new one. So something similar to submit, posting and account privilege.


Dooga

Wait, so the credit system uses Cutenews? That's cool haha, I thought it would be some pro MySQL thing written by OpaQue.


BuffaloHelp

No, what I meant to say was that Cutenews was also hacked in a similar fashion--defacing and changing just the index.php file through the vulnerability of the search function. When a PHP script is written--without constant checking--it allows a hole that allows remote file change. The credit system is in PHP...and perhaps MySQL as far as I know.


