Coreye Posted February 9, 2009 Share Posted February 9, 2009 Any body else getting redirected there when on the forums? <META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://xsaimex.net"> is in the code like 7 times... Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/ Share on other sites More sharing options...
RichardRotterdam Posted February 9, 2009 Share Posted February 9, 2009 yup me. I thought to myself Is this for real whats going on. So pressed escape before the redirect and the checked the html source and found this in phpfreaks html <body> <META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://xsaimex.net"> Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758563 Share on other sites More sharing options...
corbin Posted February 9, 2009 Share Posted February 9, 2009 Yeah, happening to me too. Infact, using Web Developer bar in Firefox to disable meta redirects now. Is this XSS or an error? Or what's going on? Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758565 Share on other sites More sharing options...
Daniel0 Posted February 10, 2009 Share Posted February 10, 2009 Fucking took me, Tom and Tony two hours to track down. Then the stupid MySQL server crashed... Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758568 Share on other sites More sharing options...
premiso Posted February 10, 2009 Share Posted February 10, 2009 Was it an XSS exploit or a server hack? Just out of curiosity, was it a flaw in the new SMF code? Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758569 Share on other sites More sharing options...
Daniel0 Posted February 10, 2009 Share Posted February 10, 2009 We thought it was a flaw in SMF. Eventually we found out that one of the admin accounts on the forums had been used by an IP address in Latvia to modify the ads to have the meta redirects instead. Bloody idiots could at least have done it during day hours instead of in the middle of the night (for me)... Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758570 Share on other sites More sharing options...
serverman Posted February 10, 2009 Share Posted February 10, 2009 http://www.xroxy.com/proxy-country-LV.htm did they proxy? Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758573 Share on other sites More sharing options...
Daniel0 Posted February 10, 2009 Share Posted February 10, 2009 Dunno if it was a proxy. I guess I'll check that tomorrow later today. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758575 Share on other sites More sharing options...
serverman Posted February 10, 2009 Share Posted February 10, 2009 Is this XSS couldnt it have been xss to get password/user? Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758577 Share on other sites More sharing options...
corbin Posted February 10, 2009 Share Posted February 10, 2009 Typically cookies or something are required to steal passwords with XSS. So uhh.... how did the Latvian get into an admin account? Odd. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758597 Share on other sites More sharing options...
steelmanronald06 Posted February 10, 2009 Share Posted February 10, 2009 I'm curious as to how they got an admin account without SOME type of exploit in SMF code. my password is a random mixture of letters, numbers, and symbols. and there are no english words or dates/years in my password. I'm fairly sure the other admins passwords are of similar caliber, which makes me believe it is possibly a flaw in SMF source Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758625 Share on other sites More sharing options...
corbin Posted February 10, 2009 Share Posted February 10, 2009 It has to be an SMF flaw. I'm sure if it is, y'all will either find it or it will come out publically. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758635 Share on other sites More sharing options...
fenway Posted February 10, 2009 Share Posted February 10, 2009 Yet another reason to possibly switch forum software? this isn't their first time. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758747 Share on other sites More sharing options...
Daniel0 Posted February 10, 2009 Share Posted February 10, 2009 I'm not sure if the login was possible due to a flaw in SMF's code or because the passwords were retrieved from another place. It happened to two admin accounts though. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758751 Share on other sites More sharing options...
gevans Posted February 10, 2009 Share Posted February 10, 2009 SMF does seem a bit buggy from time to time. I think a change in forum software could be a good call, lots of work.. but would be good to try another bit of software on a board of this size. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758801 Share on other sites More sharing options...
serverman Posted February 10, 2009 Share Posted February 10, 2009 well if they can get into Mysql and figure out salt then they could dehash your passwords that website had music downloads... now they are gone lol but now it has a lot of script kiddie tools so i would bet that it was not the owner of the website but it was a user of it and might have used some of the tools off that site. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758861 Share on other sites More sharing options...
premiso Posted February 10, 2009 Share Posted February 10, 2009 I'm curious as to how they got an admin account without SOME type of exploit in SMF code. my password is a random mixture of letters, numbers, and symbols. and there are no english words or dates/years in my password. I'm fairly sure the other admins passwords are of similar caliber, which makes me believe it is possibly a flaw in SMF source Reminds me of the movie hackers.... GOD is the number 1 password used, how dumb is that. lol Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758877 Share on other sites More sharing options...
tomfmason Posted February 10, 2009 Share Posted February 10, 2009 Although this current incident is not directly related to SMF I am still for a switch. Believe me when I say I tried to make a connection to SMF but I really don't think there is one. It doesn't appear that they brute forced their passwords either. So it could still end up being some unknown exploit in SMF but I don't think that is the case. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758892 Share on other sites More sharing options...
Daniel0 Posted February 10, 2009 Share Posted February 10, 2009 Another scenario could be that the passwords were retrieved from somewhere else, i.e. a vulnerability on another site revealed the passwords. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758895 Share on other sites More sharing options...
premiso Posted February 10, 2009 Share Posted February 10, 2009 Another scenario could be that the passwords were retrieved from somewhere else, i.e. a vulnerability on another site revealed the passwords. What about the option that SMF coded a "sleeper" in their code? Someone who found it or knew about it used to exploit it. I know VBB code's sleeper's in their code, maybe SMF did the same? Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758899 Share on other sites More sharing options...
Daniel0 Posted February 10, 2009 Share Posted February 10, 2009 Sleeper code? As in a trojan? I doubt it. It's open source and someone would eventually find it. It would instantly ruin their reputation. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758912 Share on other sites More sharing options...
premiso Posted February 10, 2009 Share Posted February 10, 2009 Sleeper code? As in a trojan? I doubt it. It's open source and someone would eventually find it. It would instantly ruin their reputation. I take it SMF is free? I guess I never looked into it. I know VBB does it so they can "thwart" people from using it who did not pay for it. I do not know if they still practice it, but I know at one point they had that in their code. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758919 Share on other sites More sharing options...
mat-tastic Posted February 10, 2009 Share Posted February 10, 2009 I disagree. SMF is a brilliant piece of software. I highly doubt that SMF has an exploit in it. If htey managed to log in it can't be session stealing or some kind of XSS as SMF asks for verification of password when someone logs in. It is possible though, another site got attacked that the admin in question was a member of and someone managed to get their password? Either that or careless password management. Either way, I will bet my house on the fact it is not a security flaw in SMF. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758945 Share on other sites More sharing options...
premiso Posted February 10, 2009 Share Posted February 10, 2009 I am not, but my supporter status gives me ad-free browsing, someone is causing some headaches. EDIT: I am an idiot w00t! Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758948 Share on other sites More sharing options...
mat-tastic Posted February 10, 2009 Share Posted February 10, 2009 Sleeper code? As in a trojan? I doubt it. It's open source and someone would eventually find it. It would instantly ruin their reputation. I take it SMF is free? I guess I never looked into it. I know VBB does it so they can "thwart" people from using it who did not pay for it. I do not know if they still practice it, but I know at one point they had that in their code. I know they had a callback function to see if someone paid, then if they didn't they changed a setting to close the board and bring up the "unlicensed" message. However I very much doubt they coded a backdoor so they could access the site. Quote Link to comment https://forums.phpfreaks.com/topic/144551-xsaimexnet/#findComment-758952 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.