xsaimex.net

[Coreye]

Any body else getting redirected there when on the forums?

 

<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://xsaimex.net">

is in the code like 7 times...

[RichardRotterdam]

yup me. I thought to myself Is this for real whats going on.

So pressed escape before the redirect and the checked the html source and found this in phpfreaks html

<body>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://xsaimex.net">

[corbin]

Yeah, happening to me too.  Infact, using Web Developer bar in Firefox to disable meta redirects now.

 

 

 

Is this XSS or an error?  Or what's going on?

[Daniel0]

Fucking took me, Tom and Tony two hours to track down. Then the stupid MySQL server crashed...

[premiso]

Was it an XSS exploit or a server hack?

 

Just out of curiosity, was it a flaw in the new SMF code?

[Daniel0]

We thought it was a flaw in SMF. Eventually we found out that one of the admin accounts on the forums had been used by an IP address in Latvia to modify the ads to have the meta redirects instead. Bloody idiots could at least have done it during day hours instead of in the middle of the night (for me)...

[serverman]

http://www.xroxy.com/proxy-country-LV.htm

did they proxy?

 

[Daniel0]

Dunno if it was a proxy. I guess I'll check that tomorrow later today.

[serverman]

Is this XSS 

couldnt it have been xss to get password/user?

 

 

 

[corbin]

Typically cookies or something are required to steal passwords with XSS.

 

 

 

 

So uhh....  how did the Latvian get into an admin account?  Odd.

 

 

 

 

[steelmanronald06]

I'm curious as to how they got an admin account without SOME type of exploit in SMF code.  my password is a random mixture of letters, numbers, and symbols.  and there are no english words or dates/years in my password. I'm fairly sure the other admins passwords are of similar caliber, which makes me believe it is possibly a flaw in SMF source

[corbin]

It has to be an SMF flaw.

 

 

I'm sure if it is, y'all will either find it or it will come out publically.

[fenway]

Yet another reason to possibly switch forum software? this isn't their first time.

[Daniel0]

I'm not sure if the login was possible due to a flaw in SMF's code or because the passwords were retrieved from another place. It happened to two admin accounts though.

[gevans]

SMF does seem a bit buggy from time to time. I think a change in forum software could be a good call, lots of work.. but would be good to try another bit of software on a board of this size.

[serverman]

well if they can get into Mysql and figure out salt then they could dehash your passwords

 

that website had music downloads... now they are gone lol but now it has a lot of script kiddie tools so i would bet that it was not the owner of the website but it was a user of it and might have used some of the tools off that site.

[premiso]

I'm curious as to how they got an admin account without SOME type of exploit in SMF code.  my password is a random mixture of letters, numbers, and symbols.  and there are no english words or dates/years in my password. I'm fairly sure the other admins passwords are of similar caliber, which makes me believe it is possibly a flaw in SMF source

 

Reminds me of the movie hackers....

 

GOD is the number 1 password used, how dumb is that. lol

[tomfmason]

Although this current incident is not directly related to SMF I am still for a switch. Believe me when I say I tried to make a connection to SMF but I really don't think there is one. It doesn't appear that they brute forced their passwords either. So it could still end up being some unknown exploit in SMF but I don't think that is the case.

 

 

[Daniel0]

Another scenario could be that the passwords were retrieved from somewhere else, i.e. a vulnerability on another site revealed the passwords.

[premiso]

Another scenario could be that the passwords were retrieved from somewhere else, i.e. a vulnerability on another site revealed the passwords.

 

What about the option that SMF coded a "sleeper" in their code? Someone who found it or knew about it used to exploit it.

 

I know VBB code's sleeper's in their code, maybe SMF did the same?

[Daniel0]

Sleeper code? As in a trojan? I doubt it. It's open source and someone would eventually find it. It would instantly ruin their reputation.

[premiso]

Sleeper code? As in a trojan? I doubt it. It's open source and someone would eventually find it. It would instantly ruin their reputation.

 

I take it SMF is free? I guess I never looked into it.

 

I know VBB does it so they can "thwart" people from using it who did not pay for it. I do not know if they still practice it, but I know at one point they had that in their code.

[mat-tastic]

I disagree.

 

SMF is a brilliant piece of software.

 

I highly doubt that SMF has an exploit in it.

 

If htey managed to log in it can't be session stealing or some kind of XSS as SMF asks for verification of password when someone logs in.

 

It is possible though, another site got attacked that the admin in question was a member of and someone managed to get their password?

 

Either that or careless password management.

 

Either way, I will bet my house on the fact it is not a security flaw in SMF.

[premiso]

I am not, but my supporter status gives me ad-free browsing, someone is causing some headaches.

 

EDIT:

I am an idiot w00t!

[mat-tastic]

Sleeper code? As in a trojan? I doubt it. It's open source and someone would eventually find it. It would instantly ruin their reputation.

 

I take it SMF is free? I guess I never looked into it.

 

I know VBB does it so they can "thwart" people from using it who did not pay for it. I do not know if they still practice it, but I know at one point they had that in their code.

 

I know they had a callback function to see if someone paid, then if they didn't they changed a setting to close the board and bring up the "unlicensed" message.

 

However I very much doubt they coded a backdoor so they could access the site.