Someone is deleting my account on my site
Basically, we were four guys who developed our final year project. Out of this, two of us (me and Pranav) bought a domain and put the site online. Now this 3rd guy (say, "B") comes in and asks for a username/password for the project. I provide him one. After a few days I find more than 10 new accounts and hence decide to remove all but two of our accounts (me and the other guy who bought the domain).
(Note: When you log in, you can see the passwords of all accounts in plaintext. So anyone who can log in once can have a look at everyone's account.)
On the morning of 27th Oct, my friend Pranav tried logging in through his account but couldn't, so he asked me for my account. He tried mine but that didn't work either. When I accessed my site through the FTP account and downloaded the MDB (MS Access database) file, I was shocked to see that my password was changed and Pranav's account deleted. I informed Pranav about this and recreated his account. I took a look at the HTTP access logs and they showed that someone from Hyderabad (a city here) did that. Also there was an IP from Chennai (another city) that was pretty frequent during the whole time. The "B" guy was in Hyderabad at that time.
On 2nd Nov, the file got changed again. Exactly the same: my account's password changed and Pranav's deleted. I got mad and deleted all accounts from the MDB file and created a user account with a random username and random password (even I don't know the username/password). But to my amazement it changed again when I checked today. The logs show the change yesterday (5th Nov). When I checked the access logs I found 2 IPs pretty frequent: one from Chennai and another from Bangalore. (The "B" guy is in Bangalore currently.)
I analyzed the logs and came to know that he was logging on using the provided login box. Moreover, it looked like he got through in just one or two attempts. Can anyone explain how this could happen?
I believe the Chennai guy is helping him out. I even found a cookie in the first line when it all started happening on 5th Nov.
The cookie >>
http://mail.google.com/mail/?ui=1&ik=e94bc1b1d7&view=cv&search=chats&th=115c8384091e7b11&ww=779&cvap=43&qt=&zx=e1xkgvqdhsc6
I know it's a link to someone's account and possibly linked to a chat session, but it was in the cs-cookie column. Is there any way I can find the email ID of the person to whom this link belonged?
The user-agent string of the Chennai guy in 5th Nov's log was
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)+;+.NET+CLR+1.1.4322;+MEGAUPLOAD+2.0
Does "MEGAUPLOAD" hint that he provided a file through MegaUpload recently before he came to my site? Or does it mean he's using the Alexa toolbar?
And the user-agent string on 27th Oct for chennai guy was
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+S.
No MegaUpload this time. Both times, the ISP of the IP was VSNL.
Haven't analyzed the access logs for 2nd Nov yet.
If anyone needs logs I can provide.
Thanks in advance
Comments
seuss_ssues Member Posts: 629
The first things that come to mind are:
A. You may have an authentication mechanism that is easy to bypass. For example javascript logins or you may have the file containing the user/pass as world readable.
B. He could have hard coded himself a user somewhere in the source code. If you can check hashes of a "secure" copy verses the copy you are running that would help you determine.
Granted, those are only two possibilities, but I see lots of web authentication mechanisms that take less than 10 minutes to bypass.
seXie Member Posts: 5
I guess he's using SQL injection.
    protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
    {
        DatabaseConnection dc = new DatabaseConnection();
        // Both text boxes are concatenated straight into the SQL text.
        string s = "select * from login where username=" + "'" + TextBox1.Text + "'"
                 + "and password=" + "'" + TextBox2.Text + "'";
        DataTable t;
        t = dc.fetchdata(s);
        // Any returned row is treated as a successful login.
        if (t.Rows.Count > 0)
        {
            Session["username"] = t.Rows[0][0];
            Response.Redirect("admin.aspx");
        }
        else
        {
            Label1.Text = "Invalid User And Password";
        }
    }
This is my code.
And he has access to the source code. He was in the development team afterall. And no he hasn't hardcoded a user. And erm, I ain't using JS.
Can someone analyze it and tell me how someone can bypass the validation? There are three rows in the login table: username, password and author-type. (author-type must be A to log in successfully.) I feel he doesn't know about the third field, because we modified the code a bit and added that field.
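An added example, not code from the original thread or from the project it describes: the query built in the handler above, re-created in Python against an in-memory SQLite table standing in for the MDB file (the table, its two rows and the function names are constructed for this illustration). It shows why a login can succeed on the first attempt without any password, that the posted query never references the author-type column, and what a parameterised query with an explicit author-type check does with the same input.

```python
"""Added example: a Python stand-in for the posted ImageButton1_Click handler.
An in-memory SQLite table replaces the MDB file; the column names follow
the post, the rows are constructed sample data, not the site's real accounts."""
import sqlite3


def make_db():
    """Constructed sample login table (hypothetical data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (username TEXT, password TEXT, authortype TEXT)")
    db.executemany(
        "INSERT INTO login VALUES (?, ?, ?)",
        [("admin", "s3cret", "A"), ("guest", "guest", "G")],
    )
    return db


def vulnerable_login(db, username, password):
    """Mirrors the posted C#: both text boxes are pasted into the SQL text
    (the missing space before 'and' is copied from the post; SQLite ends the
    string literal at the closing quote, so it still parses) and any returned
    row is treated as a successful login, whatever its author-type."""
    sql = ("select * from login where username=" + "'" + username + "'"
           + "and password=" + "'" + password + "'")
    rows = db.execute(sql).fetchall()
    return rows[0][0] if rows else None      # Session["username"] = t.Rows[0][0]


def safe_login(db, username, password):
    """Parameterised version with the author-type check applied explicitly.
    The values travel separately from the SQL text, so a quote in the input
    is just a character inside a value, not a change to the query."""
    sql = "select username, authortype from login where username=? and password=?"
    row = db.execute(sql, (username, password)).fetchone()
    if row is None or row[1] != "A":
        return None
    return row[0]


# A classic one-shot payload. It uses only quotes and OR (standard SQL, no
# engine-specific comment syntax), so it needs no knowledge of the schema.
# Typed into both boxes it turns the WHERE clause into
#   username='' or '1'='1'and password='' or '1'='1'
# which is true for every row; the first row's username becomes the session.
PAYLOAD = "' or '1'='1"


def demo():
    db = make_db()
    return {
        "real creds, posted query": vulnerable_login(db, "admin", "s3cret"),
        "payload in both boxes, posted query": vulnerable_login(db, PAYLOAD, PAYLOAD),
        "non-A account, posted query": vulnerable_login(db, "guest", "guest"),
        "payload in both boxes, parameterised": safe_login(db, PAYLOAD, PAYLOAD),
        "non-A account, parameterised": safe_login(db, "guest", "guest"),
        "real creds, parameterised": safe_login(db, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Run it and the second line prints "admin": the attacker is logged in as the first account in the table with no password and no idea what the username is, which is consistent with "one or two attempts" in the logs. The third line shows that the author-type field added later changes nothing, because the posted query never reads it. The .NET equivalent of the parameterised call is an OleDbCommand whose values are supplied through OleDbParameter objects rather than string concatenation; storing passwords as salted hashes instead of plaintext in the MDB is a separate fix the thread's note about visible passwords calls for.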