Somebody hacked my App

Hi people, 2 days ago I couldn't access my app.
There was a message: Se produjo un error al conectar con la base de datos:
Access denied for user ‘Hacked Turkishattack’@‘localhost’ (using password: YES)

I accessed the Production Environment, and it had the default password (scriptcase).
I logged in and checked the connection parameters.

The user was: Turkishattack, and fortunately he can't access the database.

Has anybody had trouble like this?

Is there any security advice?

What could have happened?
I work with ScriptCase 6.00.0039.

Thanks …

Your admin was with the default password scriptcase? That should be the first thing to change. Apparently the hacker has compromised your admin section.

A tip for managing admin passwords: write it down, put it in an envelope and store it in two safety boxes: one should be local and the other remote, just in case of disaster at your location… and change it regularly and follow the password storing process again.

You know, I can see how people accidentally forget to either run the configuration or leave the password the default. It seems like SC could make it look for a config file with your admin password encrypted in it, or maybe a project specific (better) password you would configure in the deploy screens inside SC.
Just some thoughts.
Hope you can recover OK.
Jamie

Hi people, thanks for your answers.

The first time I published my app, I changed the default password of the production environment.
Today I checked my app and again it was hacked. Same situation.
When I entered the production environment, it was as if it had been published with the default password (scriptcase).

Is there anything I forgot to set?
Is this an exploit of ScriptCase security?
How can hackers change the database connection properties?

Any advice?

Thanks

What you're talking about involves two different things.
I was under the impression you were talking about the security module,
but now it looks like you're talking about the database connections.

When you go to the Lib directory on the web server, it'll bring up the database connection dialog.
If they're changing the database connection, that's the only place that they can change that connection,
unless there's some other way that I'm not aware of.

My two cents

Kevin

Thanks for your answers.

I don't understand how an external person can change the database connection properties.
Does somebody know where the connection parameters are stored and how to protect them?

thanks

Are the DB settings changed? That is weird and scary if so.
I am just a fellow SC user, but here are my thoughts:

  1. Escalate this to support or email SC directly, then post what you find here. They may or may not read each forum post. They seem to, but you never know - this is critical path!!!
  2. Maybe there is a hole in that login, but I have not heard of such till now.
  3. It could be some kind of security setting on the folder? Maybe they are not getting into the Production Environment login itself, but directly into some config file?

Is the change to a bad setting or erased or what?

  1. If it is the Production Environment they are getting into, perhaps you could deploy the app, then immediately change the file name to the login. Going to www.yourdomain.com/_lib/ triggers the login screen for it. Perhaps using WinSCP or something and changing the file name a bit will be enough to stop the a-hole from getting in. I have not tried that, but it seems like once you are set up, you never need to go back in there. You can always rename it later to make it work…

Again, I think we would all like to know your findings here, so please follow up. Good luck. A million curses on the #$%$$6 hacker :frowning:

Are you sure that SC is the leak and not your (FTP) account? Since only the DB settings are changed and the password reset (?), I think that the hacker might have access and be able to remove the settings, causing the default password to re-appear. I would try the following: after renaming the connection I would rename this _lib application or even delete it. I would change the password of your FTP account and your basic control-panel account. But I agree with onmountain. This needs to be taken care of by ScriptCase. I reported this thread through my channel with SC.