> > instead of the actual site being loaded, there is a replacement page with junk in there saying that site has been hacked. they are not getting in via ftp or any other way and i am sus about it being only flash sites that it is happening to

The way I understand what you have said, the index or default site page is being physically replaced by some other page containing hacked content - is that right, or is it that a redirect is being put in place?

What kind of flash page(s) do you have there? Are they just movies, or do they have a form with a bunch of ActionScript talking to some web services on your site? Do they have form submittal functionality? File upload perhaps? Do they have AS code in them that might require elevated privilege perhaps, but makes use of an upload capability?

You do know that just about anyone can dissect your SWF files and look directly at the AS code? (There are many and various SWF reverse engineering tools out there.)

The various flash pages you mention - do they have anything in common?

Like the man said - have you looked at the web server logs? What web server is it anyway - IIS? Apache? Is it a Windows server or a Linux server?

Have you looked at the web server configuration(s)? Have you accidentally opened up directory scanning or some other permission that is allowing your hacker to get into your site?

Does the flash application have a backend web service? If so, what does it consist of (CF?). What kind of things is that backend WS programmed to do? Does it expose a public method that can write back files to the server perhaps?

Does the backend WS insist upon security validation for every request made to it, or is it using session vars on the server to hold security validation state? Or does the flash file store some security validation token that might be hackable perhaps? Or in other words, are you trusting the flash modules delivered by your site perhaps a little too much?

Cheers,
Bryn