Is this an attack? Curious log entries...

[shawnb61]

All -

My site appears to be operating perfectly.  No spam, no instability, CPU normal.   

However...  I think my log holds an unsuccessful intrusion attempt.  I'd like to know if that's the case or if I'm just being paranoid.   

Within ~15 seconds, I have well over 3000 curious log entries from yesterday.  All posted as "Guest" but with no IP address, which is unusual.   I don't recall seeing entries in my log without an IP address before or after this 15 second period... 

Should I be concerned?  Anything specific I should be doing?

I have about 50 of these (Guest, no IP, same 15 seconds):

Sorry, but you've reached your login attempts threshold. Please wait 30 seconds and try again later.

Over 1000 of these (Guest, no IP, same 15 seconds), code references security.php, note slight variations:

2: in_array() [<a href='function.in-array'>function.in-array</a>]: Wrong datatype for second argument

2: array_intersect() [<a href='function.array-intersect'>function.array-intersect</a>]: Argument #2 is not an array

And over 2000 of these (Guest, no IP, same 15 seconds):

8: Undefined index: permissions   (security.php, line 834)

8: Undefined index: permissions   (security.php, line 831)

[KnownSyntax]

Looks like someone was trying to gain access by using old flaws or security holes, not sure what they hoped to gain however. The only reason is because of what they are trying to inject and also by using the same few .php files to do this through.

[iain sherriff]

I got pretty much the same thing overnight !!

Code Select Expand

Apply Filter: Only show the error messages of this member Guest
Apply Filter: Only show the error messages of this IP address   
  Reverse chronological order of list Today at 01:03:49 AM
Apply Filter: Only show the error messages of this session 5c4dd976e26bb3893d6c1c924439146e
Apply Filter: Only show the errors of this type Type of error: General
Apply Filter: Only show the error messages of this URL
http://dsdglobalsupport.com/index.php?http://dsdglobalsupport.com/undefined
Apply Filter: Only show the errors with the same message
2: array_intersect() [<a href='function.array-intersect'>function.array-intersect</a>]: Argument #1 is not an array
Apply Filter: Only show the errors from this file
File: /home3/f1162343/public_html/dsdglobalsupport.com/Sources/Subs-UltimateMenu.php
Line: 37

Code Select Expand

Apply Filter: Only show the error messages of this member Guest
Apply Filter: Only show the error messages of this IP address   
  Reverse chronological order of list Today at 01:03:49 AM
Apply Filter: Only show the error messages of this session 5c4dd976e26bb3893d6c1c924439146e
Apply Filter: Only show the errors of this type Type of error: General
Apply Filter: Only show the error messages of this URL
http://dsdglobalsupport.com/index.php?http://dsdglobalsupport.com/undefined
Apply Filter: Only show the errors with the same message
2: in_array() [<a href='function.in-array'>function.in-array</a>]: Wrong datatype for second argument
Apply Filter: Only show the errors from this file
File: /home3/f1162343/public_html/dsdglobalsupport.com/Sources/Security.php
Line: 831

Code Select Expand

Apply Filter: Only show the error messages of this member Guest
Apply Filter: Only show the error messages of this IP address   
  Reverse chronological order of list August 18, 2015, 10:51:45 PM
Apply Filter: Only show the error messages of this session 7572183096ac4cbf6eb57a82f293aacb
Apply Filter: Only show the errors of this type Type of error: Undefined
Apply Filter: Only show the error messages of this URL
http://dsdglobalsupport.com/index.php?http://dsdglobalsupport.com/undefined
Apply Filter: Only show the errors with the same message
8: Undefined index: mod_cache
Apply Filter: Only show the errors from this file
File: /home3/f1162343/public_html/dsdglobalsupport.com/Sources/Load.php
Line: 1585

3000+ log entries within 90mins.  90% of them are
Security.php Line: 831 or 834

[iain sherriff]

http://www.simplemachines.org/community/index.php?topic=531974.0

Looking through the forum it is more likely to be  bad mod than a hack ?

[KnownSyntax]

Weird, if it is a module than what would cause for it to act up in a 15 minute window and cause so many errors? Wouldn't it be acting up whenever the module was called (or whenever it was triggered if you will)?

[iain sherriff]

could it be connected with this ?
http://www.simplemachines.org/community/index.php?topic=512098.0

[shawnb61]

Iain sheriff, that sure like like it!    A bug in smf caused by stale cookies across certain patch install dates, after a system restore.   

In my instance, however, there was no restore.  We patched from 2.0.4 to 2.0.10 in early July.   This occurred ~2 days later.

No recurrence.   

[iain sherriff]

My board was recently restored but, same as you this happens sporadically.
Have you had Tapatalk installed in the past but not  now ?

[shawnb61]

We haven't seen this issue again.

We have a very old, less intrusive version of Tapatalk.  Not sure I like the hooks in the latest versions.

Occasionally they crawl us very aggressively.   Very annoying.  Identical to the report in this link:
https://support.tapatalk.com/threads/dos-attack-through-mobiquo.27211/
   
I've been thinking of abandoning it altogether. 

[iain sherriff]

I can trigger  the errors by trying to login with my VPN switched on ?

[iain sherriff]

shawnb61..................... have you got Ultimate Menu installed ?

[shawnb61]

No, we don't have that mod.

[iain sherriff]

hmm
I disabled it a last week (after reading in one of the other many topics that this could be a Mod related issue). Haven't had the errors since and wondering if any of the additional menu links I had where the thing being called before the guest has logged in.

Have to wait and see what happens