News:

Join the Facebook Fan Page.

Main Menu

Possible Security Issue

Started by shadav, October 17, 2021, 10:21:34 PM

Previous topic - Next topic

shadav

ok this is all gibberish to me but I got an email from my host and well I'm sure someone here can make heads or tails of it
I'm using 2.0.18, granted heavily modified (like over 150 mods)
but this is the first that this has come up

Dear Customer,

Our server monitoring systems detected malicious requests to your www.shadav.com site. To protect your site, we blocked the 85.237.61.86 IP address.

Below is an excerpt from the web logs:

shadav.com 85.237.61.86 - - [17/Oct/2021:21:16:11 -0400] "GET /forum/riverdale/?PHPSESSID=b5e2704a2ae6bb3b0ebfa2da7d06ade41111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45)%20--%20%20/* HTTP/2.0" 200 10250 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0" 0 0 "on:TLSv1.3:TLS_AES_256_GCM_SHA384" 450 10556646 192.252.151.124 www.shadav.com redirect-handler - 162.158.91.98

It appears that your forum software is vulnerable to SQL injection attacks. We strongly recommend that you update it to the latest version available.

Best Regards,
Incident Response Team
SureSupport.com

in my admin in the error logs I have a lot of these type errors for said IP address

Apply Filter: Only show the error messages of this URLhttps://shadav.com/forum/index.php?action=media;sa=;in=;&PHPSESSID=b5e2704a2ae6bb3b0ebfa2da7d06ade499999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x

8: Undefined index: lab360_cad
File: SERVERPATH/forum/Themes/Dani/BoardIndex.template.php
Line: 253
and
Line: 245

#0 /Sources/Load.php(2393): template_main()
#1 /Sources/Subs.php(2991): loadSubTemplate(string)
#2 /index.php(212): obExit(NULL, boolean, boolean)
#3 {main}

I'm not really concerned about the undefined index but the url seems iffy to me

attached my logs from today, er the file is to large to upload so I've temporarily uploaded it here
http://shadav.com/oct17.log :laugh: I do see some idiot rooting around looking for wordpress files  :laugh: idiot

Sir Osis of Liver

Not getting any security alerts on your forum.  Malicious requests doesn't necessarily mean they're actually getting in.  Could be a vulnerability in a mod, but if you're not seeing garbage posts or anything unusual in your database it's probably just the usual bots poking at the forum.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

shadav

looked quickly in my db not sure what or where I'm looking but just looking at table names not seeing anything out of the ordinary
and na no crap posts, lol that forum only has 2 members, well 1  :laugh: myself and I don't know who the other is
 :laugh: not an active forum  :P it's fine, the forum was more for fun and to replace the crappy comment script I was trying to use.

Aleksi "Lex" Kilpinen

At first glance that looks like there's proof of an attempt, and then a pretty bold claim of an actual vulnerability based on that. Have you found any evidence that they were actually successful? Do look for it, that is a good idea, but if you can't find anything I'd say the odds are good that it was just an attempt that got noticed and automatically banned. Of course, this isn't really my area of expertise yet - ask me again in a few years :P
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

shadav

I'm not seeing any odd files or anything so guess it was just someone trying their hand, apparently enough times in a row that my host took notice

Quote from: Aleksi "Lex" Kilpinen on October 18, 2021, 12:08:47 AMOf course, this isn't really my area of expertise yet - ask me again in a few years :P
:laugh:  ;D

Aleksi "Lex" Kilpinen

The undefined index is probably from this mod if you have it installed - the lab360 part sounds familiar
https://custom.simplemachines.org/index.php?mod=1691

The iffy url is the attempt itself, I don't think it's proof of anything more, and the undefined index is probably a coincidence of sorts.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Illori

personally, if my host told me my forum/webserver was able to be hacked due to an attempt that may not be successful, i would be looking for a new host ASAP as they apparently cannot verify what is going on before putting you on alert.

Kindred

really?  That's from SureSupport?

I'm disappointed. They've never made such an assumption on my accounts -- and I get hundreds of attacks on my sites every day.

Yeah, the ATTEMPT was made with that URL/arguments.
SMF doesn't track 404s.... it just bounces them back to the index.php within the code - but unless they have evidence that the attempt actually SUCCEEDED, the statement that "your script has SQL injection vulnerabilities" is flawed.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sesquipedalian

Kindred is exactly correct. That leap in logic is a complete non sequitur. My guess is that the email was written by some new trainee or somebody who really shouldn't have skipped their morning coffee. 
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

Chief of Nothing

Geez they hammered you! If it didn't work the first few times I wonder why they thought it might work the next 500 times they tried. There's a few different SQL queries from the same address in the log, one of which I haven't decoded but I don't see any evidence of actually trying to inject anything which gives weight to the answer given in this one single post about the exact query on StackOverflow (https://stackoverflow.com/questions/17439121/sql-injection-char45-120-49-45-81-45) that it was testing for injection vulnerability.


shadav

thanks for putting my concerns to rest and yeah kindred that was SureSupport which is why I was a bit worried, but given their statement of updating to the latest version didn't make sense

Advertisement: