ok this is all gibberish to me but I got an email from my host and well I'm sure someone here can make heads or tails of it
I'm using 2.0.18, granted heavily modified (like over 150 mods)
but this is the first that this has come up
Our server monitoring systems detected malicious requests to your www.shadav.com site. To protect your site, we blocked the 126.96.36.199 IP address.
Below is an excerpt from the web logs:
shadav.com 188.8.131.52 - - [17/Oct/2021:21:16:11 -0400] "GET /forum/riverdale/?PHPSESSID=b5e2704a2ae6bb3b0ebfa2da7d06ade41111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45)%20--%20%20/* HTTP/2.0" 200 10250 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0" 0 0 "on:TLSv1.3:TLS_AES_256_GCM_SHA384" 450 10556646 184.108.40.206 www.shadav.com redirect-handler - 220.127.116.11
It appears that your forum software is vulnerable to SQL injection attacks. We strongly recommend that you update it to the latest version available.
Incident Response Team
in my admin in the error logs I have a lot of these type errors for said IP address
Apply Filter: Only show the error messages of this URLhttps://shadav.com/forum/index.php?action=media;sa=;in=;&PHPSESSID=b5e2704a2ae6bb3b0ebfa2da7d06ade499999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x
8: Undefined index: lab360_cad
#0 /Sources/Load.php(2393): template_main()
#1 /Sources/Subs.php(2991): loadSubTemplate(string)
#2 /index.php(212): obExit(NULL, boolean, boolean)
I'm not really concerned about the undefined index but the url seems iffy to me
attached my logs from today, er the file is to large to upload so I've temporarily uploaded it here
http://shadav.com/oct17.log :laugh: I do see some idiot rooting around looking for wordpress files :laugh: idiot
Not getting any security alerts on your forum. Malicious requests doesn't necessarily mean they're actually getting in. Could be a vulnerability in a mod, but if you're not seeing garbage posts or anything unusual in your database it's probably just the usual bots poking at the forum.
looked quickly in my db not sure what or where I'm looking but just looking at table names not seeing anything out of the ordinary
and na no crap posts, lol that forum only has 2 members, well 1 :laugh: myself and I don't know who the other is
:laugh: not an active forum :P it's fine, the forum was more for fun and to replace the crappy comment script I was trying to use.
At first glance that looks like there's proof of an attempt, and then a pretty bold claim of an actual vulnerability based on that. Have you found any evidence that they were actually successful? Do look for it, that is a good idea, but if you can't find anything I'd say the odds are good that it was just an attempt that got noticed and automatically banned. Of course, this isn't really my area of expertise yet - ask me again in a few years :P
I'm not seeing any odd files or anything so guess it was just someone trying their hand, apparently enough times in a row that my host took notice
Quote from: Aleksi "Lex" Kilpinen on October 18, 2021, 12:08:47 AMOf course, this isn't really my area of expertise yet - ask me again in a few years :P
The undefined index is probably from this mod if you have it installed - the lab360 part sounds familiar
The iffy url is the attempt itself, I don't think it's proof of anything more, and the undefined index is probably a coincidence of sorts.
personally, if my host told me my forum/webserver was able to be hacked due to an attempt that may not be successful, i would be looking for a new host ASAP as they apparently cannot verify what is going on before putting you on alert.
really? That's from SureSupport?
I'm disappointed. They've never made such an assumption on my accounts -- and I get hundreds of attacks on my sites every day.
Yeah, the ATTEMPT was made with that URL/arguments.
SMF doesn't track 404s.... it just bounces them back to the index.php within the code - but unless they have evidence that the attempt actually SUCCEEDED, the statement that "your script has SQL injection vulnerabilities" is flawed.
Kindred is exactly correct. That leap in logic is a complete non sequitur. My guess is that the email was written by some new trainee or somebody who really shouldn't have skipped their morning coffee.
Geez they hammered you! If it didn't work the first few times I wonder why they thought it might work the next 500 times they tried. There's a few different SQL queries from the same address in the log, one of which I haven't decoded but I don't see any evidence of actually trying to inject anything which gives weight to the answer given in this one single post about the exact query on StackOverflow (https://stackoverflow.com/questions/17439121/sql-injection-char45-120-49-45-81-45 (https://stackoverflow.com/questions/17439121/sql-injection-char45-120-49-45-81-45)) that it was testing for injection vulnerability.
thanks for putting my concerns to rest and yeah kindred that was SureSupport which is why I was a bit worried, but given their statement of updating to the latest version didn't make sense