Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM


butchs

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

TheMortician4

Awesome, will set it up tonight.

ljunatic

butchs,
Here is a log from a legitimate member, and the action was that he registered to my forum and then returned to verify the email account used.  #55 is another association's registration confirmation page on my Joomla site that links to my SMF forum registration. #56 is the registration request to my forum. #57 is the verification of the email address used when registering. (This is a 1.1.13 SMF site.)

Can someone point out to me the parts of the log that indicate a Hack attempt? 

I am hesitant to turn on blocking if it will stop valid registrations. Can I modify a setting to prevent this issue? All my forum registrations must be approved, and then activated via email verification.


57   75.135.29.164    2011-03-08 19:04:04    GET /forum/index.php?action=verificationcode;rand=xxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SearchToolbar 1.2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729) http://www.nebraskafirepower.com/forum/index.php?action=register [nofollow]    Hack: Repeated!

56    75.135.29.164    2011-03-08 19:04:01    GET /forum/index.php?action=register HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SearchToolbar 1.2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729) http://www.nebraskafirepower.com/forum/index.php?action=register%22 [nofollow]    Hack: Repeated!

55    75.135.29.164    2011-03-08 19:03:44    GET /forum/index.php?action=register%22 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SearchToolbar 1.2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 3.0.30729) http://nefirearm.com/index.php?option=com_content&view=article&id=11&Itemid=25 [nofollow]    Hack: %22!

butchs

Here is the problem: "Hack: %22!", where your member entered "%22" and was caught by the "Injection List" while logging on.  That is not normal.

The mod can be edited if you so desire.

ljunatic

I thought that might be it, but that string was not entered by the member; it was generated by the forum when the link was clicked.


here is a log that was saved when I tried to register from my laptop...

   76.84.105.198    2011-03-09 21:32:00    GET /forum/index.php?action=register%22 HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 ( .NET CLR 3.5.30729; .NET4.0C) http://www.simplemachines.org/community/index.php?topic=417490.msg2983217    Hack: %22!


Not sure about the source, but it is being generated by my SMF registration


ETA: I will edit the SQL injection list for now.

Thanks again
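
An added example, not part of the thread or the mod's own code: a triage pass over log lines in the format quoted above that separates a single trailing %22 arriving from a link on another page (the stray-quote pattern discussed here) from flagged entries that need a closer look. The sample lines, addresses and host names are constructed, and treating "Repeated" as a follow-up label is an assumption.

```python
import re

# Constructed sample lines modelled on the log format quoted in the thread:
# id, IP, timestamp, request line, user agent, referer, mod verdict.
SAMPLE_LOG = """\
55 192.0.2.10 2011-03-08 19:03:44 GET /forum/index.php?action=register%22 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0) http://portal.example/index.php?id=11 Hack: %22!
56 192.0.2.10 2011-03-08 19:04:01 GET /forum/index.php?action=register HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0) http://forum.example/forum/index.php?action=register%22 Hack: Repeated!
91 198.51.100.7 2011-03-09 02:11:09 GET /forum/index.php?topic=12%22abc%22;start=0 HTTP/1.1 Mozilla/5.0 - Hack: %22!
"""

LINE = re.compile(
    r"^(?P<id>\d+)\s+(?P<ip>\S+)\s+(?P<ts>\S+ \S+)\s+"
    r"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d\s+"
    r"(?P<rest>.*?)\s+Hack: (?P<rule>.+?)!$"
)
RANK = {"follow-up": 0, "stray-quote-link": 1, "review": 2}

def parse(line):
    """Split one log line into fields; the referer is the last token before the verdict."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ua"], _, rec["referer"] = rec.pop("rest").rpartition(" ")
    return rec

def classify(rec):
    """Return 'stray-quote-link', 'follow-up' or 'review' for one flagged entry."""
    if rec["rule"] != "%22":
        return "follow-up"  # assumption: e.g. "Repeated" on an already-flagged IP
    uri = rec["uri"]
    stripped = uri[:-3] if uri.endswith("%22") else None
    # One trailing %22, nothing else encoded, reached by following a link:
    # this is what an href with an extra quote character produces.
    if stripped and "%" not in stripped and rec["referer"].startswith("http"):
        return "stray-quote-link"
    return "review"

def triage(log_text):
    """Map each flagged IP to (worst verdict seen, page whose links to inspect)."""
    out = {}
    for rec in filter(None, map(parse, log_text.splitlines())):
        verdict = classify(rec)
        page = rec["referer"] if verdict == "stray-quote-link" else None
        current = out.get(rec["ip"])
        if current is None or RANK[verdict] > RANK[current[0]]:
            out[rec["ip"]] = (verdict, page)
    return out

if __name__ == "__main__":
    for ip, (verdict, page) in triage(SAMPLE_LOG).items():
        print(ip, verdict, page or "")
```

For a "stray-quote-link" verdict the returned page is the referring page, which is where the malformed link to the registration URL would be found.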

ljunatic

Hmmmm...default theme is the only one loaded.

I am just about to go live on my upgrade to 2.0 rc5, so it may not be worth the effort to fix this. :-\

busterone

Maybe the upgrade will repair it. The default theme is replaced during the upgrade.

Xarcell

This mod looks good, but I'm afraid I'll break my site with it, lol.

butchs

If it ain't broke don't fix it.  One less support question for me.  :)

Xarcell

Quote from: butchs on March 12, 2011, 06:47:12 AM
If it ain't broke don't fix it.  One less support question for me.  :)

lol...

butchs

Quote from: ljunatic on March 10, 2011, 10:40:24 PM
I thought that might be it, but that string was not entered by the member; it was generated by the forum when the link was clicked.

Who knows, your site could have been compromised for years?

The mod does not generate any extra code; it simply looks at the incoming traffic.  So it seems to me that a wipe out and full install is in order.  :(

Xarcell

I have a feature request, but I reckon it's not likely.

In the past I've had malicious characters manually register on my site and put scrap in their signatures, try to upload avatars with scripts in them, etc.

So my request is to have an option to prune members with 0 posts after a set number of days (like 30 or 365).

I know it's not a major security thing, but I thought I would ask.

Kindred

You can already do that sort of thing in SMF core
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

TheMortician4


Bigguy

Go to your forum maintenance and then to members.

Xarcell

Quote from: Kindred on March 13, 2011, 01:19:18 PM
You can already do that sort of thing in SMF core

I didn't see it at first, but I see it now. Thanks.

RvG

Quote from: Arantor on March 11, 2011, 02:51:59 AM
It implies there's something wrong with your theme if it has extra " characters in it.

I am afraid I am having this problem, crip blackrain's theme.

busterone

Crip made several versions of Black Rain. It may be better to go to the correct topic for that particular variant.

TheMortician4

Quote from: Bigguy on March 13, 2011, 04:16:23 PM
Go to your forum maintenance and then to members.

Could you be a little more definitive on how?

butchs
