Odd recurring errors on honeypot forum

[JBlaze]

So, I run a vanilla SMF install that acts as a honeypot of sorts. It allows registration immediately and I let all the spambots and heathens run wild with their posts. But I've been noticing a number of recurring errors that seem alarming, almost as if someone or something is trying to find a SQL injection weakness.

Error
Type of error
Database
Error message
Database Error: Incorrect string value: '\xEF\xBF?rar...' for column 'data' at row 1
File
/var/www/html/Sources/Session.php
Line
187
URL of page causing the error
https://example.com/index.php
Backtrace information
#0: smf_db_error()
Called from /var/www/html/Sources/Subs-Db-mysql.php on line 494
#1: smf_db_query()
Called from /var/www/html/Sources/Subs-Db-mysql.php on line 802
#2: smf_db_insert()
Called from /var/www/html/Sources/Session.php on line 187
#3: sessionWrite()
Called from unknown on line -1

Error
Type of error
Database
Error message
Database Error: Incorrect string value: '\xEF\xBF?zip...' for column 'data' at row 1
File
/var/www/html/Sources/Session.php
Line
187
URL of page causing the error
https://example.com/index.php
Backtrace information
#0: smf_db_error()
Called from /var/www/html/Sources/Subs-Db-mysql.php on line 494
#1: smf_db_query()
Called from /var/www/html/Sources/Subs-Db-mysql.php on line 802
#2: smf_db_insert()
Called from /var/www/html/Sources/Session.php on line 187
#3: sessionWrite()
Called from unknown on line -1

Error
Type of error
General
Error message
2: Unknown: Cannot call session save handler in a recursive manner
File
Unknown
URL of page causing the error
https://example.com/index.php
Backtrace information
#0: smf_error_handler()
Called from unknown on line -1

What worries me is the appended \xEF\xBF?zip. Seems like someone is fishing for an injection weakness.

[Oldiesmann]

The "data" is a serialized version of $_SESSION. The actual error basically means that the character set/collation of that table doesn't support the character that's attempting to be inserted. It's hard to say exactly what they're attempting to do without seeing a full value of the data that's causing the error. It should be safe to ignore though.

[Arantor]

Question: what collation are all the columns set to? I seem to remember 2.1 using utf8mb4 if it was available.

[shawnb61]

Note: 2.1 sets everything to utf8_general_ci.  No mb4 yet.

[Arantor]

Ah, so $db_mb4 is predominantly for Postgres and opting out of the hacky behaviour because it's only ever true UTF-8 there, and the horrible compat layer I wrote years ago for SMF 2.0 is still mainstream.

In which case it's something trying to use real UTF-8 that isn't going through $smcFunc['htmlspecialchars'] causing the OP's problem.

[shawnb61]

Except \xEFBF is not valid utf8.  And since we're running in strict mode, it *should* error out as above.

The real question is where did that string come from - and how it ended up in a session.

I would first comfirm all columns are actually utf8_general_ci as expected.

What is the value for session.save_handler in php.ini?

I seem to recall limitations with some configs...

[JBlaze]

Sorry for the delay in responding.

Database collation is all set to utf8_general_ci

session.save_handler is set to files

[shawnb61]

What is session.serialize_handler set to?

You have database sessions set in smf, correct? 

Do you have any mods or custom code that updates the session?

[JBlaze]

What is session.serialize_handler set to?

You have database sessions set in smf, correct? 

Do you have any mods or custom code that updates the session?

- session.serialize_handler is set to php_serialize
- Database sessions is enabled
- No mods or custom code. It's a vanilla install.

[Oldiesmann]

So it's using serialize() to encode the session data like usual. It would be interesting to see what's being included in there.

[JBlaze]

Sidenote: GoAccess is such an awesome tool 

These are the URLs being accessed. Looks like someone is trying to pass these vars in a HEAD request.

You cannot view this attachment.
You cannot view this attachment.
You cannot view this attachment.

[shawnb61]

Are these getting posted from a guest or from a logged in user?

I can't tell from the screenshots, but the responses are all 404s, right?

[shawnb61]

Another question:  You're on 2.1.1, correct?