News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Odd recurring errors on honeypot forum

Started by JBlaze, March 25, 2022, 11:54:14 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

JBlaze

March 25, 2022, 11:54:14 PM
So, I run a vanilla SMF install that acts as a honeypot of sorts. It allows registration immediately and I let all the spambots and heathens run wild with their posts. But I've been noticing a number of recurring errors that seem alarming, almost as if someone or something is trying to find a SQL injection weakness.

QuoteError
Type of error
Database
Error message
Database Error: Incorrect string value: '\xEF\xBF?rar...' for column 'data' at row 1
File
/var/www/html/Sources/Session.php
Line
187
URL of page causing the error
https://example.com/index.php
Backtrace information
#0: smf_db_error()
Called from /var/www/html/Sources/Subs-Db-mysql.php on line 494
#1: smf_db_query()
Called from /var/www/html/Sources/Subs-Db-mysql.php on line 802
#2: smf_db_insert()
Called from /var/www/html/Sources/Session.php on line 187
#3: sessionWrite()
Called from unknown on line -1
QuoteError
Type of error
Database
Error message
Database Error: Incorrect string value: '\xEF\xBF?zip...' for column 'data' at row 1
File
/var/www/html/Sources/Session.php
Line
187
URL of page causing the error
https://example.com/index.php
Backtrace information
#0: smf_db_error()
Called from /var/www/html/Sources/Subs-Db-mysql.php on line 494
#1: smf_db_query()
Called from /var/www/html/Sources/Subs-Db-mysql.php on line 802
#2: smf_db_insert()
Called from /var/www/html/Sources/Session.php on line 187
#3: sessionWrite()
Called from unknown on line -1
QuoteError
Type of error
General
Error message
2: Unknown: Cannot call session save handler in a recursive manner
File
Unknown
URL of page causing the error
https://example.com/index.php
Backtrace information
#0: smf_error_handler()
Called from unknown on line -1

What worries me is the appended \xEF\xBF?zip. Seems like someone is fishing for an injection weakness.
Jason Clemons
Former Team Member 2009 - 2012

Oldiesmann

#1
March 26, 2022, 01:31:33 AM
The "data" is a serialized version of $_SESSION. The actual error basically means that the character set/collation of that table doesn't support the character that's attempting to be inserted. It's hard to say exactly what they're attempting to do without seeing a full value of the data that's causing the error. It should be safe to ignore though.

Arantor

#2
March 26, 2022, 07:15:35 AM
Question: what collation are all the columns set to? I seem to remember 2.1 using utf8mb4 if it was available.
Holder of controversial views, all of which my own.

shawnb61

#3
March 26, 2022, 11:05:36 AM
Note: 2.1 sets everything to utf8_general_ci.  No mb4 yet.
A question worth asking is born in experience & driven by necessity. - Fripp

Arantor

#4
March 26, 2022, 11:46:06 AM
Ah, so $db_mb4 is predominantly for Postgres and opting out of the hacky behaviour because it's only ever true UTF-8 there, and the horrible compat layer I wrote years ago for SMF 2.0 is still mainstream.

In which case it's something trying to use real UTF-8 that isn't going through $smcFunc['htmlspecialchars'] causing the OP's problem.
Holder of controversial views, all of which my own.

shawnb61

#5
March 26, 2022, 12:21:13 PM
Except \xEFBF is not valid utf8.  And since we're running in strict mode, it *should* error out as above.

The real question is where did that string come from - and how it ended up in a session.

I would first comfirm all columns are actually utf8_general_ci as expected.

What is the value for session.save_handler in php.ini?

I seem to recall limitations with some configs...
A question worth asking is born in experience & driven by necessity. - Fripp

JBlaze

#6
March 30, 2022, 12:34:31 AM
Sorry for the delay in responding.

Database collation is all set to utf8_general_ci

session.save_handler is set to files
Jason Clemons
Former Team Member 2009 - 2012

shawnb61

#7
March 30, 2022, 12:56:09 AM
What is session.serialize_handler set to?

You have database sessions set in smf, correct? 

Do you have any mods or custom code that updates the session?

A question worth asking is born in experience & driven by necessity. - Fripp

JBlaze

#8
March 30, 2022, 08:10:25 PM
Quote from: shawnb61 on March 30, 2022, 12:56:09 AMWhat is session.serialize_handler set to?

You have database sessions set in smf, correct? 

Do you have any mods or custom code that updates the session?
- session.serialize_handler is set to php_serialize
- Database sessions is enabled
- No mods or custom code. It's a vanilla install.
Jason Clemons
Former Team Member 2009 - 2012

Oldiesmann

#9
March 31, 2022, 12:22:14 AM
So it's using serialize() to encode the session data like usual. It would be interesting to see what's being included in there.

JBlaze

#10
March 31, 2022, 12:44:23 AM
Sidenote: GoAccess is such an awesome tool  ;)

These are the URLs being accessed. Looks like someone is trying to pass these vars in a HEAD request.

You cannot view this attachment.
You cannot view this attachment.
You cannot view this attachment.
Jason Clemons
Former Team Member 2009 - 2012

shawnb61

#11
March 31, 2022, 01:02:03 AM
Are these getting posted from a guest or from a logged in user?

I can't tell from the screenshots, but the responses are all 404s, right?
A question worth asking is born in experience & driven by necessity. - Fripp

shawnb61

#12
March 31, 2022, 09:40:34 PM
Another question:  You're on 2.1.1, correct?
A question worth asking is born in experience & driven by necessity. - Fripp
Print
Go Up Pages1
User actions
Advertisement: