Interpret for Error Log needed

Started by MaryLouW, November 25, 2017, 06:36:26 PM


MaryLouW

In checking my error log today, I found four entries all on the same date (different times) but I do not understand what the error means. The person whose name was on the log joined last April but has never posted a message or anything. I have never seen a message like this on my error log so it somewhat worries me. Can anyone help? Tell me what this means, please?

Kindred

Looks like some sort of mod which allows you to reorganize the admin section....   
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

MaryLouW

That was my conclusion but how did this person manage to do that?   It doesn't look like he was successful but, how did he get that kind of access?

Kindred

He doesn't have that access, unless you have messed up permissions...

But lack of access does not stop someone from inputting a url...

MaryLouW

I have not changed my permissions in years - but my question here is, how did this get on my error log?  Is this a person that I should perhaps ban?  He was somewhere in the system for this to show up on my error log.

drewactual

it doesn't look like he/she was in... it looks like they were attempting to enter the manage attachments area and hoping your permissions or sessions challenge was not working...

by all means, ban that IP.  it can't hurt anything.

MaryLouW

Thank you!  That's exactly what I plan to do. He has been on my forum since last April. Visits often but has never posted a message.  It appeared to me  that he was trying to hack into my system for some reason.  He was on-line today - maybe coming back to try again ?  Anyway, I think a ban is the way to go.

drewactual

he may not be the person who registered... he may have just gained access to the person who registered.

send the registered person's provided email a message asking what is going on... you may find they aren't the same.  and if so, you'll retain a member while ferreting out a hacker.

MaryLouW

This person was just on-line so I sent him a message asking why he was trying to hack my system.  He said he wasn't, he was just clicking links here and there.  So, I asked him exactly what links he was clicking.  He said the Admin link. That took him to the control panel.  He was clicking on the links that show past versions, updates, etc.  However, when clicking on the links beyond that, such as boards, permissions, and such, that took him right back to where he was - the intro area when you click the admin button.

I don't recall this ever happening before and it should NOT happen. So, I logged out and logged back in as a regular user. Sure enough, when I clicked on the Admin link, I was taken to the "welcome admin" area. Fortunately, he was not able to "break" anything but he generated those error messages by clicking in the links that were available there.

How can I prevent that from happening?

drewactual

scour your permissions and only grant the ones needed for each group... i'd rather users have too little than too much, but that's just me...

MaryLouW

I already did that. As a regular user, I can still access the admin area. I can't find anywhere that would allow that to happen. I only have a regular group, staff group, and admin group. I've checked all of them and cannot see anything that would allow them to access the admin area other than those who are supposed to have access (staff and admin). Didn't help.

drewactual

yup... you're right... but... how did this member know where to find "attachments"?  is that option available to them? or... are they familiar with SMF enough to request that function via URL? 

i'd watch that rascal.

MaryLouW

I have no idea - he said he was just clicking around on various links because they were available to him.  He was exploring.   He should NOT have been able to even get that far to start with and I don't see any way to disallow it. 

drewactual

you can't stop someone who knows (likely) valid links from typing them in... for instance, i know what version of SMF you run... all i need to know is your web address to try to touch files i know are in your site, because they're in mine, too...

there is nothing for you to worry about with that attempted entry... your machine did what it was supposed to do which is deny, and make note of it.  he/she would need to be a lot more clever to get in- and that isn't as easy as it sounds.

MaryLouW

Maybe so but NO user should be able to access the Admin area if they are not authorized. 

drewactual

so they'll see the credits... that's pretty much all they get.

Sir Osis of Liver

Thought I had access to your forum, can't find it. If you can pm admin access I'll take a look.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Sir Osis of Liver

Something's broken. Created a regular member account, I see Admin link. Didn't try all links in ACP, most revert to main admin page, but I can get into News and Newsletters. Don't see anything amiss in permissions. I would try uninstalling SMF 2.1-style Admin Area mod. Offhand I'd guess Harvey wasn't screwing around, just curiosity seeing Admin link. I'd probably do same thing.


MaryLouW

Do you know if anyone else is having this problem??  Not sure what to uninstall....  but I think this leaves me open to a lot of trouble.

Sir Osis of Liver

Can you attach your /Sources/Subs.php?

MaryLouW

Yes - the one without the ~ after the name.

Sir Osis of Liver

You need to do a full backup of your forum files, then uninstall SMF 2.1-style Admin Area mod in Package Manager.  It's not showing any errors, should uninstall cleanly.  Don't know if that will fix it, but it's most likely suspect for starters.  If you don't want to try it yourself, pm FTP access (server/username/password).  Going offline shortly, won't get to it until tomorrow.

MaryLouW

I am pretty much a chicken when it comes to doing anything other than the normal every day stuff.  I will send you a PM with ftp access... THANKS!!!!

Arantor

Also did you do something to the post count groups so there isn't a group starting at 0 posts?

MaryLouW

Not that I know of.  When things are working right, I don't mess with them.  I haven't changed anything at all in a very long time other than the SMF updates.

Sir Osis of Liver

Very strange forum. :o  Uninstalled 2.1 admin area mod, no change, reinstalled it.  Made a 2.0.15 test install (it's in /public/testforum/), same problem running Curve, so it's something in database.  Took Arantor's hint and looked at 0 post group.  It's there, permissions set for 'Use unique permissions' (believe that's default).  Changed it to 'Inherit From: Regular Members', that fixed problem.  Changed it back, still fixed.  Now username is not being displayed in user info block in header in PIRC Blues theme (never touched theme).  Ran repair_settings.php several times back and forth from forum to test install, now it's working.

Anyway, seems to be ok.  I uninstalled the 2.1 admin area mod, parts of it don't work (you don't need it).  Emptied /cache and disabled caching (you don't need it).  Deleted two repair_settings.php files that had been renamed in forum root (security risk).  Leave the test install until you're sure everything's ok, then you can delete it.

Not really comfortable fixing a problem without knowing why, keep an eye on things.

MaryLouW

Wow, that's a lot of strange things! I am so grateful that you were able to fix everything because I don't get into areas that I do not understand. I have installed and uninstalled many different mods over the years and it's possible that something didn't do what it should have.

Thank you so much!!   Another Hero added to my list!   The best part of using this software is, there is always someone here who is willing to help.  For "every day non-geek" people like me, we could not have a forum otherwise.  I can only manage what is visible.  I have been wanting to change the birthday message for years but not sure where to find that but that's okay.  At this time of year, I'm happy that everything is running as it should.  I am leaving your account as is just in case!

You and all the other good people here are greatly appreciated!  Thank you again!

Sir Osis of Liver

Birthday message is in Admin -> Mail -> Settings.

Good luck with your forum.

MaryLouW

Thank you!! Will definitely check that out.  Thanks again for all you did to keep things running as they should on my forum.  The link to the admin section is no longer visible when a regular user logs in.  :)
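
An added example, not part of any poster's message and not SMF's own code: one way to list which non-staff groups hold a permission that exposes the Admin link, which is where the thread's fix ended up looking (the 0-post group). The table and column names assume SMF 2.0 with the default `smf_` prefix, the permission list is assumed from the `allow_admin` check in Sources/Subs.php, and the rows are constructed sample data loaded into SQLite so the query runs offline.

```python
import sqlite3

# Permissions that make SMF 2.0 show the Admin link. Assumed from the
# allow_admin check in Sources/Subs.php; compare with your own copy.
ADMIN_PERMS = ("admin_forum", "manage_boards", "manage_permissions",
               "moderate_forum", "manage_membergroups", "manage_bans",
               "send_mail", "edit_news", "manage_attachments", "manage_smileys")

# add_deny = 1 is a grant, 0 is an explicit deny. Table names assume the
# default "smf_" prefix.
AUDIT_SQL = """
SELECT p.id_group, COALESCE(g.group_name, 'built-in') AS group_name,
       COALESCE(g.min_posts, -1) AS min_posts, p.permission
FROM smf_permissions AS p
LEFT JOIN smf_membergroups AS g ON g.id_group = p.id_group
WHERE p.add_deny = 1
  AND p.permission IN ({perms})
  AND p.id_group NOT IN ({trusted})
ORDER BY p.id_group, p.permission
"""

def audit_admin_perms(conn, trusted_groups):
    """Return (id_group, name, min_posts, permission) for every admin-area
    permission granted to a group outside trusted_groups."""
    trusted = sorted(trusted_groups)
    sql = AUDIT_SQL.format(perms=",".join("?" * len(ADMIN_PERMS)),
                           trusted=",".join("?" * len(trusted)))
    return conn.execute(sql, (*ADMIN_PERMS, *trusted)).fetchall()

def build_sample_db():
    """Constructed data: group 4 is a 0-post group holding two stray grants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE smf_membergroups (id_group INT, group_name TEXT, min_posts INT);
        CREATE TABLE smf_permissions (id_group INT, permission TEXT, add_deny INT);
        INSERT INTO smf_membergroups VALUES
            (1, 'Administrator', -1), (4, 'Newbie', 0), (9, 'Staff', -1);
        INSERT INTO smf_permissions VALUES
            (0, 'profile_view_any', 1), (4, 'edit_news', 1), (4, 'send_mail', 1),
            (9, 'manage_boards', 1), (-1, 'manage_bans', 0);
    """)
    return conn

if __name__ == "__main__":
    # Groups 1 (Administrator) and 9 (Staff) are meant to have admin access.
    for row in audit_admin_perms(build_sample_db(), {1, 9}):
        print("group %s (%s, min_posts=%s) is granted %s" % row)
```

Any row returned for a group with `min_posts` of 0 or more is a post-count group that would see the Admin link; on a live forum the same SELECT can be run read-only in the database tool of your choice with your own prefix and trusted group ids.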

MaryLouW

I think I might have another problem. I was checking out my Christmas Theme today and later, was checking the error log. There were error messages generated while I was in the Christmas Theme. All had something to do with the greeting. Is this something I can fix myself? If I leave it go, I'm sure that we'll have hundreds of error pages by the end of the holiday season.

I am posting the error message here. 

If this happens in my Christmas Theme, it most likely happens in my ones for Valentine's Day, St. Pat, etc.

Sir Osis of Liver

Not on my computer, will have a look when I'm on tomorrow.

MaryLouW

You won't see the error message unless you change your theme to Christmas.  It is fine when using the one I have up right now.  I don't plan to put the Christmas one up until Friday..    Thanks!!!!!

SaltedWeb

Might want to make a note of location, IP and email used by this person.
They may try and come back using a Tor or mask the IP.
Depends how much this is automated by them and how much it is trying to only get access on your site only.
Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

Sir Osis of Liver

Quote from: SaltedWeb on November 28, 2017, 11:06:09 PM
Might want to make a note of location, IP and email used by this person.
They may try and come back using a Tor or mask the IP.
Depends how much this is automated by them and how much it is trying to only get access on your site only.

WTF?

MaryLouW

Quote from: SaltedWeb on November 28, 2017, 11:06:09 PM
Might want to make a note of location, IP and email used by this person.
They may try and come back using a Tor or mask the IP.
Depends how much this is automated by them and how much it is trying to only get access on your site only.

The problem has been fixed by Sir Osis of Liver. :)  The guy was not a hacker, he just saw a link and clicked on it - it was a link that he should not have been able to see.   That has all been taken care of.  Thanks again Sir Osis!!!


Sir Osis of Liver

Fixed your Xmas theme, it was a minor glitch.  Cleared error log, keep an eye on it, you're getting other errors.

MaryLouW

Okay!!  That was FAST!!!   Will keep an eye on things - hopefully nothing serious.   Really appreciate you!!! :)
