YaBB Community and Support Forum
Board hacked - how to solve this Safety-Issue? (Read 5,356 times)
 Aug 6th, 2012 at 4:17am
GT-Eins 
Hi Guys
For 3 weeks, our board has been temporarily blocked for each user individually for several hours.
After the login instead of the screen with the Subforums the following message appears:

...

After 2-3 hours the login works again.

Does anyone know this? If yes, how did you get rid of it?

A colleague suspected a code injection, but I have not found any updated files in our YaBB folder on the server yet (honestly, I did not know where to search in particular).

In the last year we had a rising number of crowdturfers, which I had to eliminate regularly. Maybe one was able to hack the code, but I don't know where and when. His ID is obviously deleted.

Any help is welcome!
 
 Reply #1 - Aug 6th, 2012 at 4:24am
GT-Eins 
Admins: please move the topic to the "Anti-Spam" forum if more suitable.
Sorry, I did not discover that at first view. Roll Eyes
 
 Reply #2 - Aug 6th, 2012 at 4:31am
Alejandro Raggio 
I'll be interested in reading the answer as well, as I probably had a similar issue with another software and want to be cautious to avoid that happening to my boards as well (actually I had plenty of bots registering, but they never got that far).
 
 
 Reply #3 - Aug 6th, 2012 at 4:50am
Dandello 
It looks like the login script is trying to access bogus spammy member files. Check your ./Members/ directory, especially membersinfo.txt. While this may not explain why the members are locked out and then things clear up, this is at least a place to start. The code looks like someone managed to put URLs into somewhere they don't belong.
 
 Reply #4 - Aug 6th, 2012 at 1:19pm
xnoddyx 
What version of YaBB are you running, and have you any mods installed? Also check the .htaccess in the cgi-bin/yabb/ or cgi-bin/yabb2/ folder. If this is clean, then can you make me an admin account and send this and your FTP info in a PM to me, please? Smiley
« Last Edit: Aug 6th, 2012 at 1:21pm by xnoddyx »  
YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
 Reply #5 - Aug 6th, 2012 at 6:31pm
GT-Eins 
Our current version is YaBB 2.3.1
No mods installed
I'll try to check the files now.
 
 Reply #6 - Aug 6th, 2012 at 7:04pm
GT-Eins 
.htaccess is full of entries, as I tried to raise the Guardian level in the last days to get a thumb on the problem.
Think we cannot find anything here.

 
 Reply #7 - Aug 6th, 2012 at 7:19pm
JonB 
I think I know what the problem is:

Look at the very end of the error message. It ends in '.pre', then you get the 'File not found'

I think a huge string was pasted into the membername field @ registration - it's sitting in ./Members as an unvalidated member. When a login has to happen, the member-locator-search trips logic over it (it probably evaluates the filenames in the ./Members folders). There are so many rule-breakers in the string with escaped characters, it's hard to say how it's actually read in.

So I agree with Dandello on the basic problem.

Roll Eyes

Good Luck

« Last Edit: Aug 6th, 2012 at 7:26pm by JonB »  
I find your lack of faith disturbing.
 Reply #8 - Aug 6th, 2012 at 7:35pm
GT-Eins 
Thanks
How can I locate the unvalidated Member-file?
e.g. Download all from the last 4 weeks and open them?
 
 Reply #9 - Aug 6th, 2012 at 7:41pm
Dandello 
Doh!

And that would be ./Members/ too. I always forget that one. As I recall .pre is the interim file between registering and approval if you're using either admin approval or email activation for registration, and because of all the garbage it was never written - because YaBB kicked them.

You should also be seeing this in your error logs - along with an IP address for the miscreant trying to login using garbage.

Of course, the next question is, why does this seem to be locking up the login script when it really shouldn't be.

Edited:
Look and see if you have any .pre files in ./Members/ But I'm betting it's not there. What I think is happening is someone is trying to log in using garbage and naturally YaBB can't find a file whose name is 500+ characters of garbage.  I see this from time to time in the error logs on my own boards. Of course, the question then becomes, what's going on to lock up the log in script when someone tries to log in with real credentials?  In the meantime - ban the IPs you find in your error log.

« Last Edit: Aug 6th, 2012 at 7:48pm by Dandello »  
 Reply #10 - Aug 6th, 2012 at 7:44pm
GT-Eins 
Dandello wrote on Aug 6th, 2012 at 4:50am:
It looks like the login script is trying to access bogus spammy member files. Check your ./Members/ directory, especially membersinfo.txt. While this may not explain why the members are locked out and then things clear up, this is at least a place to start. The code looks like someone managed to put URLs into somewhere they don't belong.

Memberfiles.info checked - it's clean so far (no buggy names).
 
 Reply #11 - Aug 6th, 2012 at 8:00pm
GT-Eins 
JonB wrote on Aug 6th, 2012 at 7:19pm:
I think I know what the problem is:

Look at the very end of the error message. It ends in '.pre', then you get the 'File not found'

I think a huge string was pasted into the membername field @ registration - it's sitting in ./Members as an unvalidated member. When a login has to happen, the member-locator-search trips logic over it (it probably evaluates the filenames in the ./Members folders). There are so many rule-breakers in the string with escaped characters, it's hard to say how it's actually read in.

So I agree with Dandello on the basic problem.

Roll Eyes

Good Luck



Thanks JonB!!!
Would it help to kick out all .pre-files which are obviously from bots?
(I would keep a copy of these for further examination of the problem)
 
 Reply #12 - Aug 6th, 2012 at 8:31pm
Dandello 
I'm not up on 2.31 but I think you should be able to clear the bot pre registrations out from the Admin's registration log.

But I'm also kind of thinking that particular file was never even written - someone is trying to use that string or something like it to get through YaBB's security - maybe trying to emulate a MySQL injection? And choking the login script.

But checking through the various member*.* files and .pre files won't hurt.

Like I indicated, I've seen strings like that in my error logs - I go and ban the IPs.
« Last Edit: Aug 6th, 2012 at 8:31pm by Dandello »  
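
Added example (not part of the thread and not YaBB code): one way to go through a copy of ./Members/ as suggested above, listing every .pre file and any entry whose name is oversized, contains a URL, or uses characters outside an allow-list. The allow-list, the 40-character limit and the sample file names are assumptions made for this example.

```python
import re
import tempfile
import time
from pathlib import Path

# Assumptions for this example (not YaBB settings): an allow-list for member
# file names, and 40 characters as the longest plausible member name.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_.-]+$")
URL_HINT = re.compile(r"https?|www\.|%[0-9a-f]{2}", re.IGNORECASE)
MAX_STEM = 40


def triage_members(members_dir, recent_days=28, now=None):
    """Return {filename: [reasons]} for entries in members_dir worth opening."""
    now = time.time() if now is None else now
    findings = {}
    for path in sorted(Path(members_dir).iterdir()):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix == ".pre":
            reasons.append("pending registration (.pre)")
        if len(path.stem) > MAX_STEM:
            reasons.append("name longer than %d characters" % MAX_STEM)
        if not SAFE_STEM.match(path.stem):
            reasons.append("characters outside the allow-list")
        if URL_HINT.search(path.stem):
            reasons.append("URL or percent-encoding in the name")
        if reasons:
            # Annotate recent changes so the last few weeks stand out.
            age_days = (now - path.stat().st_mtime) / 86400
            if age_days <= recent_days:
                reasons.append("modified in the last %d days" % recent_days)
            findings[path.name] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample directory; point triage_members at a copy of ./Members/.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("membersinfo.txt", "alice.pre",
                     "http%3A%2F%2Fspam.example%2Fpills.pre", "A" * 60 + ".pre"):
            Path(tmp, name).write_text("constructed sample\n")
        for name, reasons in triage_members(tmp).items():
            print(name, "->", "; ".join(reasons))
```

Run it against a downloaded copy rather than the live directory, so suspect files can be kept for later examination.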
 Reply #13 - Aug 6th, 2012 at 9:02pm
xnoddyx 
Dandello wrote on Aug 6th, 2012 at 8:31pm:
someone is trying to use that string or something like it to get through YaBB's security - maybe trying to emulate a MySQL injection? And choking the login script.

Do you think setting Activate scripting blocking, UNION Blocking, CLIKE Blocking "The Guardian™" will help this? I have all the "The Guardian™" items on.
 
 Reply #14 - Aug 6th, 2012 at 10:15pm
Dandello 
It's my understanding that those will only help if you're actually using MySQL. (It looks like those features simply came from the original Guardian script as a one-size-fits-all thing.)

My feeling is what's happening in this case is someone is repeatedly trying to log in and/or register with garbage strings. Possibly as a DoS attack.

I know that from my own 2.5 error logs, once a bot has tried to register - even if it's been blocked by StopForumSpam or the other spam catchers, and even though I have Admin approval turned on, there are repeated attempts to login with the bad credentials within seconds of the first attempt to register.

Which is why I recommended banning the IP address if possible.

I'm not sure if the lock-up issue is one that was taken care of in 2.4/2.5 - but I do know that I see this in my error log and I haven't had reports of people getting weird screens instead of their usual issues in logging in.

Since YaBB 2.31 is flat-file, a MySQL injection attack simply isn't going to work - there's no MySQL to attack. But the bots don't know that.
« Last Edit: Aug 6th, 2012 at 10:21pm by Dandello »  
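
Added example (not part of the thread and not YaBB code): the error-log review recommended above, reduced to a script that lists source IPs whose attempts carry oversized or URL-bearing names or arrive in bursts within seconds. The "timestamp|ip|action|username" line layout, the thresholds and the sample lines are constructed for this example and are not YaBB's real error-log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed "timestamp|ip|action|username" layout.
# This is NOT YaBB's real error-log format; adapt parse_line() to your log.
SAMPLE_LOG = """\
2012-08-06 03:58:01|203.0.113.7|register|{junk}
2012-08-06 03:58:03|203.0.113.7|login|{junk}
2012-08-06 03:58:04|203.0.113.7|login|{junk}
2012-08-06 04:02:10|198.51.100.20|login|GT-Member
2012-08-06 04:02:40|198.51.100.20|login|GT-Member
2012-08-06 04:05:00|192.0.2.55|login|http://spam.example/cheap-pills
""".format(junk="%27" * 170)       # 510 characters of garbage

MAX_NAME = 40                      # assumed longest legitimate member name
BURST = 3                          # this many events from one IP ...
WINDOW = timedelta(seconds=10)     # ... inside this window count as a burst


def parse_line(line):
    # maxsplit=3 keeps the name intact even if the garbage contains "|".
    stamp, ip, action, name = line.split("|", 3)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), ip, action, name


def ban_candidates(log_text):
    """Return {ip: sorted reasons} for sources that look automated."""
    events, reasons = defaultdict(list), defaultdict(set)
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        when, ip, _action, name = parse_line(line)
        events[ip].append(when)
        if len(name) > MAX_NAME:
            reasons[ip].add("oversized name")
        if "://" in name:
            reasons[ip].add("URL in name")
    for ip, times in events.items():
        times.sort()
        for i in range(len(times) - BURST + 1):
            if times[i + BURST - 1] - times[i] <= WINDOW:
                reasons[ip].add("burst of attempts")
                break
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in ban_candidates(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(why))
```

Review the candidates before banning, since several members can share one address.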