Board hacked - how to solve this Safety-Issue? (Read 6,692 times)
Dandello
YaBB Administrator, YaBB Next Team, Operations Team, Beta Testers, Support Team
Posts: 2,272
Location: Earth
YaBB 2.6.1
Re: Board hacked - how to solve this Safety-Issue?
Reply #22 - Aug 8th, 2012 at 6:11pm
The next question - is it one login attempt causing the board to misbehave or is it multiple attempts?

I'm thinking what we may need is a mod that captures undesirable strings or overlong strings during the login/registration process and blocks them before they even get to the rest of the process. And adding parts of the domain name listed in the string to your Guardian Environment String Blocking probably wouldn't hurt.

The reason I keep talking about login is that the process goes like this:
Someone registers under email verification and/or Admin Approval. Their registration info is written to a .pre file and into membership.inactive. When their account is verified, that .pre file is replaced with a .vars file and the info in membership.inactive gets split into memberinfo.txt and memberlist.txt. BUT bad characters are supposed to go through a replacement process to protect the system.

AND between those two events, if someone tries to login before getting verified, the system looks in the memberinfo.txt for the .vars for the member with those credentials, then through the membership.inactive for the name on the .pre file, then the .pre file, before deciding that 'user' doesn't exist.

Now, for whatever reason, the login process is getting bogged - maybe during the check of membership.inactive since the .pre file doesn't match.

Just a thought - have you checked the membership.inactive file through either your host file manager or FTP?


Just double checked LogInOut to find the logic path.

And there IS a difference between 2.3.1 and 2.5 in LogInOut.pl.

So an upgrade to 2.5 will probably stop this.

In the meantime, open LogInOut.pl in a good text editor and find:
Code:
	&fatal_error("invalid_character","$loginout_txt{'35'} $loginout_txt{'241r'}") if ($username =~ /[^\w\+\-\.\@]/);



Replace it with:
Code:
	&fatal_error("invalid_character","$loginout_txt{'35'} $loginout_txt{'241r'}") if $username =~ /[^ \w\x80-\xFF\[\]\(\)#\%\+,\-\|\.:=\?\@\^]/;


This filter has to be passed before the program starts looking for the member files and should (I hope) help you out by blocking super-strings with bad characters in them.
« Last Edit: Aug 8th, 2012 at 8:56pm by Dandello »  

If you only have one solution to a problem you're not trying hard enough!
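Added illustration (not code from the thread or from YaBB itself): the two Perl character classes above rendered as Python bytes regexes, plus the "validate before any file lookup" ordering the post describes. Running it shows which constructed sample names each class lets through, so a reader can judge how much blocking comes from the character class and how much from a length cap. Assumptions: the 30-byte length cap is illustrative (the thread gives no real limit), the `active`/`inactive` dicts stand in for memberinfo.txt and membership.inactive, and bytes patterns are used so that `\w` is ASCII-only and `\x80-\xFF` are raw byte values, mirroring Perl on undecoded form input.

```python
import re

# The two Perl character classes from the post, as Python bytes regexes: on
# bytes, Python's \w is ASCII [A-Za-z0-9_] and \x80-\xFF are raw byte values,
# which mirrors how Perl treats undecoded form input. Each pattern matches one
# byte that the corresponding filter does NOT allow.
ORIGINAL_BAD = re.compile(rb"[^\w\+\-\.\@]")
WIDENED_BAD = re.compile(rb"[^ \w\x80-\xFF\[\]\(\)#\%\+,\-\|\.:=\?\@\^]")

# Assumed cap on username length (illustrative; the thread mentions 500+ byte
# garbage names but does not state YaBB's own limit).
MAX_USERNAME_LEN = 30


def check_username(name, pattern=WIDENED_BAD, max_len=MAX_USERNAME_LEN):
    """Return None if `name` (bytes) is acceptable, else a short reason.

    The length test runs before the regex so an overlong string is refused
    without being scanned, and both run before any member file is touched."""
    if not name:
        return "empty"
    if len(name) > max_len:
        return "too long: %d bytes" % len(name)
    hit = pattern.search(name)
    if hit:
        return "invalid byte %r at offset %d" % (hit.group(0), hit.start())
    return None


def lookup_member(name, active, inactive, pattern=WIDENED_BAD):
    """Validate first, then search in the order the post describes: active
    member records, then membership.inactive (pending .pre registrations).
    `active` and `inactive` are in-memory dicts standing in for the flat
    files, keyed by username; returns a (status, detail) pair."""
    reason = check_username(name, pattern)
    if reason is not None:
        return ("rejected", reason)
    key = name.decode("latin-1")  # flat-file names are bytes; Latin-1 is lossless
    if key in active:
        return ("active", active[key])
    if key in inactive:
        return ("pending", inactive[key])
    return ("unknown", "user does not exist")


# Constructed sample names: a plain one, one with a Latin-1 umlaut (0xFC),
# the bot-style name quoted elsewhere in the thread, and a 600+ byte junk string.
SAMPLES = {
    "plain": b"Dandello",
    "umlaut": b"M\xfcller",
    "bot": b"out#radbom[a..z]qo",
    "overlong": b"http://example.invalid/" + b"%2F" * 200,
}


def compare_filters(samples=SAMPLES):
    """Map each sample label to the list of filters that reject it, with the
    length cap disabled so only the character classes are compared."""
    result = {}
    for label, value in samples.items():
        result[label] = [
            fname
            for fname, pat in (("original", ORIGINAL_BAD), ("widened", WIDENED_BAD))
            if check_username(value, pat, max_len=10_000) is not None
        ]
    return result


if __name__ == "__main__":
    for label, hits in compare_filters().items():
        print("%-9s rejected by: %s" % (label, ", ".join(hits) or "neither"))
    print(lookup_member(b"M\xfcller", {}, {"M\xfcller": "awaiting approval"}))
    print(lookup_member(b"http://example.invalid/" + b"%2F" * 200, {}, {}))
```

The comparison makes the trade-off visible: the widened class admits high-bit bytes (so a name like "Müller" is no longer refused) and a number of extra punctuation characters, which is why the length check sits in front of it rather than relying on the character class alone.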
 
GT-Eins
YaBB Newcomer
Posts: 34
Location: Garbsen, Hannover, Germany
Re: Board hacked - how to solve this Safety-Issue?
Reply #21 - Aug 8th, 2012 at 5:09pm
They seem to change IP constantly - getting fed up with these!
  
Dandello (YaBB Administrator)
Re: Board hacked - how to solve this Safety-Issue?
Reply #20 - Aug 8th, 2012 at 3:24pm
Odd that the other errors you're describing aren't showing up in the error log since they should.

Anything that throws an error to the screen should be written into the error log - unless the error log is full. (I have mine set to 500 - that's about the number of errors I see on my sites in 1-2 days depending on traffic. You may want to set yours to a higher limit and keep checking it.)

I'm still betting that a bot is trying to log in with a 'super-string' and either there's something in that string that isn't being properly caught (or was caught and removed) so it's locking up the program or they're doing it repeatedly making it look like it's locked up.

BUT, the good news is your forum probably hasn't been hacked as the error being thrown won't let them in (otherwise it wouldn't be an error.) When you catch the IP addresses of the culprits, add them to your banned IP list to keep them from trying this BS again - until they change IPs.
  

 
GT-Eins (YaBB Newcomer)
Re: Board hacked - how to solve this Safety-Issue?
Reply #19 - Aug 8th, 2012 at 2:38pm
On 2 occasions now I found the following string in the error-log of the admin-site:
Quote:
out#radbom[a..z]qo
(5.39.218.236)      

Fehler: Ein ungültiges Zeichen ist im Benutzername Feld. Gültige Zeichen sind Buchstaben (A-Z,a-z), Zahlen (0-9), Leerzeichen und ( + - . @ _ )

http://www.gt-eins.at/cgi-bin/GT1-Forum/YaBB.pl?board=&action=login2

Obviously a bot trying to register with not supported characters.
  
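Added example, not part of the post: a small parser for error-log entries in the shape quoted above, grouping invalid-character errors by source IP so repeat offenders can be picked out for the ban list recommended elsewhere in the thread. The record layout (name line, IP in parentheses, the "Fehler: ..." message, then the URL, separated by blank lines) is assumed from the quoted excerpt; YaBB's real on-disk log may be laid out differently. Only the first record is the one from the post, the rest are constructed, with 192.0.2.0/24 documentation addresses.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample in the shape of the error-log excerpt quoted above: a
# username line, the source IP in parentheses, a blank line, the error text,
# a blank line, then the URL that raised it. Only the first record is the one
# from the thread; the rest are made up (192.0.2.0/24 is documentation space).
# YaBB's real on-disk error log may be laid out differently; adjust RECORD then.
INVALID_CHAR_MSG = ("Fehler: Ein ungültiges Zeichen ist im Benutzername Feld. "
                    "Gültige Zeichen sind Buchstaben (A-Z,a-z), Zahlen (0-9), "
                    "Leerzeichen und ( + - . @ _ )")
LOGIN_URL = "http://www.gt-eins.at/cgi-bin/GT1-Forum/YaBB.pl?board=&action=login2"

SAMPLE_LOG = "\n\n".join([
    "out#radbom[a..z]qo\n(5.39.218.236)\n\n%s\n\n%s" % (INVALID_CHAR_MSG, LOGIN_URL),
    "xyz#qqq[0..9]ab\n(5.39.218.236)\n\n%s\n\n%s" % (INVALID_CHAR_MSG, LOGIN_URL),
    "kjh#zzz[a..f]pp\n(192.0.2.77)\n\n%s\n\n%s" % (INVALID_CHAR_MSG, LOGIN_URL),
    "Dandello\n(192.0.2.10)\n\nFehler: (constructed placeholder for some other error)\n\n%s" % LOGIN_URL,
]) + "\n"

# One record: name line, "(ip)" line, blank, "Fehler: ..." line, blank, URL.
RECORD = re.compile(
    r"^(?P<name>[^\n]*)\n\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\n\n"
    r"(?P<error>Fehler:[^\n]*)\n\n(?P<url>http\S+)",
    re.MULTILINE,
)


def parse_records(text):
    """Return a list of dicts with name, ip, error and url for each record."""
    return [m.groupdict() for m in RECORD.finditer(text)]


def invalid_name_attempts(text):
    """Group invalid-character errors by source IP.

    Returns {ip: {"count": n, "names": [...], "actions": {...}}} where
    "actions" is the set of YaBB action= values (login2, register, ...) seen."""
    by_ip = defaultdict(lambda: {"count": 0, "names": [], "actions": set()})
    for rec in parse_records(text):
        if "ungültiges Zeichen" not in rec["error"]:
            continue  # some other error; not a garbage-name attempt
        entry = by_ip[rec["ip"]]
        entry["count"] += 1
        entry["names"].append(rec["name"])
        entry["actions"].update(parse_qs(urlparse(rec["url"]).query).get("action", []))
    return dict(by_ip)


def ban_candidates(text, threshold=2):
    """IPs with at least `threshold` invalid-character attempts, sorted."""
    return sorted(ip for ip, e in invalid_name_attempts(text).items()
                  if e["count"] >= threshold)


if __name__ == "__main__":
    for ip, e in invalid_name_attempts(SAMPLE_LOG).items():
        print(ip, e["count"], sorted(e["actions"]), e["names"])
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

The threshold keeps a single mistyped name from landing a real user on the ban list; since the thread notes the bots rotate IPs, the per-IP view is most useful for spotting bursts of repeated attempts from one address within a short time rather than as a permanent block list.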
 
Dandello (YaBB Administrator)
Re: Board hacked - how to solve this Safety-Issue?
Reply #18 - Aug 7th, 2012 at 3:23am
I can go for months without seeing one of the super-strings in my error log, then three will show up in one day.

Of course, of greater concern for the OP is why 2.3.1 seems to have this vulnerability. I wouldn't want to recommend upgrading to 2.4 or 2.5 unless we're quite sure this is something that doesn't hit newer boards, especially as it looks like there's not much difference between the code in LogInOut.pl 2.3.1 and 2.5AE.

Or is the OP's board being hit repeatedly by the same spammer, so it just looks like it's locked up? Need to see the error log to check out that one.
  

 
xnoddyx
Support Team, Documentation Team, YaBB Moderators, YaBB Next Team, Beta Testers
Posts: 1,587
Location: UK:Scotland/livingston
Re: Board hacked - how to solve this Safety-Issue?
Reply #17 - Aug 7th, 2012 at 12:25am
JonB wrote on Aug 6th, 2012 at 10:48pm:
@xnoddyx

Quote:
It's my understanding that those will only help if you're actually using mySQL. (It looks like those features simply came from the original Guardian script as a one-size-fits-all thing.)


Dandello is exactly correct - pure 'anti-MySQL-injection' tools.

Here's something else that might be the case - it could be that the bot is trying to validate itself - that would go with the 'can't be found' as the 'written' file's name was truncated by all the escaped characters.

I think we need to ask 'what is the registration method'?

and look at when the .pre file is written and what opens or evaluates it.


It's just that I have never had any string URLs in any of my forums, and that's from 2.3.1 and up, and also on test forums where I have put the URL up on spam traps; I was just thinking it was stopping it in some way.
  

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
 
Bill Myers
God Member, Beta Testers
Posts: 1,616
Location: Los Angeles
YaBB 2.5
Re: Board hacked - how to solve this Safety-Issue?
Reply #16 - Aug 6th, 2012 at 11:24pm
Dandello wrote on Aug 6th, 2012 at 10:15pm:
... someone is repeatedly trying to login and/or register with garbage strings ...

... I'm not sure if the lock-up issue is one that was taken care of in 2.4/2.5 ...

If it helps to know, I can confirm that garbage strings that have shown up in our 2.4 errors logs have not locked up anyone's ability to log in to our forum; thankfully.

I didn't know this about MySQL, but it makes sense. Good to know.

« Last Edit: Aug 6th, 2012 at 11:34pm by Bill Myers »  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
 
JonB
YaBB Administrator, YaBB Next Team, Operations Team, Beta Testers, Support Team
Posts: 3,821
Location: Land of the Blazing Sun!
YaBB 2.6.1
Re: Board hacked - how to solve this Safety-Issue?
Reply #15 - Aug 6th, 2012 at 10:48pm
@xnoddyx

Quote:
It's my understanding that those will only help if you're actually using mySQL. (It looks like those features simply came from the original Guardian script as a one-size-fits-all thing.)


Dandello is exactly correct - pure 'anti-MySQL-injection' tools.

Here's something else that might be the case - it could be that the bot is trying to validate itself - that would go with the 'can't be found' as the 'written' file's name was truncated by all the escaped characters.

I think we need to ask 'what is the registration method'?

and look at when the .pre file is written and what opens or evaluates it.

  

I find your lack of faith disturbing.
 
Dandello (YaBB Administrator)
Re: Board hacked - how to solve this Safety-Issue?
Reply #14 - Aug 6th, 2012 at 10:15pm
It's my understanding that those will only help if you're actually using mySQL. (It looks like those features simply came from the original Guardian script as a one-size-fits-all thing.)

My feeling is what's happening in this case is someone is repeatedly trying to login and/or register with garbage strings. Possibly as a DOS attack.

I know that from my own 2.5 error logs, once a bot has tried to register - even if it's been blocked by StopForumSpam or the other spam catchers, and even though I have Admin approval turned on, there are repeated attempts to login with the bad credentials within seconds of the first attempt to register.

Which is why I recommended banning the IP address if possible.

I'm not sure if the lock-up issue is one that was taken care of in 2.4/2.5 - but I do know that I see this in my error log and I haven't had reports of people getting weird screens instead of their usual issues in logging in.

Since YaBB 2.31 is flat-file, a mySQL injection attack simply isn't going to work - there's no mySQL to attack. But the bots don't know that.
« Last Edit: Aug 6th, 2012 at 10:21pm by Dandello »  

 
xnoddyx (Support Team)
Re: Board hacked - how to solve this Safety-Issue?
Reply #13 - Aug 6th, 2012 at 9:02pm
Dandello wrote on Aug 6th, 2012 at 8:31pm:
someone is trying to use that string or something like it to get through YaBB's security  - maybe trying to emulate a mySQL injection? And choking the login script.

Do you think setting Activate scripting blocking, UNION Blocking and CLIKE Blocking in "The Guardian™" will help with this? I have all the "The Guardian™" items on.
  

 
Dandello (YaBB Administrator)
Re: Board hacked - how to solve this Safety-Issue?
Reply #12 - Aug 6th, 2012 at 8:31pm
I'm not up on 2.31 but I think you should be able to clear the bot pre registrations out from the Admin's registration log.

But I'm also kind of thinking that particular file was never even written - someone is trying to use that string or something like it to get through YaBB's security  - maybe trying to emulate a mySQL injection? And choking the login script.

But checking through the various member*.* files and .pre files won't hurt.

Like I indicated, I've seen strings like that in my error logs - I go and ban the IPs.
« Last Edit: Aug 6th, 2012 at 8:31pm by Dandello »  

 
GT-Eins (YaBB Newcomer)
Re: Board hacked - how to solve this Safety-Issue?
Reply #11 - Aug 6th, 2012 at 8:00pm
JonB wrote on Aug 6th, 2012 at 7:19pm:
I think I know what the problem is:

Look at the very end of the error message. It ends in '.pre', then you get the 'File not found'

I think a huge string was pasted into the membername field @ registration - its sitting in ./Members. as an unvalidated member. When a login has to happen, the member-locator-search trips logic over it. (it probably evaluates the filenames in the ./Members folders) There's so many rule-breakers in the string with escaped characters its hard to say how its actually read in.

So I agree with Dandello on the basic problem.


Good Luck



Thanks JonB!!!
Would it help to kick out all .pre-files which are obviously from bots?
(I would keep a copy of these for further examination of the problem)
  
 
GT-Eins (YaBB Newcomer)
Re: Board hacked - how to solve this Safety-Issue?
Reply #10 - Aug 6th, 2012 at 7:44pm
Dandello wrote on Aug 6th, 2012 at 4:50am:
It looks like the login script is trying to access bogus spammy memberfiles. Check your ./Members/ directory , especially membersinfo.txt While this may not explain why the members are locked out then things clear up, this is at least a place to start. The code looks like someone managed to put urls into somewhere they don't belong.

Memberfiles.info checked - it's clean so far (no buggy names).
  
 
Dandello (YaBB Administrator)
Re: Board hacked - how to solve this Safety-Issue?
Reply #9 - Aug 6th, 2012 at 7:41pm
Doh!

And that would be ./Members/ too. I always forget that one. As I recall .pre is the interim file between registering and approval if you're using either admin approval or email activation for registration, and because of all the garbage it was never written - because YaBB kicked them.

You should also be seeing this in your error logs - along with an IP address for the miscreant trying to login using garbage.

Of course, the next question is, why does this seem to be locking up the login script when it really shouldn't be.

Edited:
Look and see if you have any .pre files in ./Members/ But I'm betting it's not there. What I think is happening is someone is trying to log in using garbage and naturally YaBB can't find a file whose name is 500+ characters of garbage.  I see this from time to time in the error logs on my own boards. Of course, the question then becomes, what's going on to lock up the log in script when someone tries to log in with real credentials?  In the meantime - ban the IPs you find in your error log.

« Last Edit: Aug 6th, 2012 at 7:48pm by Dandello »  

 
GT-Eins (YaBB Newcomer)
Re: Board hacked - how to solve this Safety-Issue?
Reply #8 - Aug 6th, 2012 at 7:35pm
Thanks
How can I locate the unvalidated Member-file?
e.g. Download all from the last 4 weeks and open them?
  
 