Board hacked - how to solve this Safety-Issue? (Read 6,135 times)
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 2,125
Location: Earth
YaBB 2.6.0
Re: Board hacked - how to solve this Safety-Issue?
Reply #37 - Sep 13th, 2012 at 7:55pm
The version in question was an older one. The newer versions of YaBB have length limits on things in the query string. And these things were ending up in the error log, so they were just filling up the error log and not doing anything detrimental to the board itself. So it was an annoyance, not a board-breaking threat. And yes, YaBB does have pretty extensive regexes to prevent bad stuff from getting through.

If you only have one solution to a problem you're not trying hard enough!
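The length limits Dandello mentions are one kind of check that keeps junk out of the error log. Below is an added example, not YaBB's own code, of a query-string checker that rejects over-long or non-printable parameter values before they reach the forum scripts; the 64-character limit, the function names and the sample query strings are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example (not YaBB code): reject over-long or non-printable
# query-string values instead of letting them reach the board scripts.
use strict;
use warnings;

# Hypothetical limit; the thread does not quote YaBB's real per-parameter limits.
my $MAX_LEN = 64;

# Decode one application/x-www-form-urlencoded value.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Check every key=value pair of a query string.
# Returns a list of problem descriptions; an empty list means "acceptable".
sub check_query_string {
    my ($qs, $max_len) = @_;
    $max_len //= $MAX_LEN;
    my @problems;
    # '&' is the usual separator; ';' is accepted too, as CGI.pm does.
    for my $pair (split /[&;]/, $qs) {
        next if $pair eq '';
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        $k = url_decode($k);
        $v = url_decode($v);
        if (length($v) > $max_len) {
            push @problems,
                sprintf('%s: value too long (%d > %d)', $k, length($v), $max_len);
        }
        # Control characters (NUL, CR, LF, ...) never belong in a board/num/action value.
        if ($v =~ /[\x00-\x1F\x7F]/) {
            push @problems, "$k: contains non-printable characters";
        }
    }
    return @problems;
}

# Constructed sample inputs, not taken from the real error log.
my @samples = (
    'board=0403&action=login',
    'board=&action=login&username=' . ('A' x 300),
    'num=1261129%0D%0A%00junk',
);
for my $qs (@samples) {
    my @p = check_query_string($qs);
    printf "%-40.40s -> %s\n", $qs, (@p ? join('; ', @p) : 'ok');
}
```

Rejecting the request (or just logging one short line) when the list is non-empty is what keeps a flood of "super-strings" from turning into thousands of log entries.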
 
Elfen
Full Member
Posts: 450
Re: Board hacked - how to solve this Safety-Issue?
Reply #36 - Sep 13th, 2012 at 6:11pm
Dandello wrote on Aug 10th, 2012 at 2:29pm:
You can see all the non-renderable characters in the string interrupting it. You can empty out the errorlog by hand if necessary. It's in ./Variables. Each line ends with a
Code
\n
(end of line.) It may be invisible in your text editor but it's there.

Looking at the string, it seems to me that it's in the Windows character set and not the standard UTF-8 set. But looking at it, it is not MySQL injection code. That would have actual MySQL code in it to inject those links into the database; this does not have that.

Dandello wrote on Aug 10th, 2012 at 2:29pm:
I'm also wondering - just wondering, mind you - how all those
Code
[url=
got passed through because those are UBB code.

As far as I see, there are too many 's and "s in the code, along with a few :s. This would probably render such pattern matching useless, I believe. Correct me if I'm wrong.

Does YaBB have pattern matching and replacement routines to try to stop injected code from being put in as a login or in posts? In the programs I write, I automatically put in things like:
Code
$text =~ s/</&lt;/g;   # replace every '<' in the input with its HTML entity
to replace <, as used in HTML code, and render it as an ASCII code &lt; which prints a '<' but renders the code useless.
I do the same with 'script', 'java', and a few other key words.

Everything else that all others said about setting protection and banning IP addresses, I also do.
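As an added example (not YaBB's code and not Elfen's actual routines), the block below puts the single substitution from the post next to a full HTML-entity escaper and a keyword blacklist of the kind described, run over constructed payloads. It shows two things the post does not: the substitution needs the /g flag to catch every '<', and a once-only keyword strip can be defeated by nesting the keyword inside itself. The function names and payloads are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not YaBB's own code: output escaping versus keyword blacklists.
use strict;
use warnings;

# Escape the five HTML metacharacters. Order matters: '&' must go first,
# otherwise the '&' introduced by '&lt;' would itself be re-escaped.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Keyword blacklist of the kind described in the post (hypothetical).
# Deleting each word once leaves a bypass: removing 'script' from
# 'scrscriptipt' produces 'script' again, because s///g scans left to
# right once and does not re-examine the text it has already passed.
sub strip_keywords {
    my ($s) = @_;
    $s =~ s/script//gi;
    $s =~ s/java//gi;
    return $s;
}

# Constructed payloads, not taken from the thread's logs.
my @payloads = (
    q{<script>alert(1)</script>},
    q{<scrscriptipt>alert(1)</scrscriptipt>},
    q{<img src=x onerror="alert(1)">},
    q{[url=javascript:alert(1)]x[/url]},
);

for my $p (@payloads) {
    print "original : $p\n";
    print "keywords : ", strip_keywords($p), "\n";
    print "escaped  : ", escape_html($p), "\n\n";
}
```

The third payload carries no blacklisted word at all, so the keyword filter passes it untouched, while escape_html() neutralises all four because it does not care what the markup says, only that it cannot be parsed as markup.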
 
Dandello
YaBB Administrator
Re: Board hacked - how to solve this Safety-Issue?
Reply #35 - Aug 12th, 2012 at 12:45am
I don't see them on mine either - and seeing 'Failed Fruit test' gives me a lift.

westwegoman
Ex Member
Re: Board hacked - how to solve this Safety-Issue?
Reply #34 - Aug 11th, 2012 at 10:31pm
I disabled the captcha and added spam fruits and the anti-spam question mod to my forum. It's been about 6 months and actually, I can't remember one getting through.
« Last Edit: Aug 11th, 2012 at 10:34pm by WestwegoMan »

Dandello
YaBB Administrator
Re: Board hacked - how to solve this Safety-Issue?
Reply #33 - Aug 11th, 2012 at 1:43pm
1. captcha fix AND ( SpamFruits OR Anti-Spam Question ) (They're supposed to work with 2.3.1)
2. go to hand registrations (protect your email address)
3. YaBB 2.5 - but before you open for registrations ADD captcha fix AND ( SpamFruits OR Anti-Spam Question ) and StopForumSpam.

and be on the lookout for new anti-spam mods.

Good luck.
« Last Edit: Aug 11th, 2012 at 1:44pm by Dandello »

GT-Eins
YaBB Newcomer
Posts: 34
Location: Garbsen, Hannover, Germany
Re: Board hacked - how to solve this Safety-Issue?
Reply #32 - Aug 11th, 2012 at 8:52am
Thx Dandello

so
1st) the Captcha-fix
if that doesn't work:
2nd) shut down registrations
later in the year
3rd) yabb 2.5

I'll keep you updated on the effects

Dandello
YaBB Administrator
Re: Board hacked - how to solve this Safety-Issue?
Reply #31 - Aug 10th, 2012 at 2:29pm
You can see all the non-renderable characters in the string interrupting it. You can empty out the errorlog by hand if necessary. It's in ./Variables. Each line ends with a
Code
\n
(end of line.) It may be invisible in your text editor but it's there.

You might also look at this captcha 'fix': http://www.yabbforum.com/community/YaBB.pl?num=1324832594 The people who use it swear by it.

I'm also wondering - just wondering, mind you - how all those
Code
[url=
got passed through because those are UBB code.

In the short term you might want to shut down registrations through the site, put up an apology and an encoded email address for people to ask to be registered. (Encoded as in using JavaScript to hide the contact email - make it a gmail or free email account you can abandon later - or a separate contact form - again using a disposable email address for the contact address.) It's more work for you but it has to be less than cleaning out files repeatedly and tearing your hair out while these *tards try to break your forum.

Edited:
I know the above advice seems counter-intuitive, but they're coming back and attacking because they've gotten through the first step. So if you can stop them from getting through at all, they'll eventually give up (for a while). But get some anti-spam mods added at least so you can resume normal registration.
« Last Edit: Aug 10th, 2012 at 2:42pm by Dandello »

GT-Eins
YaBB Newcomer
Re: Board hacked - how to solve this Safety-Issue?
Reply #30 - Aug 10th, 2012 at 12:14pm
Just restored the error-log with an old version - let's see what it will reveal.

GT-Eins
YaBB Newcomer
Re: Board hacked - how to solve this Safety-Issue?
Reply #29 - Aug 10th, 2012 at 12:08pm
Sh§t!!
It's still there
And also the error log is now corrupted as well!

I'll empty the registration-log at once

an update on 2.5 is on our schedule (but just near winter)

Dandello
YaBB Administrator
Re: Board hacked - how to solve this Safety-Issue?
Reply #28 - Aug 10th, 2012 at 1:32am
Well, the registration log can be emptied out and the errors cleared - I'm assuming that regular users aren't being negatively affected?

I'm told that Anti-Spam Question should work on 2.3.1 http://www.boardmod.org/yabb2/YaBB.pl?num=1316894374
or SpamFruits http://www.carsten-dalgaard.dk/cgi-bin/yabb2/YaBB.pl?num=1318072608

Either one of these should stop them in their tracks.

xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
Posts: 1,584
Location: UK:Scotland/livingston
Re: Board hacked - how to solve this Safety-Issue?
Reply #27 - Aug 10th, 2012 at 12:40am
Dandello, yep, looks like a bot attack. Most of the Error Log is full with
Quote:
Error: The validation code is not identical to that shown on-screen graphics. Please go back, reload the page (press F5 in most browsers) and try again.
66 of them, and 87
Quote:
Error: username / password is incorrect. Either the username does not exist, or you used the wrong password.
and 2 "ALERT!! Form Spoofing Detected coming from IP address:", all out of 212. The Registration Log is sitting at 3418 pages as well.

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
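The counts xnoddyx reports were made by hand. The script below is an added example, not part of YaBB, that produces the same kind of tally from the error log, grouped by message and by client IP so that a single address hammering the login and registration forms stands out. The pipe-separated record layout, the field names and the sample lines are assumptions; split_line() has to be adapted to the real file in ./Variables.

```perl
#!/usr/bin/perl
# Added example, not part of YaBB: tally a YaBB-style error log by message
# and by client IP to spot a registration/login bot.
use strict;
use warnings;

# ASSUMED record layout: timestamp|ip|message|url, one record per line.
# The real file in ./Variables may use other fields; adjust this function.
sub split_line {
    my ($line) = @_;
    chomp $line;
    my ($ts, $ip, $msg, $url) = split /\|/, $line, 4;
    return unless defined $msg;
    return +{ ts => $ts, ip => $ip, msg => $msg, url => $url // '' };
}

# Collapse the variable parts of a message so identical error types group
# together (line numbers, counts and the IP echoed in the spoofing alert).
sub normalise {
    my ($msg) = @_;
    $msg =~ s/\s+/ /g;
    $msg =~ s/\d+/N/g;
    return $msg;
}

# Returns two hash refs: counts per normalised message and counts per IP.
sub tally {
    my (@lines) = @_;
    my (%by_msg, %by_ip);
    for my $line (@lines) {
        my $r = split_line($line) or next;   # skip malformed records
        $by_msg{ normalise($r->{msg}) }++;
        $by_ip{ $r->{ip} }++;
    }
    return (\%by_msg, \%by_ip);
}

# Constructed sample, not the real log from the thread.
my @sample = (
    '2012-08-09 18:01:02|203.0.113.7|Error: The validation code is not identical to that shown on-screen graphics.|YaBB.pl?action=register2',
    '2012-08-09 18:01:05|203.0.113.7|Error: username / password is incorrect.|YaBB.pl?action=login2',
    '2012-08-09 18:01:09|203.0.113.7|Error: The validation code is not identical to that shown on-screen graphics.|YaBB.pl?action=register2',
    '2012-08-09 18:02:10|198.51.100.20|Error: username / password is incorrect.|YaBB.pl?action=login2',
    '2012-08-09 18:03:44|203.0.113.7|ALERT!! Form Spoofing Detected coming from IP address: 203.0.113.7|YaBB.pl?action=login2',
    '2012-08-09 18:04:00|203.0.113.7|Untrapped Error : ./Sources/LogInOut.pl did not return a true value at ./Sources/Subs.pl line 1407.|YaBB.pl?action=login',
);

my ($by_msg, $by_ip) = tally(@sample);

print "By message:\n";
printf "  %4d  %s\n", $by_msg->{$_}, $_
    for sort { $by_msg->{$b} <=> $by_msg->{$a} } keys %$by_msg;

print "By IP (an address far above the rest is a ban candidate):\n";
printf "  %4d  %s\n", $by_ip->{$_}, $_
    for sort { $by_ip->{$b} <=> $by_ip->{$a} } keys %$by_ip;
```

Run against the real file, the per-IP list is what feeds the IP bans the thread discusses, and the per-message list tells you whether the captcha is actually being hit or whether the bot is skipping it with a spoofed form.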
 
Dandello
YaBB Administrator
Re: Board hacked - how to solve this Safety-Issue?
Reply #26 - Aug 9th, 2012 at 7:25pm
Are these new errors happening when regular members try to log in or when someone tries a 'super-string'?

What the error is telling us is that something stopped LogInOut.pl from going all the way to the end of the script like it's supposed to. But if it's only happening when a spammer is trying a super-string then that might be an error you can live with. I suspect the ultimate solution will be for you to upgrade to 2.5 at some point.

GT-Eins
YaBB Newcomer
Re: Board hacked - how to solve this Safety-Issue?
Reply #25 - Aug 9th, 2012 at 7:02pm
OK - At least the error now finally appeared in the error-log - but just for half an hour, then no further attempt was recorded.
There also appeared other error codes like the following two:

Quote:
Error: Untrapped Error :
./Sources/LogInOut.pl did not return a true value at ./Sources/Subs.pl line 1407.

http://www.gt-eins.at/cgi-bin/GT1-Forum/YaBB.pl?board=0403&action=&num=126112959...

or
Quote:
Error: Untrapped Error :
./Sources/LogInOut.pl did not return a true value at YaBB.pl line 162.

http://www.gt-eins.at/cgi-bin/GT1-Forum/YaBB.pl?board=&action=login

But things are looking good so far (Final confirmation tomorrow...)

Dandello
YaBB Administrator
Re: Board hacked - how to solve this Safety-Issue?
Reply #24 - Aug 9th, 2012 at 6:22pm
We'll keep our fingers crossed.

GT-Eins
YaBB Newcomer
Re: Board hacked - how to solve this Safety-Issue?
Reply #23 - Aug 9th, 2012 at 4:20pm
OK
I modified LogInOut.pl in the described way
let's see if that works
