Normal Topic 3000 Script Abuse emails in two minutes (Read 134 times)
------
Senior Member
Beta Testers
Posts: 528
3000 Script Abuse emails in two minutes
Jul 3rd, 2013 at 6:06pm
I know The Guardian was doing its job and protected the forum so all is good. (I block the IP)

But what were they trying to do?

Quote:
Scripting Abuse Detected! on Jul 3, 2013  12:44pm

Abusing user ID (Real Name): Guest -> ()
Abuse detected from IP: 96.44.189.100
Blocked script in Url data: wrupdates and gth((select name from v$database where rownum=1))<56

The Woodturning Forum - Woodturner's Resource, The Guardian


BTW - I just turned on messageindex, messagepagedrop, messagepagetext in the Referrer Security
  
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 2,489
Location: Earth

YaBB 2.6.1
Re: 3000 Script Abuse emails in two minutes
Reply #1 - Jul 3rd, 2013 at 8:41pm
I'm not a security expert (or a PHP person) but that looks like a PHP/mySQL call they put into the query string. If that's the case, I suspect it was an attempt to force open one of the critical 'databases', like members. (But since YaBB doesn't use that structure, it's just infernally annoying rather than damaging.)
  

If you only have one solution to a problem you're not trying hard enough!
 
------
Senior Member
Beta Testers
Posts: 528
Re: 3000 Script Abuse emails in two minutes
Reply #2 - Jul 3rd, 2013 at 9:42pm
Dandello wrote on Jul 3rd, 2013 at 8:41pm:
looks like a PHP/mySQL call they put into the query string.



I suspected the same thing, thanks
  
 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
Posts: 1,593
Location: UK:Scotland/livingston

None
Re: 3000 Script Abuse emails in two minutes
Reply #3 - Jul 3rd, 2013 at 10:57pm
In The Guardian I have "Do you want an e-mail notification on any detected attempts?" off for most items so that I don't get an overload of them, and only turn the e-mail notification on when I am testing site security to see who is trying what.

Dandello wrote on Jul 3rd, 2013 at 8:41pm:
I'm not a security expert (or a PHP person) but that looks like a PHP/mySQL call they put into the query string. If that's the case, I suspect it was an attempt to force open one of the critical 'databases', like members.

Yes, it was a PHP/mySQL call, but it was not an attempt to force open one of the critical 'databases' but more of a query to list all items in the db on row 1, and on most database setups for website content CMS or forums:
v$database displays information about the database from the control file, or it can on Oracle,
and rownum=1 is like an index or main menu, column names.
See pics.




It is not much to worry about, apart from if you are using WordPress for website CMS or any items on your website that use a database in a standard format.
  

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
 
------
Senior Member
Beta Testers
Posts: 528
Re: 3000 Script Abuse emails in two minutes
Reply #4 - Jul 3rd, 2013 at 11:29pm
Thanks for the info xnoddyx, you did a great job explaining it.

I only started receiving emails last week from the Guardian just to see what's going on. I'll admit I didn't expect such a deluge today. I do have a gallery on the server that uses a MySQL database and it looks like it was not affected.

Once I'm comfortable that everything is back on track I plan on turning off the notifications.


  
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 2,489
Location: Earth

YaBB 2.6.1
Re: 3000 Script Abuse emails in two minutes
Reply #5 - Jul 3rd, 2013 at 11:54pm
xnoddyx wrote on Jul 3rd, 2013 at 10:57pm:
yes it was a PHP/mySQL call but it was not  an attempt to force open one of the critical 'databases' but more of a query to list all items in the db on row 1 and on most database setups for website content cms or forums
v$database
displays information about the database from the control file or it can on Oracle
and rownum=1
is like a index or main menu, column names



I freely admit to knowing next to nothing about mySQL hacks.  Huh
But I can't imagine people trying to get hold of the names in the top row as being at all benign in their intent.
  

 
------
Senior Member
Beta Testers
Posts: 528
Re: 3000 Script Abuse emails in two minutes
Reply #6 - Jul 4th, 2013 at 12:34am
Just impotent when it comes to YaBB (thanks to you folks).

« Last Edit: Jul 4th, 2013 at 12:36am by ------ »  
 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
Posts: 1,593
Location: UK:Scotland/livingston

None
Re: 3000 Script Abuse emails in two minutes
Reply #7 - Jul 4th, 2013 at 5:58am
------ wrote on Jul 3rd, 2013 at 11:29pm:
have a gallery on the server that uses a MySQL database and it looks like it was not affected.

yer as
Dandello wrote on Jul 3rd, 2013 at 8:41pm:
(But since YaBB doesn't use that structure, it's just infernally annoying rather than damaging.)

But if the same call was made on the gallery, depending on the security of it, they may have got a list from it. Has the gallery you use got a login system? May want to check that, or the URL data in your server logs, for e.g.:
Code
yoururl.com/gallery/index.php?t=good%20string&f=bad<br+%2F>string#v$database


Dandello wrote on Jul 3rd, 2013 at 11:54pm:
But I can't imagine people try to get hold of the names in the top row as being at all benign in their intent.

It is when they try to get YaBB to do it, as we all know YaBB doesn't have a database so it can't make that call to the database. Grin I don't even know why they try to make a query string for YaBB to call a database as it will fail every time. Roll Eyes @ them lol
  

 
------
Senior Member
Beta Testers
Posts: 528
Re: 3000 Script Abuse emails in two minutes
Reply #8 - Jul 4th, 2013 at 11:55am
xnoddyx wrote on Jul 4th, 2013 at 5:58am:
But if the same call was made on the gallery, depending on the security of it, they may have got a list from it. Has the gallery you use got a login system? May want to check that, or the URL data in your server logs, for e.g.:



Yes, the gallery uses a login system and it looks like that string data isn't in the logs. I guess I got lucky. Thanks
  
IP Logged
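
One way to do the server-log check suggested in Reply #7, as an added example that is not part of the original thread: it URL-decodes each request's query string (twice, to catch double encoding) and reports which scripts received input carrying the markers seen in the string The Guardian blocked. The log lines, the IP addresses (documentation ranges) and the `/cgi-bin/yabb2/YaBB.pl` path are constructed assumptions; the marker list covers the blocked string's `v$database`, `rownum` and parenthesised `select`, plus the generic `union select` form.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in Apache combined-log style. IPs are documentation ranges and
# the YaBB.pl path is assumed. The probe text is copied from the Guardian e-mail in
# the thread, once single-encoded and once double-encoded.
SAMPLE_LOG = '''\
203.0.113.7 - - [03/Jul/2013:12:44:01 +0000] "GET /cgi-bin/yabb2/YaBB.pl?action=wrupdates%20and%20gth((select%20name%20from%20v$database%20where%20rownum=1))%3C56 HTTP/1.1" 200 310
203.0.113.7 - - [03/Jul/2013:12:44:02 +0000] "GET /gallery/index.php?f=1%2520and%2520gth((select%2520name%2520from%2520v%2524database%2520where%2520rownum%253D1))%253C56 HTTP/1.1" 200 2048
198.51.100.20 - - [03/Jul/2013:12:45:10 +0000] "GET /gallery/index.php?t=select+a+bowl+from+the+list HTTP/1.1" 200 900
198.51.100.20 - - [03/Jul/2013:12:46:30 +0000] "GET /cgi-bin/yabb2/YaBB.pl?board=general HTTP/1.1" 200 7300
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
# Markers taken from the blocked string on this page, plus the common UNION form.
PROBE_RE = re.compile(r"v\$database|\brownum\b|\(\s*select\b|\bunion\s+select\b", re.I)

def decode(query, rounds=2):
    """URL-decode up to `rounds` times so double-encoded probes are not missed."""
    for _ in range(rounds):
        once = unquote_plus(query)
        if once == query:
            break
        query = once
    return query

def find_probes(log_text):
    """Return (ip, path, status, markers) for each request whose query looks like SQL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        path, _, query = target.partition("?")
        markers = sorted({s.lower() for s in PROBE_RE.findall(decode(query))})
        if markers:
            hits.append((ip, path, int(status), markers))
    return hits

def per_script(hits):
    """Count probes per (client IP, script) to see which applications were reached."""
    return Counter((ip, path) for ip, path, _, _ in hits)

if __name__ == "__main__":
    for (ip, path), n in per_script(find_probes(SAMPLE_LOG)).items():
        print(f"{n:5d}  {ip:15s}  {path}")
```

A hit against a database-backed script such as the gallery is the case worth following up; the ordinary search for "select a bowl from the list" is not flagged because the markers require a parenthesised subselect or the specific names.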
 