YaBB Community and Support Forum
YaBB Home About YaBB Download YaBB YaBB Support Customize Your Forum Development Contribute to the Project
  Welcome, Guest. Please Login or Register


 
Page Index Toggle Pages: 1
Topic Tools
 
3000 Script Abuse emails in two minutes (Read 1,063 times)
 Jul 3rd, 2013 at 6:06pm
There are no actions to perform.  

RonS2 
Full Member
Beta Testers
***
Offline
Posts: 446


YaBB 2.5
3000 Script Abuse emails in two minutes
I know The Guardian was doing its job and protected the forum so all is good. ( I block the IP)

But what were they trying to do?

Quote:
Scripting Abuse Detected! on Jul 3, 2013  12:44pm

Abusing user ID (Real Name): Guest -> ()
Abuse detected from IP: 96.44.189.100
Blocked script in Url data: wrupdates and gth((select name from v$database where rownum=1))<56

The Woodturning Forum - Woodturner's Resource, The Guardian


BTW - I just turned on  messageindex, messagepagedrop,  messagepagetext in the Referrer Security
 
 
IP Logged  
 Reply #1 - Jul 3rd, 2013 at 8:41pm
There are no actions to perform.  

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline
Posts: 1,858
Earth


YaBB 2.5
Re: 3000 Script Abuse emails in two minutes
I'm not a security expert (or a PHP person) but that looks like a PHP/mySQL call they put into the query string. If that's the case, I suspect it was an attempt to force open one of the critical 'databases', like members. (But since YaBB doesn't use that structure, it's just infernally annoying rather than damaging.)
 
WWW  
IP Logged  
 Reply #2 - Jul 3rd, 2013 at 9:42pm
There are no actions to perform.  

RonS2 
Full Member
Beta Testers
***
Offline
Posts: 446


YaBB 2.5
Re: 3000 Script Abuse emails in two minutes
Dandello wrote on Jul 3rd, 2013 at 8:41pm:
looks like a PHP/mySQL call they put into the query string.



I suspected the same thing, thanks
 
 
IP Logged  
 Reply #3 - Jul 3rd, 2013 at 10:57pm
There are no actions to perform.  

xnoddyx 
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline
Posts: 1,552
UK:Scotland/livingston


YaBB 2.5
Re: 3000 Script Abuse emails in two minutes
in  the The Guardian i have
Do you want an e-mail notification on any detected attempts?
off for most items so that i don't get an overload of them.
and only turn the e-mail notification on when i am testing site security to see who is trying what.

Dandello wrote on Jul 3rd, 2013 at 8:41pm:
I'm not a security expert (or a PHP person) but that looks like a PHP/mySQL call they put into the query string. If that's the case, I suspect it was an attempt to force open one of the critical 'databases', like members.

yes it was a PHP/mySQL call but it was not  an attempt to force open one of the critical 'databases' but more of a query to list all items in the db on row 1 and on most database setups for website content cms or forums
v$database
displays information about the database from the control file or it can on Oracle
and rownum=1
is like a index or main menu, column names
see pics

...
...

it is not much to worry about apart from if you are using wordpress for website cms or any items on your website that use a database in a standard format.
 
YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
WWW xnoddyx xnoddyx1  
IP Logged  
 Reply #4 - Jul 3rd, 2013 at 11:29pm
There are no actions to perform.  

RonS2 
Full Member
Beta Testers
***
Offline
Posts: 446


YaBB 2.5
Re: 3000 Script Abuse emails in two minutes
Thanks for the info xnoddyx you did a great job explaining it.

I only started receiving emails last week from the Guardian just to see whats going on. I'll admit I didn't expect such a deluge today. I do have a gallery on the server that uses a MySQL database and it looks like it was not effected.

Once I'm comfortable that everything is back on track I plan on turning off the notifications


 
 
IP Logged  
 Reply #5 - Jul 3rd, 2013 at 11:54pm
There are no actions to perform.  

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline
Posts: 1,858
Earth


YaBB 2.5
Re: 3000 Script Abuse emails in two minutes
xnoddyx wrote on Jul 3rd, 2013 at 10:57pm:
yes it was a PHP/mySQL call but it was not  an attempt to force open one of the critical 'databases' but more of a query to list all items in the db on row 1 and on most database setups for website content cms or forums
v$database
displays information about the database from the control file or it can on Oracle
and rownum=1
is like a index or main menu, column names



I freely admit to knowing next to nothing about mySQL hacks.  Huh
But I can't imagine people try to get hold of the names in the top row as being at all benign in their intent.
 
WWW  
IP Logged  
 Reply #6 - Jul 4th, 2013 at 12:34am
There are no actions to perform.  

RonS2 
Full Member
Beta Testers
***
Offline
Posts: 446


YaBB 2.5
Re: 3000 Script Abuse emails in two minutes
Just impotent when it comes to YaBB (thanks you you folks).

« Last Edit: Jul 4th, 2013 at 12:36am by RonS2 »  
 
IP Logged  
 Reply #7 - Jul 4th, 2013 at 5:58am
There are no actions to perform.  

xnoddyx 
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline
Posts: 1,552
UK:Scotland/livingston


YaBB 2.5
Re: 3000 Script Abuse emails in two minutes
RonS2 wrote on Jul 3rd, 2013 at 11:29pm:
have a gallery on the server that uses a MySQL database and it looks like it was not effected.

yer as
Dandello wrote on Jul 3rd, 2013 at 8:41pm:
(But since YaBB doesn't use that structure, it's just infernally annoying rather than damaging.)

but if the same call was made on the gallery depending on the security of it they may have got a list from it has the gallery you use got a loging system ? may want to check that or the url data in your server logs for i.e.
Code Select All
yoururl.com/gallery/index.php?t=good%20string&f=bad<br+%2F>string#v$database 


Dandello wrote on Jul 3rd, 2013 at 11:54pm:
But I can't imagine people try to get hold of the names in the top row as being at all benign in their intent.

it is when they try to get YaBB to do it as we all know YaBB don't have a database so it cant make that call to the database.  Grin i don't even know why they try to make a query string for YaBB to call a database as it will fail every time  Roll Eyes@ them lol
 
YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
WWW xnoddyx xnoddyx1  
IP Logged  
 Reply #8 - Jul 4th, 2013 at 11:55am
There are no actions to perform.  

RonS2 
Full Member
Beta Testers
***
Offline
Posts: 446


YaBB 2.5
Re: 3000 Script Abuse emails in two minutes
xnoddyx wrote on Jul 4th, 2013 at 5:58am:
but if the same call was made on the gallery depending on the security of it they may have got a list from it has the gallery you use got a loging system ? may want to check that or the url data in your server logs for i.e.



Yes the gallery uses a login system and it looks like that string data isn't in the logs. I guess I got lucky. thanks
 
 
IP Logged  
Page Index Toggle Pages: 1
Topic Tools
 

Get Yet another Bulletin Board at SourceForge.net. Fast, secure and Free Open Source software downloads Support This Project BoardMod - YaBB features and templates YaBB Codex - support on installation and usage YaBB Toolbar for your browser

YaBB Facebook Group Page

Vulnerability Scanner

Valid RSS Valid XHTML Valid CSS Powered by Perl
YaBB Chat and Support Community » Powered by YaBB 3.0 Beta!
YaBB Forum Software © 2000-2011. All Rights Reserved.