Guardian reporting lots of Scripting and UNION abuse (Read 767 times)
Dandello
YaBB 2.6.0
Re: Guardian reporting lots of Scripting and UNION abuse
Reply #3 - Aug 7th, 2013 at 11:02pm
One thing to remember - Union warnings are part of Guardian but YaBB doesn't use MySQL (unless you're running 3.0) so Union and Clike warnings mean nothing to YaBB.

Another thing the spammers like doing is 'social engineered "Guardian warnings"' where it looks like there's a warning from Guardian that something like Captcha is messed up. Only, Guardian doesn't even look at those things - it's part of the spam text Guardian has detected as bad stuff and is warning you about.
  

If you only have one solution to a problem you're not trying hard enough!
Jerry Krinock
YaBB 2.6.0
Re: Guardian reporting lots of Scripting and UNION abuse
Reply #2 - Aug 7th, 2013 at 12:48am
Thank you, Bill.  The two suspicious files, PHP scripts, did look malicious, but they have a file modification date of 2010, and I vaguely remember seeing the nefarious directory that they were in for quite some time.  So I think these two files were not a result of today's attack.
  
Bill Myers
YaBB 2.4
Re: Guardian reporting lots of Scripting and UNION abuse
Reply #1 - Aug 7th, 2013 at 12:26am
Jerry Krinock wrote on Aug 6th, 2013 at 11:25pm:
Do other YaBB users get these reports very often?

I get what you're getting all the time, and every once in a while in very large numbers in a very short period of time. Sometimes I'll temporarily turn off my email notification about it.

On a related matter today so far in the last 2 1/2 hours, I've had 500 error messages, mostly about spam-bots that have been stopped cold from registering in our 2.4 forum (I've set the limit to 500 at a time).

As you might guess, many of those error messages are produced because of just a handful of IP addresses. However, our forum is so good at stopping spam-bots cold, I don't even bother blocking IP addresses. It's cleaner that way.

But like you mentioned, this shows how well YaBB fends off those attacks.

  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
Jerry Krinock
YaBB 2.6.0
Guardian reporting lots of Scripting and UNION abuse
Aug 6th, 2013 at 11:25pm
Hi,

I have a YaBB 2.4 Forum.  I usually get several messages from my forum's robot every day with subject The Guardian-(Macs & Bookmarks): Scripting Abuse Detected!   They've been coming more frequently lately.  Yesterday, and again today, I got 35 such messages within a few minutes.  Today, this was followed, in a 15-minute period, by 258 messages with subject The Guardian-(Macs & Bookmarks): UNION Abuse Detected!

My forum, and my whole site, still seem to be working fine.  My web host has scanned half of my site so far and found two "suspicious" files.

As you can see from a sample of the messages below, it looks like someone is trying to inject code.  Is there anything more I should be doing, other than bragging smugly about how well YaBB and The Guardian are fending off these attacks?  Do other YaBB users get these reports very often?

Thanks,

Jerry

-------------------------------------------------------------------------


Scripting Abuse Detected! on  6, 2013  1:33pm

Abusing user ID (Real Name): Guest -> ()
Abuse detected from IP: 72.52.91.30
Blocked script in Url data: printnum=1235607039' or 1=convert(int,chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)|
|chr(95)||chr(104)||chr(118)||chr(106)||chr(95)||chr(105)||chr(110)||chr(106)||c
hr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110))--

Abusing user ID (Real Name): Guest -> ()
Abuse detected from IP: 166.70.207.2

Blocked script in Url data: printnum=1235607039' and if(1=1,benchmark(28906800,md5(0x41)),0) and 'x'='x

-------------------------------------------------------------------------

Scripting Abuse Detected! on  6, 2013  1:33pm

Abusing user ID (Real Name): Guest -> ()
Abuse detected from IP: 72.52.91.30
Blocked script in Url data: printnum=1235607039' or 1=convert(int,chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)|
|chr(95)||chr(104)||chr(118)||chr(106)||chr(95)||chr(105)||chr(110)||chr(106)||c
hr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110))--

-------------------------------------------------------------------------


UNION Abuse Detected! on  6, 2013  1:32pm

Abusing user ID (Real Name): Guest -> ()
Abuse detected from IP: 96.44.189.98
Environment string: action=999999.9%27%20union%20all%20select%200x31303235343830303536%2C0x313032353
43830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830
303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x3130323534383030353
6%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0
x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x3130
3235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x313032353
43830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830
303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x3130323534383030353
6%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0
x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x3130
3235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x


  
IP Logged
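
A triage sketch for alert floods like the one quoted above, added here as an example and not part of any post in the thread or of YaBB/Guardian: it rejoins mail-wrapped payload lines, URL-decodes them, and counts alerts per source IP and probe family. The sample text is constructed (shortened payloads, documentation-range IPs), and the family labels are hypothetical names, not Guardian's own categories.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the alert format quoted in the thread (payloads shortened,
# documentation-range IPs). Two payloads are mail-wrapped across lines on purpose.
SAMPLE = """\
Scripting Abuse Detected! on  6, 2013  1:33pm
Abuse detected from IP: 192.0.2.10
Blocked script in Url data: printnum=1' or 1=convert(int,chr(114)||chr(51)|
|chr(100))--

Abuse detected from IP: 198.51.100.7

Blocked script in Url data: printnum=1' and if(1=1,benchmark(100,md5(0x41)),0) and 'x'='x

UNION Abuse Detected! on  6, 2013  1:32pm
Abuse detected from IP: 192.0.2.10
Environment string: action=9.9%27%20union%20all%20select%200x31%2C0x3
1%20and%20%27x%27%3D%27x
"""

IP_RE = re.compile(r"Abuse detected from IP:\s*(\S+)")
PAYLOAD_RE = re.compile(r"(?:Blocked script in Url data|Environment string):\s*(.*)")
# Hypothetical triage labels, not Guardian's own categories.
FAMILIES = [
    ("union-select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("time-based", re.compile(r"\b(?:benchmark|sleep)\s*\(", re.I)),
    ("cast-error", re.compile(r"\bconvert\s*\(", re.I)),
]

def parse_alerts(text):
    """Return [(ip, url-decoded payload)], rejoining mail-wrapped payload lines."""
    alerts, ip, buf = [], None, None
    for line in text.splitlines() + [""]:          # trailing "" flushes the last alert
        m_ip, m_pl = IP_RE.match(line), PAYLOAD_RE.match(line)
        if m_pl:
            buf = [m_pl.group(1)]
        elif buf is not None and line.strip() and not m_ip:
            buf.append(line.strip())               # continuation of a wrapped payload
        elif buf is not None:
            alerts.append((ip, unquote("".join(buf))))
            buf = None
        if m_ip:
            ip = m_ip.group(1)
    return alerts

def summarize(text):
    """Collapse an alert flood into counts per (source IP, probe family)."""
    def family(p):
        return next((n for n, rx in FAMILIES if rx.search(p)), "other")
    return Counter((ip, family(p)) for ip, p in parse_alerts(text))
```

Run over a saved mailbox export, `summarize()` turns hundreds of near-identical messages into a handful of rows, which makes it easier to see whether a burst is one scanner cycling through probe types or several independent sources.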
 