So I get 'Possible security attack!!! All data has been collected and sent to the site owner for analysis.' message again.
Everything was working fine after I updated from RC to RC2. However, after a few days of meddling with it, I started getting the above message. Since most of the messages on the forums about this was before the RC update, I figured that I didnt update properly, so I decided just to scrap and do a completely new install, and then just do a restore of the content.
To my demise, even though it started off working fine again, the message came back, and is now blocking me from doing really any admin changes.
Did I go wrong anywhere, or is this a problem more people are having?
Would greatly appreciate any insight.
Alex
|
Edit: Seems to be actually only editing articles. News etc....and even adding new articles seems to be working fine. |
What are you editing/posting to cause the attacks. By default, the "block user" is set to 27. Unless you are putting in URLs and Smileys you shouldnt be getting blocked. Can you post one of the emails from the attack that blocked you?
Chris
Nothing to see here |
Will post the email in a separate msg. But why would I not be able to post a url in an article?? That would just be very stupid, since we would make references to other sites etc. in the articles. Smileys I can always do without:)
|
Variable: REQUEST.content | Value: <p>While your personal credit will definitely play a part in the due diligence of potential investors, it may not be the anchor you believe it to be. When most banks and private financiers look at your credit rating, the primary fact that they will look to establish, is your respect for credit. If you have been late in paying a few credit cards because you have been funding your business through them, most will not view this as a big negative item. This may be less true when you are dealing with a traditional bank, who lend more credence to the actual credit score, while spending less time analyzing your actual credit history.</p>
<p>&nbsp;</p>
<p>The most important part in regards to your credit when you are applying for funding, is to be up front with your potential financial partner with the reason for your bad credit history. Leaving it to guesswork will always end up with them making the worst assumptions. Also, if you are not up front with them, it will count against you when they make their decision.</p>
<p>&nbsp;</p>
<p>Even though that I mentioned above that your credit score is not the proverbial \'nail in the coffin\', having a good credit score will still count as a positive. In fact, it will also most likely give you several more options when it comes to finding the right funding for your business!</p>
<p>&nbsp;</p>
<p>There are several ways to improve your personal credit score. Some of these are: 123</p>
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Variable: POST.content | Value: <p>While your personal credit will definitely play a part in the due diligence of potential investors, it may not be the anchor you believe it to be. When most banks and private financiers look at your credit rating, the primary fact that they will look to establish, is your respect for credit. If you have been late in paying a few credit cards because you have been funding your business through them, most will not view this as a big negative item. This may be less true when you are dealing with a traditional bank, who lend more credence to the actual credit score, while spending less time analyzing your actual credit history.</p>
<p>&nbsp;</p>
<p>The most important part in regards to your credit when you are applying for funding, is to be up front with your potential financial partner with the reason for your bad credit history. Leaving it to guesswork will always end up with them making the worst assumptions. Also, if you are not up front with them, it will count against you when they make their decision.</p>
<p>&nbsp;</p>
<p>Even though that I mentioned above that your credit score is not the proverbial \'nail in the coffin\', having a good credit score will still count as a positive. In fact, it will also most likely give you several more options when it comes to finding the right funding for your business!</p>
<p>&nbsp;</p>
<p>There are several ways to improve your personal credit score. Some of these are: 123</p>
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
REMOTE_ADDR: XX.XX.XX.XX
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /home/mysite/public_html/
modules/index.php
QUERY_STRING: r=articles/admin/
REQUEST_URI: /m/articles/admin/
QUERY_STRING: r=articles/admin/
SCRIPT_NAME: /modules/index.php
PHP_SELF: /modules/index.php
|
EDIT: I should have included at the top - This error comes up when trying to edit Articles or News under the admin- modules.
Still shows up even after increasing the values under Advanced Setting-Other.
|
The problem it is finding is:
Description: finds html breaking injections including whitespace attacks
This means it has detected too many spaces (hitting the space bar or the enter key too many times) in the post. What was the total impact of the email? From what is listed below, I show a total impact of 8. This should be listed at the cery top of the email you received.
Chris
Nothing to see here |
Thank you for getting back to me. Much appreciated!
Total impact on that email was:
Total impact: 8
Affected tags: xss, csrf
On a few other posts I tried I got:
Total impact: 58
Affected tags: xss, csrf, id, rfe, sqli, lfi
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
Description: Detects JavaScript object properties and methods | Tags: xss, csrf, id, rfe | ID: 17
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects common comment types | Tags: xss, csrf, id | ID: 35
Description: Detects comments to exploit firefox' faulty rendering and proprietary opera attacks | Tags: xss, csrf, id | ID: 36
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
__________
I guess after RC2, they have made the 'attack' filter more anal if you will:) Does Boonex list the impact criteria for posting articles/news somewhere?
|
Yeah the filter is a bit sensitive hehe.. But I think its good to be in place. Since I have added things like HTML blocks, I boosted my total impact for emails to be sent to 13, instead of 9. That way I would get an email everytime someone visited that page or I hit refresh.
I kept the total impact of "blocking the user" at 27. This has helped me keep a few spammers away that love goofing around with the guestbook.php file.
Hitting a total impact of 58 is quite a achievement. Im not sure what all that consisted of without looking at the post.
I have not seen any "cans" and "cant do's" regarding the new PHPIDS filters yet. But it does seem to not play well with smileys and hyperlinks. Smiley will give a nice impact level too.
Chris
Nothing to see here |
Since I have added things like HTML blocks, I boosted my total impact for emails to be sent to 13, instead of 9. That way I would get an email everytime someone visited that page or I hit refresh.
Chris
Chris, how do you do this? I get so many possible attack messages that I seldom have time to even look at them, much less try to understand them. With RC2, my htmlTextArea fields on my join form no longer works at all, which has made my site more or less useless until I figure out a fix.
Rob
|
Hey Rob,
Just login to your Admin Panel > Settings> Advanced Settings> Other. You will see the settings about 3/4 of the way down. By default the "send email" is set to 9 and the "block user" is set to 27. You can change these settings to whatever you want, but I would suggest bumping to high and not protect from actual attacks.
Send email = 13
Block User = 27
These settings above seem to work fine for me.
Chris
Nothing to see here |
I think it also has something to do with that I copied and pasted text. Maybe there was some hidden that made the article get higher impact. The url part is something that I will have to get a way around though, since articles will have hyperlinks. Smileys I can be without:)
I will just try to see how much I can push it, since at one point it seemed like it didnt want to accept anything. Seems a bit better now (though it should matter from one point in time to another)
Thank you for the explanation. It definitely helps understand the whole attack message system a bit better.
|
I think it also has something to do with that I copied and pasted text. Maybe there was some hidden that made the article get higher impact. The url part is something that I will have to get a way around though, since articles will have hyperlinks. Smileys I can be without:)
I will just try to see how much I can push it, since at one point it seemed like it didnt want to accept anything. Seems a bit better now (though it should matter from one point in time to another)
Thank you for the explanation. It definitely helps understand the whole attack message system a bit better.
Hi,
I started getting these when I try to add RSS feed urls on a profile page. If they are long strings. they cause a white browser page with attack message and then the possible attack email. I tried with a shorter RSS url, and it worked .. for now.. I also seem to get a bucket load of possible attack messages for doing all sorts of things. none make any sense: here is an example of a batch of 20 emails I got:
Total impact: 10
Affected tags: dt, id, lfi
Variable: REQUEST.Link | Value: modules/?r=board/home/|
modules/?r=board/|modules/?r=photos/browse/category/Board|m/photos/browse/category/Board
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11
Variable: POST.Link | Value: modules/?r=board/home/|modules/?r=board/|modules/?r=photos/browse/category/Board|m/photos/browse/category/Board
Impact: 5 | Tags: dt, id, lfi
Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11
|
I just tried to add a blog post and got the message "Possible security attack!!! All data has been collected and sent to the site owner for analysis".
So far, every other area that I've had possible attack problems with has checked out.
|
Is everyone that is having this problem running RC2 ? Nothing to see here |
|
So you are just getting an email, not blocked correct?
It looks like there is a link in your post:
Value: modules/?r=board/home/|modules/?r=board/|modules/?r=photos/browse/category/Board|m/photos/browse/category/Board
This filter can be a bit "touchy". Just go into Admin Panel > Settings> Advanced Settings>Other and change the total impact to send email to something like 13 instead of 9.
The total impact shown in your message is 10, so everytime some visits that page or you refresh it, it will send an email.
Chris
Nothing to see here |
Running RC2 as well.....
Seems like it really doesnt like white space. Got impact of 16 with the only problem is white space.
|
Nope, doesnt play well with whitespace or smileys :) Nothing to see here |
I'm wondering, is it actually safe to change the numbers under Settings -> Advanced Settings -> Other -> Total Security Impact Threshold to larger numbers? Mine were at 9 and 27. |
I have just finally got to install rc1 not got to 2 yet. As soon as the install was complete without editing anything I am getting "possible security attack" every 2-3 minutes. I dont quite understand how this can be, but mu inbox is now up to 601 emails?!
They seem to be from 2 particular sites: virb.com and platlist.com I dont want to paste the txt here are is is very pornographic and will offend.... but here are the first few lines. can anyone help? Is this actually an attack on the site. My last site was compromised/hacked and I dont want to got hrough the same thing again....
Total impact: 24
Affected tags: xss, csrf
Variable: REQUEST.newrecord | Value: comment3, <a href="http://virb.com/groups/adultsitesshowinglesbianfemalesvideos34601/discuss/topic/135912">female fighting customs videos</a>, 3822, <a href="http://virb.com/groups/8thstreetlatinapreviewvideo39593/discuss/topic/135544">hawaiian amatuer video</a>, dasq, <a
and then at the end is:
Impact: 26 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID: 25
Description: Detects possible event handlers | Tags: xss, csrf | ID: 32
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33 Centrifuge detection data Threshold: --- Ratio: --- Converted: ((++:
REMOTE_ADDR: 89.149.242.25
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /home/sites/carersupport.co.uk/public_html/profile.php
QUERY_STRING: ID=guestbook.php&owner=3
REQUEST_URI: /guestbook.php?owner=3
QUERY_STRING: ID=guestbook.php&owner=3
SCRIPT_NAME: /profile.php
PHP_SELF: /profile.php
|
I had to remove my test site because I got several attacks with know virus txt files.
So to your question now, to me it looks for a serious attack, remove the Guestbook.php or rename it to something other. Kids first |
Nope, doesnt play well with whitespace or smileys :)
The possible attack problem occurs when one pastes in text.
The problem seems to be : It does not recognise the characters being entered and seems to think the whole pasted text string is whitespace is my guess.
I tried adding a url (http://www.okmedicalboard.org/display.php?content=md_search_advanced:md_search_advanced) in the URL box for adding a new site and got the whitescreen/attack message etc
Cant do much til this is fixed. Using RC1 version
|
