RC2 more Attacks!

So I tried RC2 thinking that the security attack thing had probably been fixed, since my site didn't lock down with that crazy attack message since the install, which is great. However, I went to check my inbox a few days later and found close to a thousand emails sitting there stating "possible attack"!! I simply have the base install with my imported users; I haven't touched a thing except the custom profile fields.

A possible solution, rather than having to manually comment out the code on each install, would be to give the option in the administration panel to disable this crazy security feature.

Quote · 2 Dec 2009

Those emails contain a number at the top, like "Total Impact: 12" or something like that.

Go to Settings > Advanced Settings > Other and raise the "total impact to send email" value from 9 to maybe 13.

Chris

Nothing to see here
Quote · 2 Dec 2009

Thank you Chris!

Quote · 2 Dec 2009

You're welcome :)

Chris

Nothing to see here
Quote · 2 Dec 2009

Those emails contain a number at the top, like "Total Impact: 12" or something like that.

Go to Settings > Advanced Settings > Other and raise the "total impact to send email" value from 9 to maybe 13.

Chris

The total impact I am getting on hundreds of emails, still coming through, is 52.

Shall I set the impact higher than that, or am I asking for a breach in my security by doing this?

I can't seem to block the IP (I have 3 addresses identified as causing the problem) as there appears to be a problem with the date setting every time I try.

Any advice would be really helpful.

Many thanks

Quote · 2 Dec 2009

Can you post one of the attack emails so I can see it? 52 is kind of high, so I wouldn't suggest it yet until we can determine what is causing the issue.

Chris

Nothing to see here
Quote · 2 Dec 2009

Thanks Zarcon, I have copied it below. Warning: some of the detail is pornographic!!!!

Many thanks. I have configured the whole site, and if possible don't want to have to reinstall...
Total impact: 52

Affected tags: xss, csrf, id, rfe

 

Variable: REQUEST.newrecord | Value: comment4, <a href="http://www.playlist.com/blog/entry/12469617923">gay clips gay videos older men</a>,  %-]], <a href="http://www.playlist.com/blog/entry/12469677059">gay hand jobs clips</a>,  54842, <a href="http://www.playlist.com/blog/entry/12469570051">gay bear free video clips</a>,  1068, <a href="http://www.playlist.com/blog/entry/12469614595">gay clips best quality</a>,  cnqi, <a href="http://www.playlist.com/blog/entry/12469668867">gay gangster porn clips</a>,  =-[[, <a href="http://www.playlist.com/blog/entry/12469681923">gay home vid clips</a>,  =OO, <a href="http://www.playlist.com/blog/entry/12469574915">gay bisexual video porn clips creampie</a>,  5400, <a href="http://www.playlist.com/blog/entry/12469593091">gay boy sex free sample clips</a>,  =(((, <a href="http://www.playlist.com/blog/entry/12469620227">gay clips tgp</a>,  witz, <a href="http://www.playlist.com/blog/entry/12469658371">gay free clips frat</a>,  00051, <a href="http://www.playlist.com/blog/entry/12469675523">gay gym buddies free clips</a>,  kvv, <a href="http://www.playlist.com/blog/entry/12469583107">gay blond clips</a>,  wlwqt, <a href="http://www.playlist.com/blog/entry/12469662211">gay free porn clips</a>,  olan, <a href="http://www.playlist.com/blog/entry/12469667587">gay fucking porn clips</a>,  >:-(((,

Impact: 26 | Tags: xss, csrf, id, rfe

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID: 25

Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31

Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33

 

Variable: POST.newrecord | Value: comment4, <a href="http://www.playlist.com/blog/entry/12469617923">gay clips gay videos older men</a>,  %-]], <a href="http://www.playlist.com/blog/entry/12469677059">gay hand jobs clips</a>,  54842, <a href="http://www.playlist.com/blog/entry/12469570051">gay bear free video clips</a>,  1068, <a href="http://www.playlist.com/blog/entry/12469614595">gay clips best quality</a>,  cnqi, <a href="http://www.playlist.com/blog/entry/12469668867">gay gangster porn clips</a>,  =-[[, <a href="http://www.playlist.com/blog/entry/12469681923">gay home vid clips</a>,  =OO, <a href="http://www.playlist.com/blog/entry/12469574915">gay bisexual video porn clips creampie</a>,  5400, <a href="http://www.playlist.com/blog/entry/12469593091">gay boy sex free sample clips</a>,  =(((, <a href="http://www.playlist.com/blog/entry/12469620227">gay clips tgp</a>,  witz, <a href="http://www.playlist.com/blog/entry/12469658371">gay free clips frat</a>,  00051, <a href="http://www.playlist.com/blog/entry/12469675523">gay gym buddies free clips</a>,  kvv, <a href="http://www.playlist.com/blog/entry/12469583107">gay blond clips</a>,  wlwqt, <a href="http://www.playlist.com/blog/entry/12469662211">gay free porn clips</a>,  olan, <a href="http://www.playlist.com/blog/entry/12469667587">gay fucking porn clips</a>,  >:-(((,

Impact: 26 | Tags: xss, csrf, id, rfe

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID: 25

Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31

Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33

Centrifuge detection data

Threshold: ---

Ratio: ---

Converted: (((++:

REMOTE_ADDR: 89.149.242.25

HTTP_X_FORWARDED_FOR:

HTTP_CLIENT_IP:

SCRIPT_FILENAME: /home/sites/carersupport.co.uk/public_html/profile.php

QUERY_STRING: ID=guestbook.php&owner=3

REQUEST_URI: /guestbook.php?owner=3

QUERY_STRING: ID=guestbook.php&owner=3

SCRIPT_NAME: /profile.php

PHP_SELF: /profile.php

Quote · 2 Dec 2009

I have googled the IP addresses that show in the emails and they tend to be slight variations of each other, with only the last 2/3 digits changing.

Google highlighted lots of sites that show this as a known spamming IP... possibly coming out of Germany.

If I could block the IP that would help.

Quote · 2 Dec 2009

That's definitely a spammer using an old exploit with guestbook.php, which doesn't even exist in D7. hehe. I would try to ban the series of IPs. For example, if the IP address was 127.0.0.1 (please do not ban that one.. lol)

You could ban from 127.0.0.1 to 127.0.0.254

Just using that as an example.

Chris

Nothing to see here
Quote · 2 Dec 2009
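The alert mail quoted above and Chris's "ban the series of IPs" suggestion, as an added example that is not part of the original thread and is not Dolphin's or PHPIDS's own code. The mail has the layout of a PHPIDS report (total impact, affected tags, one "Variable / Impact / Description" group per hit, then the server variables). The block below parses such a report, models the "total impact to send email" threshold as "mail when total impact exceeds the setting" (an assumption about the exact comparison Dolphin uses), turns a first-to-last address range into the CIDR blocks most firewall and blacklist tools accept, and triages an alert from those pieces. It is written in Python rather than PHP so it can be run outside a Dolphin install; the sample report is constructed to mirror the quoted mail (spam payload shortened, hostname replaced). Only REMOTE_ADDR is used as the source address: HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are request headers the sender controls and must never drive a ban decision.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the PHPIDS alert mail quoted in the thread.
# Not a captured mail: the spam links are shortened and the site name replaced.
SAMPLE_ALERT = """\
Total impact: 52

Affected tags: xss, csrf, id, rfe

Variable: REQUEST.newrecord | Value: comment4, <a href="http://example.invalid/1">spam</a>,  %-]], <a href="http://example.invalid/2">spam</a>,  =-[[
Impact: 26 | Tags: xss, csrf, id, rfe
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31

Variable: POST.newrecord | Value: comment4, <a href="http://example.invalid/1">spam</a>,  %-]], <a href="http://example.invalid/2">spam</a>,  =-[[
Impact: 26 | Tags: xss, csrf, id, rfe
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31

REMOTE_ADDR: 89.149.242.25
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /home/sites/example.invalid/public_html/profile.php
QUERY_STRING: ID=guestbook.php&owner=3
REQUEST_URI: /guestbook.php?owner=3
SCRIPT_NAME: /profile.php
PHP_SELF: /profile.php
"""


@dataclass
class Hit:
    variable: str                 # e.g. REQUEST.newrecord
    impact: int                   # impact score of this one variable
    rule_ids: list = field(default_factory=list)   # matched filter IDs


@dataclass
class IdsAlert:
    total_impact: int
    tags: list
    remote_addr: str
    request_uri: str
    hits: list


def parse_alert(text):
    """Line-oriented parse of a PHPIDS-style report mail into an IdsAlert."""
    fields = {}
    hits = []
    current = None
    for line in text.splitlines():
        if line.startswith("Variable: "):
            name = line[len("Variable: "):].split(" | Value:", 1)[0].strip()
            current = Hit(variable=name, impact=0)
            hits.append(current)
        elif line.startswith("Impact: ") and current is not None:
            current.impact = int(line.split("|", 1)[0].split(":", 1)[1])
        elif line.startswith("Description: ") and current is not None:
            m = re.search(r"\bID:\s*(\d+)", line)
            if m:
                current.rule_ids.append(int(m.group(1)))
        elif ":" in line:
            key, _, value = line.partition(":")
            fields.setdefault(key.strip(), value.strip())   # first QUERY_STRING wins
    return IdsAlert(
        total_impact=int(fields["Total impact"]),
        tags=[t.strip() for t in fields["Affected tags"].split(",")],
        # REMOTE_ADDR is the TCP peer. X-Forwarded-For / Client-IP are sent by
        # the client and are therefore not trusted for banning.
        remote_addr=fields["REMOTE_ADDR"],
        request_uri=fields["REQUEST_URI"],
        hits=hits,
    )


def mails_for(alert, threshold):
    """Assumed semantics of Dolphin's 'total impact to send email' setting:
    a mail goes out when the report's total impact exceeds the value."""
    return alert.total_impact > threshold


def ban_range(start, end):
    """'Ban from start to end' expressed as CIDR blocks (strings)."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(start),
                                             ipaddress.ip_address(end))
    return [str(n) for n in nets]


def is_banned(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def triage(alert, threshold, cidrs):
    """'suppress' if the source is already banned, 'mail' if it clears the
    threshold, 'ignore' otherwise."""
    if is_banned(alert.remote_addr, cidrs):
        return "suppress"
    return "mail" if mails_for(alert, threshold) else "ignore"


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    spam = ban_range("89.149.242.1", "89.149.242.254")
    print(alert.total_impact, alert.tags, alert.remote_addr, alert.request_uri)
    print(spam)
    print(triage(alert, 13, []), triage(alert, 13, spam))
```

Running it shows why raising the threshold is the wrong lever here: an alert of total impact 52 still mails at 13, and a threshold high enough to silence it (52 or above) would also silence anything short of a very noisy attack. Banning the source range (a /24 is the usual granularity when only the last octet varies, as described in the thread) suppresses the noise without blinding the detector.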

I have tried to do this in the admin panel under Tools > IP Blacklist.

Everything goes in OK, but then when I click on the date it defaults to an error and will not process the data.

Try it on yours just to see if you have the same problem.

I don't know how to write it in the PHP file itself, as I might do something wrong!!!

Any suggestions?

Regards

Quote · 2 Dec 2009

Sorry, but I cannot try this at work (they block my site on the corporate network). Try without changing the date for now and see if it works. If you are still having problems, then I can try when I return home.

Chris

Nothing to see here
Quote · 2 Dec 2009

LOL

Hi Zarcon. It is 8:00 PM here in the UK :) Work was done for the day a few hours ago :)

I have tried without the date and with setting any date, but it keeps coming up with an error.

I think I will be in bed when you get home from work, so I will check back in the morning (my time).

Many thanks for your help, it is really appreciated.

Quote · 2 Dec 2009
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.