Security Attacks!

I installed the new D7 RC3 release and am now receiving many emails about attacks. Here is the email I received.

Total impact: 36
Affected tags: xss, csrf, sqli, id, lfi

Variable: REQUEST.newrecord | Value: <p><a href=\"http://www.mmogcart.com/\">wow gold</a> <a href=\"http://www.mygamesale.net/\">wow gold</a> <a href=\"http://www.wowgoldbank.com/wow-gold/\">wow gold</a> tks</p>
Impact: 18 | Tags: xss, csrf, sqli, id, lfi
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: POST.newrecord | Value: <p><a href=\"http://www.mmogcart.com/\">wow gold</a> <a href=\"http://www.mygamesale.net/\">wow gold</a> <a href=\"http://www.wowgoldbank.com/wow-gold/\">wow gold</a> tks</p>
Impact: 18 | Tags: xss, csrf, sqli, id, lfi
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
You possess an intuitive intelligence so powerful it can help you heal, and relieve stress.
Quote · 14 Dec 2009

Hello LightWolf try http://www.boonex.com/unity/forums/#topic/Serious-problem-with-TinyMCE-on-join-form.htm

Jennifer Bogan .. Acc. Dip. Psychology - EMAIL: jennifer.bogan@gmail.com
Quote · 14 Dec 2009

I don't have these issues with sign-ups, as I have no members, just Admin. I also am running php5 so that does not deal with my issue either. But thanks for the heads up hon.

Quote · 15 Dec 2009

It's an actual attack that is being stopped. This is how you read the code:

Variable: REQUEST.newrecord | Value: <p><a href=\"http://www.mmogcart.com/\">wow gold</a> <a href=\"http://www.mygamesale.net/\">wow gold</a> <a href=\"http://www.wowgoldbank.com/wow-gold/\">wow gold</a> tks</p>
Impact: 18 | Tags: xss, csrf, sqli, id, lfi

The red bolded Value is the indicator of what string is causing the issue.

The bolded pink is which SQL injection caused the issue.

The blue is the actual string that caused the issue; let's look at it:

Someone is trying to make an SQL injection into your site by calling .newrecord.

What they are trying to post is a link to mmogcart.com, mygamesales.net, wowgoldbank.net all advertising to sell wow gold.

Impact: 18 is how high a security risk the attempted injected code is. You can control how high a risk you want to open yourself up to by going into Admin > Advanced Settings > Other, where you will find a line that says "Total security impact threshold to send report and block aggressor". You can set this at any number you want; the higher you set it, the more people can inject into your site.

So from your email you have a very high security threat from someone trying to place wow gold selling onto your site. Likely they made a new user and are trying to put that into their profile, from which they will spam the heck out of your users.

Conclusion: you are not having any errors, the security scripts are doing their job and preventing spam from infiltrating your site.  Good job boonex on this.

Description tells you what the system believes is happening that causes the error. If you have a number over 18, it shouldn't really be occurring on your site.

Finally, if you do not want to receive these emails, you can set the total security impact to a low number to prevent the injection of code, and to stop the emails from coming you can set "Total security impact threshold to send report" to a very high number. Now you will stop the attacks and won't get a ton of emails, but that isn't smart IMHO because you will not know what's going on with your site and possible attacks.

So read your attack emails; it's not just an error, and I believe the system is in a good spot in that it is doing its job more than causing a headache for legitimate users.

Quote · 15 Dec 2009

I don't have any users, this is a demo site with just the admin. It is also set to invite only. Only thing I have done to site is try to retrieve through the data migrate from my D6 site. Also I never said anything about errors, I know this is a security attack email.

Quote · 16 Dec 2009

Hello Lightwolf,

Me too, I get the same. This is what I found! If you use the embed function in videos, say a video from YouTube, you will get these crazy e-mails. Also I had this happen from uploading a PDF file from my own computer desktop. I don't think it is possibly dangerous at the moment, but something to keep an eye on.

I am running RC3 also. If you are using a desktop mail client, go to YouTube and get a link for embedding a video and then check your e-mail after a few minutes from the upload.

Luck.

Quote · 19 Dec 2009

Thanks for the response, all of you, but I have not even done anything but install the zip, put in my RMS in Flash apps, and try to retrieve data through the data migration tool in the admin section from my live D6 site..lol Nothing was added, nothing was typed, nothing was downloaded..lol

Quote · 19 Dec 2009

Thanks for the response, all of you, but I have not even done anything but install the zip, put in my RMS in Flash apps, and try to retrieve data through the data migration tool in the admin section from my live D6 site..lol Nothing was added, nothing was typed, nothing was downloaded..lol

You are still going to have to adjust the attack level thing; the setting is just way too low for the site to function. I got this attack message on the browser and an email when I tried to change a user's password. It seems any manipulation of or interaction with the site will make it think it's being attacked.

Raise the threshold:

--> administration

--> settings --> advanced settings --> other | drop down --> there are two settings one is set to 9

make adjustments until the site is functional for you.

thank mrp for that information

Regards,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
Quote · 19 Dec 2009

Sites are more likely to get these attack messages when they are new.   I wouldn't change the default settings.  Once you start modifying your site - getting rid of the Dolphin and Boonex verbiage, it will attract less vermin, and the attack messages will subside.

Quote · 19 Dec 2009

@caltrade,

There was no choice for me not to change the settings, because I was not able to change a user's password; it would flag that as an attack if I tried to change the password.

adjusted the setting, and all was well.

Sites are more likely to get these attack messages when they are new.   I wouldn't change the default settings.  Once you start modifying your site - getting rid of the Dolphin and Boonex verbiage, it will attract less vermin, and the attack messages will subside.

Regards,

DosDawg

Quote · 19 Dec 2009

Thanks for the response, all of you, but I have not even done anything but install the zip, put in my RMS in Flash apps, and try to retrieve data through the data migration tool in the admin section from my live D6 site..lol Nothing was added, nothing was typed, nothing was downloaded..lol

I would do a search for those urls in your version 6 website then, maybe it got dragged over from 6 (which didn't have security testing) during your data migration.

Quote · 19 Dec 2009

I was thinking it may be the data migration myself. Thanks DosDawg for the info. I am going to wait for the next release and see if things change. Every install I have used has had these attacks, so maybe they will fix this irritating bug before final release.

Quote · 20 Dec 2009

Block the entire country of China, and the majority of sql injection attempts will go away.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 20 Dec 2009

I don't think the issue is due to data migration. I installed D7RC3 fresh on my dedicated server and I am also getting lots of emails with those error messages -

Total impact: 36
Affected tags: xss, csrf, sqli, id, lfi

Variable: REQUEST.newrecord | Value: <p>hello find <a href=\"http://www.mmogcart.com/cheap-wow-powerleveling/\">Wow Power Leveling</a> click here <a href=\"http://www.powerleveling-wow.com/siteMap.asp\">Wow Power Leveling</a> tks</p>

Without changing the default security setting level, is there any way to avoid the attack?

Thanks

Mick

Quote · 20 Dec 2009

Every site will get these errors from all of the spiders and bots that are on the net now. I have just been putting a deny for all of the addresses in the .htaccess. I can send what I have compiled to anyone who would like it. The IP blocker function inside of Dolphin will only keep those IP addresses from logging into the site. A deny rule will keep them from scanning or doing anything. I was losing a lot of bandwidth from spiders that scanned the mp3's that users uploaded. I am hoping that AntonLV will update his access management system to D7 soon. Much easier to add a massive amount of addresses into a database to block users.

I love this new security feature.  Now you do not have to sit and scan your logs to figure out what is going on with your site.

FuGuM

Quote · 20 Dec 2009

Hey DosDawg I did what you said and lowered the 9 to a 5 and still get emails about attacks. I have now lowered it to 1 and am waiting for emails to see if this works.

Quote · 23 Dec 2009

LightWolf, every time you upgrade you will receive attack messages. I do too. It's because the site is re-inserting, reconfiguring, and so on, so it's normal to receive these emails during an upgrade. Your first post was of actual spammers trying to utilize an old exploit in the guestbook.php file that no longer exists in D7 (I get those from WowGold all the freakin' time).

If you are not wanting to receive these emails at all, you can do one of two things:

1 - Set your impact limits to send emails to something like 40 (using the first attack email as example)

2 - You can disable PHPIDS all together by putting a -1 in the impact levels and you will never see them again. However, you will never see if you got a real attack either :)

Chris

Nothing to see here
Quote · 23 Dec 2009
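The post explaining how to read the report (Variable / Value / Impact / Tags / ID lines) and the post above on the impact thresholds (raise the number to get fewer e-mails, -1 to switch PHPIDS off) describe the same mechanism from two sides. The Python below is an added example written for this page; it is not code from the thread or from Dolphin. It parses a report constructed from the one quoted in this thread, shows that "Total impact: 36" is the same 18-point payload counted once under REQUEST and once under POST, pulls the advertised hosts out of the value so they can be blocked or grepped for in a migrated D6 database, and models the two threshold settings. The threshold model (at-or-above triggers the action, -1 means off) and the sample report are assumptions taken only from the thread's description, not from Dolphin's source.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the PHPIDS e-mails quoted in this thread (not a captured e-mail).
# The report escapes quotes inside the value as \" ; the raw string keeps that exactly as shown.
SAMPLE_REPORT = r"""Total impact: 36
Affected tags: xss, csrf, sqli, id, lfi

Variable: REQUEST.newrecord | Value: <p><a href=\"http://www.mmogcart.com/\">wow gold</a> <a href=\"http://www.wowgoldbank.com/wow-gold/\">wow gold</a> tks</p>
Impact: 18 | Tags: xss, csrf, sqli, id, lfi
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: POST.newrecord | Value: <p><a href=\"http://www.mmogcart.com/\">wow gold</a> <a href=\"http://www.wowgoldbank.com/wow-gold/\">wow gold</a> tks</p>
Impact: 18 | Tags: xss, csrf, sqli, id, lfi
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
"""

DISABLED = -1  # the thread says -1 in an impact setting switches PHPIDS off (assumption, modelled not verified)


@dataclass
class Hit:
    variable: str                 # superglobal.parameter, e.g. "REQUEST.newrecord"
    value: str                    # offending string with the report's \" escaping undone
    impact: int = 0               # PHPIDS impact for this one variable
    tags: list = field(default_factory=list)
    filter_ids: list = field(default_factory=list)   # IDs of the PHPIDS filter rules that fired


@dataclass
class Report:
    total_impact: int = 0
    affected_tags: list = field(default_factory=list)
    hits: list = field(default_factory=list)


def _tags(s):
    return [t.strip() for t in s.split(",") if t.strip()]


def parse_report(text):
    """Parse the plain-text PHPIDS report into a Report with one Hit per flagged variable."""
    report, current = Report(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Total impact:"):
            report.total_impact = int(line.split(":", 1)[1])
        elif line.startswith("Affected tags:"):
            report.affected_tags = _tags(line.split(":", 1)[1])
        elif line.startswith("Variable:"):
            var, _, value = line[len("Variable:"):].partition("| Value:")
            current = Hit(var.strip(), value.strip().replace('\\"', '"'))
            report.hits.append(current)
        elif line.startswith("Impact:") and current is not None:
            impact, _, tags = line[len("Impact:"):].partition("| Tags:")
            current.impact, current.tags = int(impact), _tags(tags)
        elif line.startswith("Description:") and current is not None:
            m = re.search(r"\| ID: (\d+)$", line)
            if m:
                current.filter_ids.append(int(m.group(1)))
    return report


def distinct_payloads(report):
    """Group hits by value. PHPIDS scans REQUEST as well as POST/GET, so one submitted
    parameter is listed twice and its impact is doubled in 'Total impact' (18 + 18 = 36)."""
    groups = {}
    for h in report.hits:
        groups.setdefault(h.value, []).append(h.variable)
    return groups


def extract_domains(value):
    """Hosts linked from the payload, in order, deduplicated: what you would block or grep for."""
    seen = []
    for host in re.findall(r'https?://([^/"\'\s>]+)', value):
        if host not in seen:
            seen.append(host)
    return seen


def decide(total_impact, report_threshold, block_threshold):
    """Model of the two 'Total security impact threshold' settings as the thread describes them.
    Assumption: an event at or above a threshold triggers that action; -1 turns the action off.
    Returns the set of actions taken for this report."""
    actions = set()
    if report_threshold != DISABLED and total_impact >= report_threshold:
        actions.add("report")
    if block_threshold != DISABLED and total_impact >= block_threshold:
        actions.add("block")
    return actions


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(r.total_impact, distinct_payloads(r))
    print(extract_domains(r.hits[0].value))
    for thresholds in ((9, 9), (40, 9), (1, 1), (DISABLED, DISABLED)):
        print(thresholds, decide(r.total_impact, *thresholds))
```

Running decide() against the sample's total of 36 shows why lowering the setting from 9 to 5 to 1, as tried earlier in the thread, can only produce more reports, never fewer: the number is a floor, not a ceiling. A report threshold of 40 with the block threshold left at 9 keeps the payload blocked while suppressing the e-mail for this event, and -1 in both settings gives no action at all, which is the "never see them again" case.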

As zarcon said, you can use -1 to disable.

But you want to go UP with the numbers. Not down.



https://www.deanbassett.com
Quote · 23 Dec 2009

Ouch! After just upgrading to 7.0.0, I had no idea that spammers were so insanely crazy about attacking a site with ZERO users and ZERO messages :) I just got, mmmh, 2500 or so "security attack reports" during the night, when nobody was using the site. All that I've seen (I've just seen a sample) were actually legitimate attacks, i.e. they were indeed code injections, not "database installs", not spiders/crawlers, nor anything of the kind...

I definitely hope this goes away after a while, because this is a nightmare in terms of wasted bandwidth! (Yes, I've raised that threshold — thanks so much for the tip! — and hopefully this will at least keep my mailbox manageable)

But thanks to BoonEx for dealing with the issue!

Quote · 27 Dec 2009

It's not going away, I am still getting a lot of emails with these URL - href=\"http://www.mmogcart.com/cheap-wow-powerleveling

Is there some way to block that script that contains that URL????

Thank

Quote · 3 Jan 2010