users getting PA on join

I am getting reports of people trying to pull up my site and getting Possible Attack errors. I have had several people join without problems. Anyone know what's happening?

Quote · 24 Nov 2009

Look at your PA emails. It is probably happening in the description box. People tend to use all types of characters in the description box, like the examples below:

!!!!!!!

????

........

Stuff like that and/or consistent spaces will cause PA attacks.

Chris

Nothing to see here
Quote · 24 Nov 2009

still happening whenever they go to the site

Quote · 24 Nov 2009

Can you post the email you received of the PA attack for us to see?

Nothing to see here
Quote · 24 Nov 2009

Total impact: 12
Affected tags: sqli, id, lfi

Variable: REQUEST.fIM_userConfig | Value: {\"enableAudio\":true,\"enableTimestamp\":false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: COOKIE.fIM_userConfig | Value: {\"enableAudio\":true,\"enableTimestamp\":false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Centrifuge detection data  Threshold: 3.49  Ratio: 2.5

REMOTE_ADDR: 72.148.124.166
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /home2/thechur3/public_html/index.php
QUERY_STRING:
REQUEST_URI: /
QUERY_STRING:
SCRIPT_NAME: /index.php
PHP_SELF: /index.php

Quote · 24 Nov 2009

Total impact: 12
Affected tags: sqli, id, lfi

Variable: REQUEST.fIM_userConfig | Value: {\"enableAudio\":true,\"enableTimestamp\":false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: COOKIE.fIM_userConfig | Value: {\"enableAudio\":true,\"enableTimestamp\":false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Centrifuge detection data  Threshold: 3.49  Ratio: 2.5

REMOTE_ADDR: 98.230.20.106
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /home2/thechur3/public_html/index.php
QUERY_STRING:
REQUEST_URI: /index.php
QUERY_STRING:
SCRIPT_NAME: /index.php
PHP_SELF: /index.php

Quote · 24 Nov 2009

When they hit join after they have put everything in, this is what they get.

"Possible security attack!!! All data has been collected and sent to the site owner for analysis."

Quote · 24 Nov 2009

With the new security updates provided earlier to get rid of false-positive errors, the user should not be getting blocked by a total impact of 12. Go into your Admin Panel > Settings > Advanced Settings > Other. In there you will see the area to adjust your impact settings for blocking members. If you have installed the new security updates, this should already be set to block the member if total impact is >25 and email is sent if >10 (I think). I have changed the email to 13, so I could add an HTML block. If you do not see these settings then go to my blog and download the fix below:

http://www.boonex.com/unity/blog/entry/Possible_Attack_Fix_All_In_One_Download

Chris

Hope this helps

Nothing to see here
Quote · 24 Nov 2009
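The alert e-mails and impact thresholds discussed in this thread, as an added example that is not part of any post or of the Dolphin code: a small parser for the report text that applies the thresholds quoted above (e-mail above 10, block above 25). The function names, the strictly-greater comparison and the embedded sample are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: scoring lines copied from the first alert e-mail in this thread.
SAMPLE_REPORT = r"""Total impact: 12
Affected tags: sqli, id, lfi

Variable: REQUEST.fIM_userConfig | Value: {\"enableAudio\":true,\"enableTimestamp\":false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Variable: COOKIE.fIM_userConfig | Value: {\"enableAudio\":true,\"enableTimestamp\":false}
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
"""

TOTAL_RE = re.compile(r"^Total impact: (\d+)")
VAR_RE = re.compile(r"^Variable: (\w+)\.(\S+) \| Value: (.*)$")
IMPACT_RE = re.compile(r"^Impact: (\d+) \|")
RULE_RE = re.compile(r"\| ID: (\d+)\s*$")

def parse_report(text):
    """Return (reported_total, hits); each hit is one flagged variable."""
    total, hits = None, []
    for line in map(str.strip, text.splitlines()):
        if m := TOTAL_RE.match(line):
            total = int(m.group(1))
        elif m := VAR_RE.match(line):
            hits.append({"scope": m.group(1), "key": m.group(2),
                         "value": m.group(3), "impact": 0, "rules": []})
        elif hits and (m := IMPACT_RE.match(line)):
            hits[-1]["impact"] = int(m.group(1))
        elif hits and line.startswith("Description:") and (m := RULE_RE.search(line)):
            hits[-1]["rules"].append(int(m.group(1)))
    return total, hits

def triage(text, email_over=10, block_over=25):
    """Apply the thresholds quoted in the thread (assumed: strictly greater than)."""
    total, hits = parse_report(text)
    summed = sum(h["impact"] for h in hits)
    total = summed if total is None else total
    action = "block" if total > block_over else "email" if total > email_over else "ignore"
    scopes = defaultdict(set)
    for h in hits:  # same key and value reported under more than one scope
        scopes[(h["key"], h["value"])].add(h["scope"])
    repeated = sorted(k for (k, _), s in scopes.items() if len(s) > 1)
    rules = sorted({r for h in hits for r in h["rules"]})
    return {"total": total, "summed": summed, "action": action,
            "repeated": repeated, "rules": rules}
```

On the sample, the whole score of 12 comes from rule 43 matching one JSON-valued cookie that is reported under both REQUEST and COOKIE, which is enough to send an e-mail but not to block at the quoted settings.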

Chris, I don't see that anywhere. I uploaded the zip file, extracted it, but still I do not see what you are describing.

Quote · 24 Nov 2009

Chris, I don't see that anywhere. I uploaded the zip file, extracted it, but still I do not see what you are describing.

Make sure you read that READMEFIRST file COMPLETELY. Once you execute those 2 SQL queries you will.

Nothing to see here
Quote · 24 Nov 2009

Unfortunately, I am very much a noob when it comes to phpMyAdmin. I have been reading the file and it is a little over my head. I would so greatly appreciate it if you could help me do this.

Quote · 24 Nov 2009

Unfortunately, I am very much a noob when it comes to phpMyAdmin. I have been reading the file and it is a little over my head. I would so greatly appreciate it if you could help me do this.

Ok, PM (email) your login info to cPanel/FTP and admin panel areas.

Nothing to see here
Quote · 24 Nov 2009

OK, I have fixed/updated your site to the new security fixes. I set your total impact levels so users can join. Also fixed your cron jobs so your video will process correctly (you had it like periodic.cron.php instead of periodic/cron.php)

Hope this helps

Chris

Nothing to see here
Quote · 24 Nov 2009

you are the MAN,

Quote · 24 Nov 2009

Were you able to successfully test it to make sure it was working? THEN you can call me the MAN !! LOL

Chris

Nothing to see here
Quote · 25 Nov 2009
 
 