Joined: Aug 30, 2005 Posts: 3186 Location: near Albany NY
Posted:
Fri May 18, 2007 7:46 am
What should be happening when anonymous tries to post is something like this:
Quote:
SQL was: SELECT MAX(post_time) AS last_post_time
FROM nuke_bbposts
WHERE poster_id =
client IP: || remote addr: 216.32.81.18.
May 16, 2007, 3:39 pm 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 1179344356, 12, 0, 0, 0)' at line 1
SQL was: INSERT INTO nuke_bbtopics (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type, topic_vote) VALUES ('Buy Propecia Real Pills', , 1179344356, 12, 0, 0, 0)
client IP: || remote addr: 216.32.81.18.
May 16, 2007, 4:59 pm 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3
I have a little "patch" into the /db/mysql.php on my production site that captures these. But try this: log out of both your normal user and admin and come into your site as anonymous. Go to Forums and try to create a post. Forums will let you all the way thru creating it but when you actually try to submit it you should see the SQL error right on the Forums screen. If you don't then you don't have the right patch level, or RN distribution running.
We really should fix forums so that anonymous doesn't even see the new topic button or have any other "opportunity" to even begin to create a post, but of course that involves mucking with the PHPBB code and risking having it overwritten the next time there is a PHPBB upgrade.
Joined: Feb 26, 2006 Posts: 337 Location: Jackson, Mississippi
Posted:
Fri May 18, 2007 1:30 pm
Coming back to this, but a little off subject. I have stripped nearly all options from anonymous in every module. Mainly for SEO/Sitemap reasons. It builds up so many link that are just unnecessary.
Joined: Aug 30, 2005 Posts: 3186 Location: near Albany NY
Posted:
Fri May 18, 2007 1:39 pm
You made me curious Floppy. Like I said, I am seeing SQL errors when anonymous tries to post in my Forums. I haven't wanted to go into Forum code and do what you've done ... taking buttons off for anonymous for instance. I hate doing things that can just get undone with the next update.
But anyway, I went into my raw access logs to see what they are doing to try to post as anonymous. Here is a typical attempt (edited to obscure the path):
Quote:
200.35.34.58 - - [18/May/2007:09:36:14 -0400] "GET /xx/modules.php?name=Forums&file=viewforum&f=12 HTTP/1.1" 200 13748 "http://xxx.org/modules.php?name=Forums&file=viewforum&f=12" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
All the efforts I am seeing are some variant of that and I am seeing a good handful each day from various IP's. I don't know if it's from a script or from someone coming on my site and trying to post. None of the posts are getting thru, they are all getting the SQL error I posted earlier. I am then banning them thru htaccess, though I have a feeling that's like putting a finger in the dike.
I've been thinking of modifying my /db/mysql.php hack to check for the string "bbpost" in the failed sql and write that IP out to htaccess. Or maybe this is an additional check that NukeSentinel should do?
Joined: Aug 30, 2005 Posts: 3186 Location: near Albany NY
Posted:
Fri May 18, 2007 2:15 pm
Well, with some hesitation since this has not been extensively tested, I will post the code I am using in mysql.php. If you decide to use it, please make a backup copy of your current code in case any problems occur. First, the code, then some notes:
Code:
function sql_query($query = '', $transaction = FALSE)
{
global $db_error_toscreen;
// Remove any pre-existing queries
unset($this->query_result);
if($query != '')
{
Note that this just replaces the function sql_query. You will also need to create a file called dblog.txt in your Nuke root directory to receive output.
I had to give it permissions of 666 to get it to work. The db_error_toscreen check is not implemented at this time and will just be bypassed. I'm leaning towards eliminating this also.
Note also that all this does is log mysql errors. It doesn't stop any hack attacks or anything else. I have been "manually" reviewing bbtopic related mysql errors and sticking the IP's I find there in my htaccess file. Longer term that's something we'd want to automate.
An obvious caveat is that this is an entirely unsupported hack. At the same time I will be interested to know if it works for you or anyone else who wants to try it. But please back up your current mysql.php file first and keep an eye on things if you are running it on a production system.
Joined: Feb 26, 2006 Posts: 337 Location: Jackson, Mississippi
Posted:
Fri May 18, 2007 2:53 pm
I see what you mean about writing the ip to .htaccess now. This is definitely something that could integrated into sentinel pending it does the job. So far so good.
I've tried that as anonymous on my test site, both RavenNuke and Patched phpNuke. I cannot duplicate any attempt to post on private or private [hidden] forums. It will not post, it will just go to the Your_Account login
Joined: Feb 26, 2006 Posts: 337 Location: Jackson, Mississippi
Posted:
Fri May 18, 2007 4:45 pm
I hardcoded a check into fucntions_post.php as a simple fix till I can update then. The only thing I could think to do. It returns a good mysql error, but at least it will do the job.
Joined: Feb 26, 2006 Posts: 337 Location: Jackson, Mississippi
Posted:
Fri May 18, 2007 4:59 pm
if function_post.php was a little more advanced it would check to make sure that forum had permissions for anonymous to post. This might be a simple fix to posting bots which seem to be a growing issue.
Joined: Aug 30, 2005 Posts: 3186 Location: near Albany NY
Posted:
Mon Jun 11, 2007 11:11 am
Just to update this. I've been running the dblog hack to mysql.php on my production site for almost a month now. It's proving invaluable both in catching hacks and in diagnosing errors in my own code as I develop in. Usually I would catch the errors on my local test system but in a recent case I was testing a Paypal related application where I had to run the new programs on a real domain (cause Paypal posts back to it) and having the SQL errors captured really helped.
I hadn't edited dblog.txt in a while and it had built up to 140k or so, mostly because of hackers trying to put spam into Forums as anonymous. The typical captured post looks like this:
Quote:
June 11, 2007, 11:59 am 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 1181577585, 14, 0, 0, 0)' at line 1
SQL was: INSERT INTO nuke_bbtopics (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type, topic_vote) VALUES ('nnnnnnnnnnnnnnnnnnnnnnn', , 1181577585, 14, 0, 0, 0)
remote addr: 127.0.0.1
This is a test post I did, the more typical topic has something to do with sex and children or viagra or pharmacy stuff or whatever.
Anyway what I was doing was capturing the IP's and putting them over into htaccess as deny froms and then deleting the captured errors from dblog. But with like 100 such messages this morning I decided: "enough". So I spent some time modifying the dblog hack and I'll post it here. Read the caveats after:
Code:
function sql_query($query = '', $transaction = FALSE)
{
global $db_error_toscreen;
// Remove any pre-existing queries
unset($this->query_result);
if($query != '')
{
Caveats: back up your present mysql.php in case you run into problems. Second, realize that this is going to add to a dblog.txt file that you have created with 666 permissions in your nuke root folder. If you are never going to look at this and not going to maintain it regularly, then don't create it and don't use this hack. Third, you will probably get some false positives. This happens when a "normal" user (not a hacker) tries to post anonymously. With the new version of code they will get banned. I'm finding these at about a 1 percent ratio to hackers so it's tolerable to me.
Eventually I'd like to see some version of this hack get put into a future Ravennuke release but wiser minds should look at it first. The ideal thing might be to put the forum based filter into NS so any anonymous who tries to post gets banned (or so that the admin has the choice over what action to take at least).
I'm also not sure how effective banning these IP's is. It seems like the hackers have access to an unlimited pools of (probably) faked IP's so it could be like trying to remove sand from the beach grain by grain. I don't know.
Joined: Feb 26, 2006 Posts: 337 Location: Jackson, Mississippi
Posted:
Mon Jun 11, 2007 11:23 am
I believe this should go into sentinel, but like you said in the right mischievous hands this method may be unaffective. If you don't allow anonymous to post on your board at all. In includes/functions_post.php you check to make sure they are a user.
Joined: Aug 30, 2005 Posts: 3186 Location: near Albany NY
Posted:
Mon Jun 11, 2007 11:44 am
I have held off on modifying any forums code because of the complications involved when we get a new integration package. I can't keep track of a lot of mods; I'm just not disciplined enough. Right now if anonymous tries to post on my system they see a SQL error right on the posting screen and it doesn't get posted. With my hack they also now get banned. I can see where your modification would be helpful too, they'd never even get a chance to TRY to post. Actually, on second thought, where you have the die (haha stupid) you could instead write to htaccess or both.
Joined: Aug 30, 2005 Posts: 3186 Location: near Albany NY
Posted:
Mon Jun 11, 2007 6:26 pm
Quote:
I am big fan of core hacking, but I keep decent records, but it doesn't make updating too much easier lol.
At the risk of taking this totally off-topic, one of the major reasons I'm involved with Ravennuke is that I want to see any "good" ideas I have become part of the core. Otherwise they are essentially dead-ends. I don't know how many times, for instance, I've eliminated that subscription code from Your Account but it keeps coming back with each revision. And that's trivial. On the other hand, changes I made to the themes to make them compliant and more efficient will be there for every succeeding version of RN and I won't have to reinvent them either. Or sit here with Beyond Compare or some other tool figuring out exactly what lines got changed and how to make what I want to do compatible ... again.
And getting slightly back to being on-topic, that's why I'm so reluctant to hack the Forum code. It's just not Nuke versus Ravennuke but it involves PHPBB and PHPBB integration code and whoever does that.
Joined: Aug 30, 2005 Posts: 3186 Location: near Albany NY
Posted:
Thu Jul 12, 2007 9:34 am
I wonder. I am seeing tons of attempts to inject Forum spam that look something like this:
Quote:
/yourpath/modules.php?name=Forums&username=ringosd&subject=he nice download world&addbbcode18=0;&addbbcode20=7&helpbox=Tip: Styles can be applied quickly to selected text.&message=he love ringtone site
Only registered users can see links on this board! Get registered or login to the forums!
you love link ass? &mode=newtopic&sid=42788fae206090308d1f97385c1ea886&f=12&post=Submit 2007-07-11
The common denominator is a username that is not registered at your site.
NukeSentinel, if I am not mistaken, parses every such get string with the code:
Which can be found at line 305 of the latest release. I guess I could experiment on my own systems but I thought I would ask first: would it be feasible to test for the string username. If that's present, take what it's equal to and do a SQL find on the users table for the value on the right of the = sign (ringosd in this case). If numrows is = 0 then do the block_ip function. I would love to see these suckers get automatically banned and I'd love to see it built right into the security product we all know and love and have it be part of Ravennuke from some point on out.
View next topic View previous topic
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
