#1 2016-09-17 1:45 am

lucas.robb
Member
Registered: 2016-01-28
Posts: 2

Potential Attack

Hi All,

I received a problem posting the error I found, but I was parsing the error logs for my web server and I wanted to send it your way so that I could get some feedback on it.  I will try to post the error for your analysis.

Offline

#2 2016-09-17 2:01 am

lucas.robb
Member
Registered: 2016-01-28
Posts: 2

Re: Potential Attack

I am unable to post links to items with less than 5 posts but you can get it from: lucasrobb.com / Attack-Capture.PNG

Offline

#3 2016-09-17 4:36 am

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Potential Attack

Why do you need us to follow some link to some site??? You could post the output of the log
in code boxes,
like this: (I did not have any errors in my mysql logs, so using this)

 #: 1073 @: Wed, 27 Apr 2016 19:59:19 -0700 Running: 0.4.10a3 / 76
Host: dyn-59-22.fttbee.kis.ru
IP: 88.81.59.22
Score: 1
Violation count: 2 
Why blocked: No registrations, or logins, from hosts listed as hostile on Stop Forum Spam (http://www.stopforumspam.com/removal) (local block). 
Query: mode=register&sid=e39613ba8d6abd9fd54f2f3488c3d24f
Referer: Removed url ,....zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzf
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Reconstructed URL: removed url: For security reasons,&zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

In any event, there is no need to link to that site and look at a screenshot; you can
copy/paste the error messages, whatever it says, into code boxes in a post.
Code boxes are like this:

 [code]Paste the text,script or code in between , like this
 :)  =) not very difficult  :( =(  [/code]

like this
smile  smile not very difficult  sad sad
For more details see: http://www.stopforumspam.com/forum/help.php#bbcode

Offline

#4 2016-09-17 2:15 pm

NeoFox
Member
From: WI, USA, Earth
Registered: 2013-09-26
Posts: 830
Website

Re: Potential Attack

I used a proxy to view that file. It seems you are escaping something because of the multiple "%2f"'s in the output.

Your system seems kind of borked. How can a post ID have a decimal number? Either this is a troll attempt or ?

I also don't understand why it says "information_schema". Are you trying to install on a SQL Server?

EDIT: Unless you have that option where you have custom PHP error codes. I don't see how else this could happen where the php errors themselves get parsed?

EDIT2: Could this be one of those old "magic quotes" problems? I've never used that option before.

Last edited by NeoFox (2016-09-17 2:16 pm)

Offline

#5 2016-12-29 9:16 pm

Deatives
Member
Registered: 2016-10-06
Posts: 7

Re: Potential Attack

If you are running custom php/mysql code, then make sure you are escaping your input and integer casting where possible. Beyond that, rather than freaking out when you see someone trying to attack your service, you'll know that you've written secure code and that you won't need to worry about potential attacks.

Also if you are willing to pay the $20/month CloudFlare's Pro plan includes an SQL Injection WAF Filter that helps reduce those types of attacks (even their free plan with the "checking your browser" screen [which btw won't harm your SEO, it's bypassed for Google and such] will mitigate minor SQLMap attacks until a smart attacker grabs the cookie sets and spoofs user agents).

Offline
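
Added example (not part of any post in this thread, and not the original poster's code): a small log-triage check for the three things the replies point at, repeated "%2f" encoding, a non-integer post ID, and "information_schema" in a request. The viewtopic.php path, the parameter names and the sample request lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Constructed sample request URIs (not taken from the poster's screenshot).
SAMPLE_REQUESTS = [
    "/viewtopic.php?id=42",
    "/viewtopic.php?id=42.1",
    "/viewtopic.php?id=1%20union%20select%20table_name%20from%20information_schema.tables",
    "/viewtopic.php?id=7%252f%252a%252a%252f",
]

INT_PARAMS = {"id", "pid", "tid"}  # assumed names of integer-only parameters
SQL_MARKERS = re.compile(r"information_schema|union\s+select|/\*|--\s", re.I)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252f) is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage(request_uri):
    """Return the reasons a request looks like an injection probe (empty if none)."""
    reasons = []
    query = urlsplit(request_uri).query
    # parse_qsl already decodes once, as the web server would.
    for name, once in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(once)
        if value != once:
            reasons.append(f"{name}: multiply percent-encoded")
        # Match strictly: PHP's (int) cast would silently turn "42.1" into 42,
        # which is safe for the query but hides the anomaly from the log reader.
        if name in INT_PARAMS and not re.fullmatch(r"[0-9]{1,10}", value):
            reasons.append(f"{name}: not a plain integer")
        if SQL_MARKERS.search(value):
            reasons.append(f"{name}: SQL syntax or metadata keyword")
    return reasons


if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print(uri, "->", triage(uri) or "ok")
```

A hit here only means the request was a probe; whether it could do anything depends on the application escaping or casting its input as described in the post above.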
