Bernard Paques from nearby-an-airport, Associate, 8408 posts | Nick, I suppose you had installed 7.6.3 before the exploit? Whatever response, please send me your logs by e-mail for further analysis. |
Bernard Paques from nearby-an-airport, Associate, 8408 posts | Also, please change the password or suppress user profiles member, editor and subscriber, which have well-known passwords, and should be used only on private development servers. |
Bernard Paques from nearby-an-airport, Associate, 8408 posts | As an associate, you should edit the alien link to identify the nick name that has been used to post it. |
| NickR |
" Nick, I suppose you had installed 7.6.3 before the exploit? Whatever response, please send me your logs by e-mail for further analysis. " Yup 7.6.3 installed. We suspect it was a server specific attack, rather than YACS specific. ----- Nick |
| NickR |
" As an associate, you should edit the alien link to identify the nick name that has been used to post it. " "Last edition by" is not displayed. ----- Nick |
| NickR |
" Also, please change the password or suppress user profiles member, editor and subscriber, which have well-known passwords, and should be used only on private development servers. " My password has been changed already. ----- Nick |
Bernard Paques from nearby-an-airport, Associate, 8408 posts |
" "Last edition by" is not displayed. " From the Control Panel, click on the Links in the database overview to get a list of recent links with contributors. |
| NickR |
" From the Control Panel, click on the Links in the database overview to get a list of recent links with contributors. " Still not shown !-----Nick |
Bernard Paques from nearby-an-airport, Associate, 8408 posts | Is it specific to this link? I mean, do you have other links showing nick names or not? |
| NickR |
" Is it specific to this link? I mean, do you have other links showing nick names or not? " No, it's just one link. ----- Nick |
Bernard Paques from nearby-an-airport, Associate, 8408 posts |
NickR: You are confirming, then, that this is a hack since no regular nick name has been recorded with the link. |
| NickR |
" NickR: You are confirming, then, that this is a hack since no regular nick name has been recorded with the link. " Yes. Will find out more when we get the server logs. ----- Nick |
| NickR | Well, no server logs as we just had the server upgraded and logging was turned off. Anyhow, someone's updated it again today, so logging is back on and I will let you know next time it happens. Nick. ----- Nick |
Bernard Paques from nearby-an-airport, Associate, 8408 posts |
NickR: What about the database engine? Is it safe enough? |
| NickR |
" NickR: What about the database engine? Is it safe enough? " The link today is a new link, not a changed one. Apart from this one link, everything else checks out fine, I changed yacs and server passwords and backed up everything. Nick |
| NickR | Finally logged it... This corresponds with when the link was updated:
[20/Oct/2007:05:14:17 +0100] "POST /links/trackback.php/article/48 HTTP/1.1" 200 78
And is an isolated line of code. I also noticed this same url being posted to many times (by a different IP address):
POST http://www.ngr78.co.uk/links/t...s/trackback.php HTTP/1.1" 200 8569
----- Nick |
| NickR | Having looked more closely at the issue, I realise that they have simply used the trackback form... Basically trackback spam. This is not a bug, but I will look into how we can combat such bad practices. ----- Nick |
| NickR | Here is my first improvement, a reverse IP lookup. This makes sure that the ip of the url sent for trackback matches the ip address that sends the http post. NOT TESTED. I placed this function in links\link.php
```php
function verifyurlip($url, $ip) {
    global $context;
    // keep only dotted-quad characters from the remote address
    $ip = preg_replace('/[^0-9.]/', '', $ip);
    $items = @parse_url($url);
    // sent by the form on this very site, so there is nothing to cross-check
    if (gethostbyaddr($ip) == $context['host_name'])
        return TRUE;
    // a source URL without a host cannot be verified at all
    if (!isset($items['host']))
        return FALSE;
    // the host named in the source URL must resolve to the address that posted
    $reverseip = gethostbyname($items['host']);
    if ($reverseip != $ip) {
        return FALSE;
    } else {
        return TRUE;
    }
}
```
It is then called in links\trackback.php at line 138 (7.6.3) after we check we have an anchor, before we check the source does not already exist. I reused a fault code, so I guess a real code would need to be used.
```php
// raise the fault only when the source host does NOT resolve to the posting address
elseif(!Link::verifyurlip($anchor, $_SERVER['REMOTE_ADDR']))
    $response = array('faultCode' => 16, 'faultString' => 'IP address does not match source');
```
The other improvement I suggest is implementing a captcha for the form. |
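An added example in Python (not YACS code and not Nick's patch) of the check described in the post above: the host named in the claimed trackback source URL must resolve to the address that actually sent the POST, with the same exemption for POSTs coming from the site's own host. The DNS table, the site's address and the sample POSTs are constructed so it runs offline; a real deployment would pass a resolver built on socket.getaddrinfo.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def verify_trackback_source(source_url, remote_addr, resolve, own_host_ips=()):
    """Accept a trackback only if the host in the claimed source URL resolves
    to the address that submitted the POST. `resolve(host)` returns the
    host's address records as strings. Returns (accepted, reason); a False
    result maps onto the trackback fault response, the reason is for the log."""
    try:
        client = ip_address(remote_addr.strip())
    except ValueError:
        return False, "REMOTE_ADDR is not an IP address"
    # Exemption as in the post above: a POST from the site's own host (its
    # trackback form) cannot be cross-checked, so let it through.
    if client in {ip_address(a) for a in own_host_ips}:
        return True, "request originated from the site itself"
    parts = urlsplit(source_url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "source URL has no usable host"
    try:
        claimed = {ip_address(a) for a in resolve(parts.hostname)}
    except (OSError, ValueError):
        return False, f"cannot resolve {parts.hostname}"
    if client in claimed:
        return True, f"{parts.hostname} resolves to {client}"
    return False, f"{parts.hostname} does not resolve to {client}"


# Constructed DNS table so the example runs offline (assumed, not real records).
FAKE_DNS = {
    "blog.example.net": ["203.0.113.7"],
    "mirror.example.org": ["198.51.100.2", "198.51.100.3"],
}
OWN_HOST_IPS = ["192.0.2.10"]  # assumed address of the YACS site itself

# Constructed trackback POSTs: (claimed source URL, REMOTE_ADDR of the POST).
SAMPLE_TRACKBACKS = [
    ("http://blog.example.net/post/1", "203.0.113.7"),   # genuine
    ("http://blog.example.net/post/1", "203.0.113.99"),  # forged source URL
    ("http://mirror.example.org/p", "198.51.100.3"),     # multi-homed host, ok
    ("not-a-url", "203.0.113.99"),                       # no host to check
    ("http://nxdomain.example/", "203.0.113.99"),        # unresolvable host
    ("http://blog.example.net/post/1", "192.0.2.10"),    # local form exemption
]


def check_samples():
    """Run every constructed POST through the check; returns the accept flags."""
    return [verify_trackback_source(u, ip, lambda h: FAKE_DNS.get(h, []),
                                    OWN_HOST_IPS)[0] for u, ip in SAMPLE_TRACKBACKS]
```

This does a forward lookup on the claimed host rather than the PTR lookup in the post, since PTR records are controlled by whoever owns the address block. It only rejects forged source URLs; a trackback posted from a host the sender genuinely owns still passes, which is why the thread also adds a captcha.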
Bernard Paques from nearby-an-airport, Associate, 8408 posts | Based on your suggestion, I have added a captcha on the trackback form, and additional tests on originating hosts for remote requests. Hope this will help stop trackback spammers for a while... This will be part of the 8.1 release. Thanks for the trick. |
| NickR | Cheers, BTW since I implemented that code on my site I have had no further problems. Nick My Website: NGR78 |
Site exploited!
| Workflow | Support request |
| Status | Problem has been recorded |
Someone has managed to exploit my site and modify a link:
http://www.ngr78.co.uk/articles/71
Notice the date and username are missing.
I am getting hold of the server logs.