Author |
31/12/14 Chockstone spam-hack-attack |
|
|
12-Jan-2015 7:11:12 AM
|
Looks like one of Steve's ads is broken again?
Also the gallery picture has weird code in it again?
Have people been playing funny buggers with the site again?
|
12-Jan-2015 10:04:11 AM
|
On 12/01/2015 ajfclark wrote:
>Looks like one of Steve's ads is broken again?
>
>Also the gallery picture has weird code in it again?
>
>Have people been playing funny buggers with the site again?
Gallery pic is blank for me, and when I go into the sub folder gallery/more the first page is incorrectly formatted & pics don't come up for the remainders.
I will send Mike a text message to see if he is aware of it.
|
12-Jan-2015 11:04:56 AM
|
The hack has definitely reoccurred as paydayloan crapscript is within title of PM replies and also at tail of the PM message body.
Mike has not yet acknowledged the text I sent him ...
I suspect Chocky will go offline while being fixed and a backup restore may be required, in which case we may lose today's posts...
|
12-Jan-2015 4:46:05 PM
|
Update.
Mike thinks he has sorted the re-hack issues. He doesn't think they are targeting Chocky directly but rather are throwing their code out onto the net to exploit old system loopholes.
He is not sure yet as to how they are getting through the fences* he has set up.
(*That is my basic computer-speak, not his!), but his block list of codes is expanding.
He tells me it isn't that hard to fix without having to backup, but is inconvenient as it requires manually doing.
He has obtained a new phone, hence the delay in our communication on the issue, as I was using an obsolete number.
|
12-Jan-2015 5:23:53 PM
|
Maybe he should swap fences for firey walls?
|
12-Jan-2015 7:24:41 PM
|
At a guess, a firewall wouldn't help as the attacks are coming over legitimate channels. Needs an IDS/IPS to weed out the SQL injections.
|
12-Jan-2015 8:53:51 PM
|
He might be better off with an EIEIO
|
13-Jan-2015 8:02:51 AM
|
So, - - without a space is now considered suspicious input.
|
14-Jan-2015 7:37:36 AM
|
On 13/01/2015 ajfclark wrote:
>So, - - without a space is now considered suspicious input.
But I can encode it as % 2D% 2D in a url? or & minus; & minus; in html?
−−
That doesn't seem right.
|
14-Jan-2015 7:58:59 AM
|
On 12/01/2015 Eduardo Slabofvic wrote:
>He might be better off with an EIEIO
Without an SQL here, and an SQL there
|
14-Jan-2015 2:00:01 PM
|
Those lines look longer - em dash?
|
14-Jan-2015 3:13:18 PM
|
What is this thing?
A trampoline inside a tent? For those who like to bounce around in the dark...
|
22-Jan-2015 3:15:24 PM
|
Hmm, block-lists.
Why is 'con-text' (when written as the normal one word version), considered suspicious input and not allowing the reply to go through?
Wendy experienced it the other day ("the word 'c_rsory' is terribly upsetting to chockstone"), and made half a dozen posts to make a short point, likewise I received a half dozen PMs (original broken up into small portions), from one sender recently trying to isolate a single offending word before his 'PM' would go. ~> Blerrie good thing I had cleaned up my PM box prior, or there wouldn't have been space for those to get to me!
(2nd Post edit: He has since informed me that the offending word was precurs_r.)
Today while trying to send a PM to another, it keeps getting blocked due to suspicious input, though my experimentation has not isolated the offending bit...
(Post edit. I found the offender word. It was 'un-characteristic')!
(3rd post edit: Chocky doesn't like tr_ncated either).
(4th edit: Don't use fa ke either!)
Is it possible to work around this inconvenience without publishing the offending words if you think the spam-hackster might read and use that info?
|
22-Jan-2015 3:51:35 PM
|
I've been adding to the blocked words list quite a bit of late in order to prevent the ongoing hacks. The word "c_rsor" (if correctly worded) is on the block list because it's a SQL statement used to iterate through record sets. The word "d_clare" (if correctly worded) is also blocked. I wanted to block "select" too but figured people might use it.
It's possibly going to come down to how upset users are by not having certain words available to them, vs having the site down for a few days when a hack occurs.
Their robot is still attacking us. Even as we speak the logs are being filled by hex encoded SQL script they are trying to inject into various page query strings. So far this week (touch wood), the block list and some extra validation code I added is repelling them.
Just don't use those words.
|
22-Jan-2015 4:03:27 PM
|
I'd be looking more at what they are doing to escape the string in the first place.
eg. If they're sending:
http://chockstone/loadpage?action="somethinsomething‘; sqlquery here;"
The problem isn't the sqlquery, it's that the ' isn't being escaped when thrown to the database.
|
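Added example, not part of the thread and not Chockstone's code: a sketch of the two approaches discussed in the posts above, the keyword block list and handling the quote properly when the value goes to the database. The table, function names and sample inputs are constructed, SQLite stands in for whatever database the site uses, and a bound parameter is used in place of manual escaping.

```python
import sqlite3

# Hypothetical substring block list, modelled on the words mentioned in the thread.
BLOCKLIST = ("cursor", "declare", "--")

# Constructed sample inputs.
ORDINARY_POST = "A cursory look at the precursor route"
QUOTE_INPUT = "x' OR '1'='1"   # contains a quote but none of the blocked words


def blocklist_rejects(text):
    """True if the block list would refuse this input as suspicious."""
    lowered = text.lower()
    return any(word in lowered for word in BLOCKLIST)


def make_db():
    """Constructed in-memory table standing in for the site's page data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (action TEXT, body TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [("home", "Welcome"), ("admin", "secret notes")])
    return db


def load_page_concat(db, action):
    """Value pasted into the SQL text: a quote in it ends the string literal."""
    sql = "SELECT body FROM pages WHERE action = '" + action + "'"
    return [row[0] for row in db.execute(sql)]


def load_page_param(db, action):
    """Bound parameter: the value is passed as data, quotes and all."""
    sql = "SELECT body FROM pages WHERE action = ?"
    return [row[0] for row in db.execute(sql, (action,))]


def demo():
    db = make_db()
    return {
        "ordinary post blocked": blocklist_rejects(ORDINARY_POST),
        "quote input blocked": blocklist_rejects(QUOTE_INPUT),
        "rows via concatenation": len(load_page_concat(db, QUOTE_INPUT)),
        "rows via bound parameter": len(load_page_param(db, QUOTE_INPUT)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The ordinary sentence is refused while the quoted input passes the block list; only the bound-parameter query treats that input as a literal value that matches no row.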
22-Jan-2015 8:55:04 PM
|
On 22/01/2015 ajfclark wrote:
>I'd be looking more at what they are doing to escape the string in the
>first place.
>
>eg. If they're sending:
>
>http://chockstone/loadpage?action="somethinsomething‘; sqlquery
>here;"
>
>The problem isn't the sqlquery, it's that the ' isn't being escaped when
>thrown to the database.
Blerry Heck! I'm glad there's people thet understand this shite. Just wish robotsemthingwormthingy would leave chocky alone and pick on seething else! Wy the Fuq a tack sumthng hrmlss lyk chocky.
|
23-Jan-2015 8:21:29 AM
|
I work too much and always have a Chockstone tab open in Chrome. What I've noticed recently is that the page is always loading and causes issues, it never used to do this.
|
8-Feb-2015 11:34:58 AM
|
I just sent a txt to Mike again. This time regarding the fact that 10 out of 20 thread topics on first page within Crag & Route Beta are coming up as blanks...
|
9-Feb-2015 3:09:41 PM
|
Feedback from Mike earlier this morning...
>Thanks. Try it now, should be working.
>The hacks are still happening a couple of times a week, but my repair script is now checking every five minutes and auto running itself if it needs to. So, next time they attack it should recover by itself a few minutes later.
>Not the best solution. Would be better to prevent the hacks entirely, but should buy us some time to work on it.
Feedback from Mike re ajf's suggestions earlier in this thread...
>Saw those. It's a more complex issue.
|
15-Feb-2015 7:14:46 PM
|
|