Geeklog Forums
Anonymous users posting comments
Over the last few days I have had a number of comment postings, usually ...
Nice thread
Enjoyed reading your comments
Following the few opening words are four or five small lines of broken dots and dashes.
I deleted them, but here lies the problem: the site has comments turned off for anonymous users. I have double checked, and the overall setting is 1 for login required. (I have added a '1' to commentsloginrequired.)
// this lets you select which functions are available for registered users only
$_CONF['loginrequired'] = 1; // all of them, if set to 1 will override all else
$_CONF['submitloginrequired'] = 0;
$_CONF['commentsloginrequired'] = 1;
$_CONF['linksloginrequired'] = 0;
$_CONF['pollsloginrequired'] = 0;
$_CONF['calendarloginrequired'] = 0;
$_CONF['statsloginrequired'] = 0;
$_CONF['searchloginrequired'] = 0;
$_CONF['profileloginrequired'] = 0;
$_CONF['emailuserloginrequired'] = 0;
$_CONF['emailstoryloginrequired'] = 0;
We have tested with a number of users and no one has succeeded in adding a comment without logging in.
Has anyone else experienced this? It seems some clever idiot has found a back door, especially as the dots and dashes seem to be code when viewed in the database.
We are running Linux (BSD) not Windows.
Regards
Marites
Dirk
How do I disable the comments without a major hack? I had to hand delete well over 200 this morning. Can you tell me how this spam site, menace or whatever is posting, as all I get when clicking comments when not logged in is "only registered users are allowed to post comments".
I disabled the link on the story 'Add Your Comments'; still 3 more have been added in the last hour.
It seems obvious that there is a hole or back door in 1.3.9 that is allowing this.
Marites
Sorry to hear that, but I am at a loss here. I have stared at the source for the comment posting for the better part of an hour today and can't see a way around the code that blocks anonymous posts (when that's enabled in config.php).
The only thing that is missing is an additional check for the speed limit in function savecomment(). Vinny added that to CVS recently (the first code block, with a blue background - ignore the other changes). That should at least slow them down a bit.
Someone probably found a way to send an HTTP POST request directly, therefore removing links, etc. won't really help.
If you can provide any more information (webserver log entries, suspicious entries from error.log, whatever), please send them to geeklog-security@lists.geeklog.net
bye, Dirk
Marites (Forum User, Chatty, Registered: 02/04/04, Posts: 64)
Many thanks Dirk, will see what the logs bring up. In the meantime I have renamed comment.php to .bak and made a copy of index.php, naming it comment.php, which just loops the user if they click the add comments link. Not ideal, but it will do as a stop gap.
I have also disabled for users other than admin the What's New block so only I can see if anything is added.
Regards
Tess
keystone430 (Forum User, Chatty, Registered: 01/28/04, Posts: 68)
I am getting the same thing on about 6 Geeklog sites I have. When you take the dots and dashes and put them in a text editor, they are links to a drug spammer in Russia (http://www.01j.com). The last 50 or so also included porn links. I am trying to have my server company block them at server level.
I have spent 4 days deleting as fast as they are posting. One thing I have noticed is that their access does not show up in the access logs. How can that be?
I have also found a user named automoddm12 on all but 1 of the sites getting hit. Instead of deleting the user I took away all the check marks for access on one of the sites. Since I did that there have been no comments added in 12 hours.
Is it possible they have some kind of back door that adds a user name that shows up as anonymous when they post? Could they have added a user?
I am not a code writer but I use Geeklog and find it excellent. I am going crazy with this problem because all together I have 14 sites that use Geeklog. All have a kid friendly rating so I cannot get caught with the porn links in the comments or it will compromise that rating.
keystone430 (Forum User, Chatty, Registered: 01/28/04, Posts: 68)
I just did a Google search on that user name automoddm12. It shows up 29 times in Google, and every one of them is a Geeklog site. It is also in my sports sites, military sites and a publishing site I built for someone else.
drkrum (Forum User, Newbie, Registered: 03/01/03, Posts: 5)
Quote by keystone430: I just did a Google search on that user name automoddm12. It shows up 29 times in Google and every one of them is a geeklog site. It is also in my sports sites, military sites and a publishing site I built for someone else.
What uid do the automoddm12 accounts have? Anything suspicious in the gl_users row for that user?
I am the unfortunate victim of this particular spam as well. I was running a modified version of 1.3.8sr2 which was supposedly susceptible to anonymous comment injection (even when disallowed in config.php), so I have done a complete upgrade to 1.3.9 tonight (not my usual incremental piece-work upgrade; this time I renamed the old directories and uploaded all new code). I'll post again if it continues to get by the setting even after this upgrade. The IP address of the poster hasn't changed for 2 days. My server log shows only the following:
69.5.72.104 - - [29/May/2004:08:20:14 -0400] "POST /comment.php HTTP/1.1" 200 140 "http://mysite.net/article.php?story=20030905093936588" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
Marites (Forum User, Chatty, Registered: 02/04/04, Posts: 64)
We do not openly solicit members, and no registration is offered on the front page; however, if you click 'comments' you are told that comments are only available to registered users, and only then are you offered the chance to register.
These postings are anonymous and I have noticed that they are posted within seconds of each other on one of four linked sites. All these sites run from 1.3.9 and share one installation (set up as per instructions in FAQ and modified to suit).
I have checked the username quoted, but there is no one of that name registered with us.
We have checked the logs and cannot find anything out of the usual.
What we have noticed is that the comments are related to articles posted in 2003 i.e. the older stories. In fact they are related to articles referenced on search engines.
I have also noticed that the dots and dashes are URLs, which suggests this person has admin-type access, as I feel sure GL does not allow URLs in user comments unless specifically set up by the individual site.
I read and understand what Dirk said about 1.3.8 and the possibility of posting when unregistered, but reiterate that the site/s run on 1.3.9.
For us this is a worrying aspect, as our users like to comment on the articles posted.
We are looking at the possibility of linking our comments to an outside BB; GLForum will not work in this instance, for us at least.
Saddened ...
Marites
Marites (Forum User, Chatty, Registered: 02/04/04, Posts: 64)
Quote by keystone430: I am getting the same thing on about 6 Geeklog sites I have. When you take the dots and dashes and put them in a text editor, they are links to a drug spammer in Russia (http://www.01j.com). The last 50 or so also included porn links. I am trying to have my server company block them at server level.
We have checked 66.117.44.106 (01j.com) against our logs and can find no record of access ... which means nothing, as it could be using another IP.
Tess
Dirk (Site Admin, Registered: 01/12/02, Posts: 13073, Location: Stuttgart, Germany)
Vinny identified what was (probably) the cause of the problem in comment.php. It seems the spammers are using an account (i.e. they are registered with your site), but use a manipulated POST request to send anonymous posts while being logged in.
Can those suffering from the spamming attacks please download and try this version of comment.php. It's a drop-in replacement for Geeklog 1.3.9.
If this fixes the problem, we'll be releasing proper security updates for 1.3.9 (and 1.3.8-1) ASAP, so please give us some feedback on this.
Thanks and sorry again for the nuisance.
bye, Dirk
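The root cause Dirk describes is a server that trusts identity data carried in the POST body. The following is an added example, not Geeklog's own comment.php or Vinny's patch: it shows the shape of a comment handler that takes the poster's uid only from the session, enforces the login-required switches quoted at the top of the thread server-side, and applies the speed limit mentioned earlier. All function names, the `$last` storage and the sample request are assumptions for illustration.

```php
<?php
// Added example, not Geeklog's own comment.php. It illustrates the fix Dirk
// describes: the poster's identity must come from the session, never from a
// uid field in the POST body. All function and variable names are illustrative.

const ANON_UID = 1;   // Geeklog convention: uid 1 is the Anonymous user.

// Identity of the submitter, taken only from the session-backed user record
// (a stand-in for Geeklog's $_USER global).
function session_uid(array $user): int
{
    return isset($user['uid']) ? (int) $user['uid'] : ANON_UID;
}

// Mirrors the config.php switches quoted at the top of the thread.
function comments_require_login(array $conf): bool
{
    return !empty($conf['loginrequired']) || !empty($conf['commentsloginrequired']);
}

// Per-client speed limit: true if $ip posted less than $window seconds ago.
// $last maps ip => unix time of the previous accepted post (assumed storage).
function speed_limited(array &$last, string $ip, int $now, int $window): bool
{
    if (isset($last[$ip]) && ($now - $last[$ip]) < $window) {
        return true;
    }
    $last[$ip] = $now;
    return false;
}

// Decides whether a comment submission may be saved. $post is the raw request
// body ($_POST); $user is the session user record; $ip is the client address.
function authorize_comment(array $post, array $user, array $conf,
                           array &$last, string $ip, int $now): array
{
    $uid = session_uid($user);
    // Any uid in the form is ignored; a mismatch is the manipulated POST from the thread.
    if (isset($post['uid']) && (int) $post['uid'] !== $uid) {
        error_log("comment.php: form uid {$post['uid']} != session uid $uid from $ip");
    }
    // Enforce the login requirement server-side; removing the link does not help.
    if ($uid <= ANON_UID && comments_require_login($conf)) {
        return ['ok' => false, 'uid' => $uid, 'reason' => 'login required'];
    }
    if (speed_limited($last, $ip, $now, 45)) {
        return ['ok' => false, 'uid' => $uid, 'reason' => 'speed limit'];
    }
    // Only known fields are read from the request, and sid/pid are sanitised
    // (a stand-in for COM_applyFilter from lib-common.php).
    $sid = preg_replace('/[^0-9]/', '', (string) ($post['sid'] ?? ''));
    $pid = (int) ($post['pid'] ?? 0);
    return ['ok' => true, 'uid' => $uid, 'sid' => $sid, 'pid' => $pid, 'reason' => ''];
}

// Constructed request: an anonymous session claiming to be uid 2 (Admin).
$conf = ['loginrequired' => 1, 'commentsloginrequired' => 1];
$last = [];
$forged = ['uid' => 2, 'sid' => '20030905093936588', 'pid' => 0, 'comment' => 'Nice thread'];
$result = authorize_comment($forged, [], $conf, $last, '203.0.113.5', time());
echo 'ok=' . var_export($result['ok'], true) . ' reason=' . $result['reason'] . "\n";
```

The same request from a genuinely logged-in session passes the first check and is then subject only to the speed limit, which is the behaviour the config switches were meant to guarantee.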
Marites (Forum User, Chatty, Registered: 02/04/04, Posts: 64)
I have added it here, will let you know. All the logins I have around the time of posting are from
151122.cps.virtua.com.br
and they seem to be using uid=2, which is one of my logins. We ban yahoo, msn and free mail servers from registering, and most of our registered users are known to us and are regular posters ... I reiterate, people only register if they want to post.
151122.cps.virtua.com.br - - [29/May/2004:16:59:08 +0000] "GET /gl/public_html/comment.php?sid=20040226154633960&pid=0&type=article HTTP/1.1" 200 16629 "-" "aol xgiy1vciadyxwsngwympgtod1at yy"
Will Vinny's updated comment.php cover this? What is the string at the end?
Forgot to add, we do approve all registrations manually also.
Marites
Dirk (Site Admin, Registered: 01/12/02, Posts: 13073, Location: Stuttgart, Germany)
Quote by Marites: they seem to be using uid=2 which is one of my logins.
uid=2 is the default Admin account. But it looks like they faked the uid and got away with it due to a bug in Geeklog's comment code. The new version of comment.php should catch that.
151122.cps.virtua.com.br - - [29/May/2004:16:59:08 +0000] "GET /gl/public_html/comment.php?sid=20040226154633960&pid=0&type=article HTTP/1.1" 200 16629 "-" "aol xgiy1vciadyxwsngwympgtod1at yy"
The string at the end is where the user agent string is usually located, i.e. the browser's name and version number. It looks like the script or whatever they're using is simply inserting random characters here.
That is not a problem. Actually, it could be used to block these requests on the server: check if the user agent matches any of the usual browsers, and if it doesn't, block it. Although I wouldn't really advise you to use this, as you may accidentally block legitimate requests from exotic user agents ...
From your description, this looks like a slightly different attack than the one that Jesse (drkrum) described. They both seem to be exploiting the same bug in Geeklog, though.
bye, Dirk
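Marites later correlated comment postings with access-log entries by hand, and Dirk notes above that the junk user-agent strings are a usable signal, with the caveat that exotic but legitimate browsers would be caught too. The script below is an added example, not from the thread, that does both over the Apache combined-log format quoted in this thread: it counts POSTs to comment.php per client and reports (rather than blocks) comment.php hits whose user agent does not look like a browser. The regex, helper names and sample log lines are constructed for this illustration.

```php
<?php
// Added example, not from the thread. Counts POSTs to comment.php per client
// and reports comment.php requests with non-browser user agents. Report only:
// blocking on user agent would reject legitimate exotic clients (Dirk's caveat).

// Apache combined log format, the layout of the lines quoted in the thread.
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';

function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, trim($line), $m)) {
        return null;
    }
    return ['host' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Browsers of the period announce themselves as Mozilla, Opera or Lynx.
function looks_like_browser(string $ua): bool
{
    return (bool) preg_match('/^(Mozilla|Opera|Lynx)\b/', $ua);
}

// Returns ['posts' => [host => number of POSTs to comment.php], 'odd_ua' => [...]].
function triage(array $lines): array
{
    $posts = [];
    $odd = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null || !preg_match('#(^|/)comment\.php($|\?)#', $r['path'])) {
            continue;
        }
        if ($r['method'] === 'POST') {
            $posts[$r['host']] = ($posts[$r['host']] ?? 0) + 1;
        }
        if (!looks_like_browser($r['ua'])) {
            $odd[] = $r['host'] . ' ' . $r['method'] . ' ' . $r['path'] . ' ua="' . $r['ua'] . '"';
        }
    }
    arsort($posts);   // busiest posters first, as in Marites's per-host counts
    return ['posts' => $posts, 'odd_ua' => $odd];
}

// Constructed sample: a bursty poster, a normal reader, and a fake user agent.
$sample = [
    '203.0.113.5 - - [29/May/2004:08:20:14 -0400] "POST /comment.php HTTP/1.1" 200 140 "http://example.net/article.php?story=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '203.0.113.5 - - [29/May/2004:08:20:15 -0400] "POST /comment.php HTTP/1.1" 200 140 "http://example.net/article.php?story=2" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '198.51.100.7 - - [29/May/2004:08:21:02 -0400] "GET /article.php?story=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux)"',
    'proxy.example.org - - [29/May/2004:16:59:08 +0000] "GET /gl/public_html/comment.php?sid=1&pid=0&type=article HTTP/1.1" 200 16629 "-" "aol qzxw random"',
];
$report = triage($sample);
foreach ($report['posts'] as $host => $n) {
    echo "$host - $n postings\n";
}
foreach ($report['odd_ua'] as $entry) {
    echo "suspicious agent: $entry\n";
}
```

Run it against a real access log with `$sample = file('access.log')`; a host whose POST count is far above the rest within a short window is the pattern the thread describes.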
Marites (Forum User, Chatty, Registered: 02/04/04, Posts: 64)
Dirk
Many thanks for your comment. I added the comment.php to one of the affected sites; you get this error when calling comments from the story:
Fatal error: Call to undefined function: com_applyfilter() in /html/public_html/comment.php on line 465
Should there be a revised file some other place also?
Marites
Dirk (Site Admin, Registered: 01/12/02, Posts: 13073, Location: Stuttgart, Germany)
Quote by Marites: Fatal error: Call to undefined function: com_applyfilter() in /html/public_html/comment.php on line 465
COM_applyFilter is a new function in Geeklog 1.3.9 (but does not exist in 1.3.8-1). It can be found in lib-common.php ...
bye, Dirk
[edit: A fixed comment.php for Geeklog 1.3.8-1sr4 can be found here]
keystone430 (Forum User, Chatty, Registered: 01/28/04, Posts: 68)
I will give the new comment.php a try and let you know what happens.
Just as a point of reference, the site that I disabled the questionable account on still has had no comment attacks. I disabled rather than deleted to prevent the same name from being used again.
Marites (Forum User, Chatty, Registered: 02/04/04, Posts: 64)
Quote by Dirk: COM_applyFilter is a new function in Geeklog 1.3.9 (but does not exist in 1.3.8-1). It can be found in lib-common.php ...
Dirk, the version check from Admin reports 1.3.9. I will try the other version and see what happens.
I have asked our server manager to reinstall GL tomorrow using an individual setup in place of the shared one we have now.
Will report back on findings.
Tess
Marites (Forum User, Chatty, Registered: 02/04/04, Posts: 64)
Our log for yesterday, 30 May, was 390,000 lines, so I took a 3 hour period and checked comment postings against the relevant entries in the access log. These are the IP addresses noted in that time. It looks to me as if the person is using proxies, as the log from the 29th shows a different list of IPs.
To those who run sites aimed at family audiences, I suggest you dump the database and delete the messages from there (if you feel confident), as the items that list in the 'What's New' block only show some of the postings.
When examining my database I found many porno, iffy postings, some with code and so on. Luckily we do have a custom script and can delete field content.
My concern is that all these items seem to have been posted with uid 2.
With the speed at which multiple items are posted to 4 domains within 2 seconds of each other, it does seem like there is a script out there that can do this for them.
I have also found that the items chosen have all been listed by Google.
It is a very worrying situation.
I find that 3 of our sites are running 1.3.9 and 1 is running 1.3.8; strangely, the 1.3.8 site has had the least attacks. I have updated the comment.php in each as suggested by Dirk.
I will now wait and see what happens.
Tess