Welcome to Geeklog, Anonymous Saturday, December 28 2024 @ 06:29 am EST
Geeklog Forums
Bug or Attack?
Status: offline
ronack
Forum User
Full Member
Registered: 05/27/03
Posts: 612
I'm not really sure what is happening to cause this. I run multiple sites of Geeklog on one machine. Today when I went to 2 of my sites I was unable to log in as admin or any other account. Upon close examination in phpmyadmin I noticed that the password string for every single account was the exact same. The string was different for both sites but all the accounts were the same.
Has anyone else experienced this? Is there something out there that can changed passwords "GLOBALLY"? To me it sounds like an attack and thankfully it was not on one of my sites that had a large membership but I fear it's only a matter of time.
Has anyone else experienced this? Is there something out there that can changed passwords "GLOBALLY"? To me it sounds like an attack and thankfully it was not on one of my sites that had a large membership but I fear it's only a matter of time.
3
20
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by ronack: Is there something out there that can changed passwords "GLOBALLY"? To me it sounds like an attack
It sure does. Probably an SQL injection.
Which version of Geeklog are you running? Which PHP and MySQL versions? Which plugins and other 3rd-party add-ons or scripts do you have on the site?
A good look through your webserver's logfiles (as well as Geeklog's error.log and access.log) may also reveal more information.
Feel free to post anything that you think is of interest to geeklog-security@lists.geeklog.net
bye, Dirk
5
5
Quote
Status: offline
ronack
Forum User
Full Member
Registered: 05/27/03
Posts: 612
The only thing that I can see that is odd is this
02/18/2005 09:56:30 AM - 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1. SQL in question: UPDATE gl_comments SET lft = lft + 2 WHERE sid = '20030617105531991' AND lft >=
It looks like someone tried to use mysql statememts in comments. I could be wrong, what do you think.
Unfortunatly all my sites are using the same access, error and spamx log so it's kind of hard to tell what affects what site.
Text Formatted Code
02/17/2005 04:45:41 PM - 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1. SQL in question: UPDATE gl_comments SET lft = lft + 2 WHERE sid = '20030617105531991' AND lft >= 02/18/2005 09:56:30 AM - 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1. SQL in question: UPDATE gl_comments SET lft = lft + 2 WHERE sid = '20030617105531991' AND lft >=
Unfortunatly all my sites are using the same access, error and spamx log so it's kind of hard to tell what affects what site.
8
9
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by ronack: It looks like someone tried to use mysql statememts in comments. I could be wrong, what do you think.
The comment functions are using proper parameter filtering. I don't see a way to inject something there.
I can see this error occuring when someone tries to post a comment as a response to a non-existent comment. Could have been a comment spammer or just someone trying out what happens in that case. Geeklog should really catch this ...
Anyway, that doesn't seem to have anything to do with the changed passwords. You didn't answer my question for other scripts you're running. Gallery and phpBB, to pick just two examples, had security updates recently (as did Geeklog, btw - 1.3.11 was also a security update for 1.3.10).
bye, Dirk
20
9
Quote
Status: offline
ronack
Forum User
Full Member
Registered: 05/27/03
Posts: 612
Guess I should go ahead and update to 1.3.11 as far as other scripts, no other scripts on either site. One site is my main business site and the other is a live test site that I set up to test different things and work on my shopping cart plugin. Here are the sites
http://www.isdsc.com (business site)
http://www.miplanet.com (test site)
Just a note, I have run across this before, it very well could be something that I am working on but to have something on one domain affect something on a different domain but not other domains or then same PC would be highly unlikely.
I will keep trying to figure out what is going on because it could be a serious issue.
Thanks Dirk,
Ron
Oh something I just thought about, I was testing Auditor. I'll check to see if that has anything to do with it.
http://www.isdsc.com (business site)
http://www.miplanet.com (test site)
Just a note, I have run across this before, it very well could be something that I am working on but to have something on one domain affect something on a different domain but not other domains or then same PC would be highly unlikely.
I will keep trying to figure out what is going on because it could be a serious issue.
Thanks Dirk,
Ron
Oh something I just thought about, I was testing Auditor. I'll check to see if that has anything to do with it.
5
3
Quote
All times are EST. The time is now 06:29 am.
- Normal Topic
- Sticky Topic
- Locked Topic
- New Post
- Sticky Topic W/ New Post
- Locked Topic W/ New Post
- View Anonymous Posts
- Able to post
- Filtered HTML Allowed
- Censored Content