

[RESOLVED] - Hack Attack resulting from SEARCH

#67589 (In Topic #14408)

Recently I have been getting more and more of these reports. It affects my members, visitors, AND me …
A potential hacking attempt has been detected. Please do not be alarmed: approximately half of the suspected attempts are triggered innocently (the software intentionally has a paranoid security model, to give you very high security). Real hacking attempts are almost always caused by 'bots' (computer programs) that automatically crawl the internet looking for websites which may contain vulnerabilities, and then reporting any found vulnerabilities to their 'master' for future exploitation (usually, to assist in spam relaying). If this was a real hack attempt, it has failed - you might want to try and analyse the logged details (in case it gives clues to a real and persistent offender). More information on security is given in the software documentation.

Attachment: Hack Attack - stack trace ...


Any suggestions on how to mitigate this problem?


Last edit: by Fletch

Take my advice. I'm not using it!

View my working ocPortal site (version 9.x.x) at Anglo-Indian Portal

#67590
Hmm, this seems to be the 'id' parameter sent in the URL to the search module. This parameter is used to identify which 'advanced search' screen to search under. The error happens if it isn't strictly alphanumeric. Could some whitespace have got into the URL somehow, or some other symbols? Where is the link generated from?


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.

#67592
Chris Graham said

… whitespace have got into the URL somehow, or some other symbols? Where is the link generated from?
Difficult for me to answer that Chris as I don't really understand what the hell is happening, HOWEVER, here are a couple of random 'headers' for some of the reports, and you may be able to pick the bones out of them …
Reason: Tried to get something to eval() which was probably malicious
IP address: 14.98.0.128
Member ID: 895
Username: abhaysahaay
User Agent (typically, the web browser): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Referrer: Results - Anglo-Indian Portal
Operating System: Windows NT 5.1; .NET CLR 2.0.50727
Date and time: Mon 21 March 2011, 2:57 PM
URL: /anglo/site/index.php?page=search&type=results&id=graphics/zoomout.cur

and

Reason: Tried to get something to eval() which was probably malicious
IP address: 83.132.90.131
Member ID: 2
Username: Fletch
User Agent (typically, the web browser): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Referrer: http://www.tapmal.com/anglo/site/pg/search/results/index.php/index.php?content=Glenda+Booth&all_defaults=1&author=&days=-1&sort=relevance&direction=DESC&only_titles=0&only_search_meta=0&boolean_search=0&conjunctive_operator=AND
Operating System: Windows NT 6.1; WOW64; rv:2.0
Date and time: Mon 21 March 2011, 7:36 PM
URL: /anglo/site/index.php?page=search&type=results&id=index.php&keep_fatalistic=1&content=Glenda+Booth&all_defaults=1&author=&days=-1&sort=relevance&direction=DESC&only_titles=0&only_search_meta=0&boolean_search=0&conjunctive_operator=AND

Other than showing those two I haven't got a clue what else might make things clearer for you …

 :dry:

#67593

I think I know what's wrong. We had a very similar bug report earlier today. Look for some content with a relative link of 'graphics/zoomout.cur' in it, and try and make it an absolute link, or remove the link entirely. I'll look at a fix tomorrow.


#67594

Chris Graham said

Look for some content with a relative link of 'graphics/zoomout.cur' in it, and try and make it an absolute link, or remove the link entirely. I'll look at a fix tomorrow.
This rang an alarm bell …

Found this in my global.css
/* Style of the expanded image */
.MagicThumb-expanded {
cursor: url(graphics/zoomout.cur), pointer;
background: transparent;
border: 1px solid #ccc;
outline: 0;
padding: 0;
}
… which is a CSS property for the 'MagicThumb' script that does the JavaScript expand/contract on mouseover, which lives on my front page.

Does this mean I cannot integrate the 'MagicThumb' script with ocPortal?

#67608

Ah right. It'll be fine, just put http://... onto that URL to make it absolute (i.e. full, not relative).
But I really don't like false hackattack alarms because people end up banned, so I'll look at this as a priority.


#67617

Right, fix attached :).

Attachment
sources/global.php
» Download: global.php (20 Kb, 88 downloads so far)


Here is what happened…

You have (old-style) short URLs enabled, which treat SEO links as paths (<zone>/pg/<page>/<type>/<id>).
We advise not to use relative URLs in ocPortal because even without SEO-URLs, content can conceivably be shown from any zone, and hence the URL base is not going to be consistent.
With SEO-URLs though the base would be one of these 'virtual' paths and it ends up passing the file path in as a part of the final ID parameter. This triggered the hack-attack notification because ocPortal's search uses the ID as a file path and it looked suspicious because it had a slash in it.

The fix makes ocPortal aware of the situation and just generate a "missing resource" error instead.

Actually your situation is slightly weirder. You have a relative URL in a CSS file. Relative URLs are meant to be treated relative to the URL of the file it is referenced from (the CSS file), so it's odd it looked at the page URL. But there is an IE bug that makes it look at the page URL instead. Maybe because Firefox 4 could not find it at a URL relative to the CSS file it looked relative to the page URL too, to emulate IE. That's my guess anyway. So for your cursor to display as I said in the last post it's best to use an absolute URL.
You probably were not even aware the cursor was not working for your CSS, just the hack-attack messages.


#67632
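To make the mechanism in the two replies above concrete (the 'id' must be strictly alphanumeric, and with short URLs a relative link's path segments fall into the id), here is an added illustration in Python. It is not ocPortal's code and not Chris's fix; the URLs, the install path, and the three-way classification ('ok', 'missing_resource', 'hack_attack') are constructed assumptions used only to show why a relative url() in a CSS file ends up as a suspicious-looking search id, and how a router can report a plain "missing resource" for a path-like id instead of raising a hack-attack alarm.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample URLs (placeholders, not the thread's real site).
BASE_PATH = "/anglo"                                   # assumed install directory
PAGE_URL = "http://example.invalid/anglo/site/pg/search/results/index.php"
CSS_URL = "http://example.invalid/anglo/themes/default/css/global.css"


def resolve_reference(reference, base_url):
    """Resolve a relative url() or form action the way a browser should:
    against the document that references it (RFC 3986 merge)."""
    return urljoin(base_url, reference)


def parse_short_url(path):
    """Map an old-style short URL path <zone>/pg/<page>/<type>/<id> back to the
    parameters index.php would see. Everything after <type> becomes the id, so
    a stray path segment appended by relative-URL resolution lands in it.
    Returns None for paths that are not short URLs."""
    if path.startswith(BASE_PATH + "/"):
        path = path[len(BASE_PATH):]
    parts = [p for p in path.split("/") if p]
    if "pg" not in parts:
        return None
    pg = parts.index("pg")
    zone, rest = "/".join(parts[:pg]), parts[pg + 1:]
    if len(rest) < 2:
        return None
    return {"zone": zone, "page": rest[0], "type": rest[1], "id": "/".join(rest[2:])}


ALNUM = re.compile(r"[A-Za-z0-9]*")          # what a valid search id looks like
PATH_LIKE = re.compile(r"[A-Za-z0-9_.\-/]+")  # ordinary file-path characters only


def classify_search_id(id_value):
    """Illustrative triage of the search 'id' parameter (assumed policy):
    'ok'               strictly alphanumeric, as the thread says a valid id must be;
    'missing_resource' looks like a plain file path, which is exactly what
                       relative-URL leakage produces, so answer 'not found' quietly;
    'hack_attack'      anything else (quotes, semicolons, angle brackets, ...)."""
    if ALNUM.fullmatch(id_value):
        return "ok"
    if PATH_LIKE.fullmatch(id_value):
        return "missing_resource"
    return "hack_attack"


def triage(reference, page_url):
    """End to end: the browser resolves `reference` against the page URL (the IE
    behaviour described in the thread), the short-URL router turns the resulting
    path into parameters, and the id is classified."""
    resolved = resolve_reference(reference, page_url)
    params = parse_short_url(urlsplit(resolved).path)
    return params["id"], classify_search_id(params["id"])


if __name__ == "__main__":
    # Where the cursor file should be fetched from when resolved against the CSS file.
    print(resolve_reference("graphics/zoomout.cur", CSS_URL))
    # The same reference resolved against the page URL: the id becomes a file path.
    print(triage("graphics/zoomout.cur", PAGE_URL))
    # The relative form action 'index.php' from the second report behaves the same way.
    print(triage("index.php", PAGE_URL))
```

Run it and compare the first two lines: resolved against global.css the reference points at a themes directory, but resolved against the page URL it becomes `/anglo/site/pg/search/results/graphics/zoomout.cur`, which the short-URL router reads as id `graphics/zoomout.cur`. The slash fails the alphanumeric check, and the classifier's middle case is what turns that from a false hack-attack alarm into a plain missing-resource response; making the url() absolute removes the leak at the source.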

Chris Graham said

You probably were not even aware the cursor was not working for your CSS, just the hack-attack messages.

Strange that that was the only relative URL called in the MagicThumb CSS. All the others carried the '{$BASE_URL}/magicthumb/' in the URLs called. Must have missed it when I edited the properties before adding it to my global.css.

And you were right; the reference was to the 'expanded image', so I really didn't notice!

Chris Graham said

Here is what happened…
Thanks for the detailed explanation. Even EYE was able to understand it …  :o

Off to include the attached fix …

 :thumbs:
