[Resolved] HackAttack

#72472 (In Topic #15204)
Community saint


This is the second time I've banned myself. Luckily, administrator's IP can't be banned.  :dry:

Every time I try to expand Zone: Welcome from either the menu editor or the site tree editor (I haven't tried elsewhere) I start receiving emails about the Hackattacks. The zone never expands but shows that it's loading.

An IP address, xx.xx.80.237, has been automatically banned for generating 5 hackattack alerts. If you believe these were false alarms, or that the user was manipulated into triggering the alerts, you may wish to unban this IP address. A summary of the alerts follows:

Tried to get something to eval() which was probably malicious [/data/site_tree.php?get_perms=0&start_links=1&id=%3A&options=&default=]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?get_perms=0&start_links=1&id=%3A&options=&default=]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?get_perms=0&start_links=1&id=%3A&options=&default=]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?get_perms=0&start_links=1&id=%3A&options=&default=adminzone%3A]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?get_perms=0&start_links=1&id=%3A&options=&default=]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?get_perms=0&start_links=1&id=%3A&options=&default=]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?get_perms=0&start_links=1&id=%3A&options=&default=]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?get_perms=0&start_links=1&id=%3A&options=&default=]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?start_links=1&get_perms=0&id=%3A&options=&default=]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?start_links=1&get_perms=0&id=%3A&options=&default=4e320c0868a9e]
Tried to get something to eval() which was probably malicious [/data/site_tree.php?start_links=1&get_perms=0&id=%3A&options=&default=]

Reason: Tried to get something to eval() which was probably malicious
IP address: xx.xx.80.237
Member ID: 354
Username: sholzy
User Agent (typically, the web browser): Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.19) Gecko/20110420 SUSE/2.0.14-0.2.1 SeaMonkey/2.0.14
Referrer: http://whiteislandsoftware.com/adminzone/index.php?page=admin_sitetree&type=site_tree
Operating System: X11; U; Linux x86_64; en-US; rv:1.9.1.19
Date and time: 1:28 AM
URL: /data/site_tree.php?start_links=1&get_perms=0&id=%3A&options=&default=


Steve
#72499
It would help a lot if you have the stack trace for this. It should have been in the emails.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#72513
All I can think without the stack trace is that there could be a file with a weird file name somewhere underneath 'pages' or 'site'.


#72518
Community saint

Here is the stack trace from the email. Nothing stands out to me.
File '/home/whiteisl/public_html/sources/failure.php'   Line '426'   Function 'get_html_trace'
   Args:

File '/home/whiteisl/public_html/sources/global2.php'   Line '949'   Function '_log_hack_attack_and_exit'
   Args:
      'EVAL_HACK'
      ':downloads:type=misc:id=1'
      ''

File '/home/whiteisl/public_html/sources/global.php'   Line '388'   Function 'log_hack_attack_and_exit'
   Args:
      'EVAL_HACK'
      ':downloads:type=misc:id=1'

File '/home/whiteisl/public_html/sources/zones2.php'   Line '527'   Function 'filter_naughty_harsh'
   Args:
      ':downloads:type=misc:id=1'

File '/home/whiteisl/public_html/sources/site_tree.php'   Line '348'   Function 'extract_module_functions_page'
   Args:
      ''
      ':downloads:type=misc:id=1'
      array ( 0 => 'get_entry_points',)

File '/home/whiteisl/public_html/data/site_tree.php'   Line '49'   Function 'site_tree_script'
   Args:


Steve
#72523
Sorry to be difficult but could you post the stack trace together with the hack-attack mail that came with it. I need to be 100% sure of the URL associated with it.


#72524
Never mind, got it, reporting in a few mins...


#72526
Redirects can only be between zone and page combinations, but you had some set up with colons in to try and make them do it at a deeper level which would not work. Moreover though, it made ocPortal see the page links as attempts to inject malicious filenames.

Attachment
sources/site_tree.php
» Download: site_tree.php (26 Kb, 92 downloads so far)


#72528
Community saint

Chris Graham said

Redirects can only be between zone and page combinations, but you had some set up with colons in to try and make them do it at a deeper level which would not work. Moreover though, it made ocPortal see the page links as attempts to inject malicious filenames.

Now that you mention redirects, that prompted me to remember I had set up a redirect that entered the downloads tree 1 sub-category into it. Later I also had added a menu item that did the same thing but never removed the redirect. I just removed the redirect and everything seems to be functioning properly.

I haven't dropped your fix into place yet.

Steve
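
The cause identified in this thread, as an added example that is not part of any post and is not ocPortal's code: a redirect target is checked for the plain zone:page shape when the admin saves it, so a deeper page-link like the ':downloads:type=misc:id=1' from the stack trace gets an ordinary form error instead of reaching a strict filename filter later and raising hack-attack alerts against whoever browses the tree. The function names and the allowed character set are assumptions made for illustration.

```php
<?php
// Added illustration; not ocPortal source. Function names and the
// allowed character set are assumptions.

/** Strict filter in the style the stack trace shows: input outside a
 *  narrow filename alphabet is treated as an attack, not a user error. */
function strict_name_filter(string $name): string
{
    if (preg_match('#^[\w\-]*$#', $name) === 1) {
        return $name;
    }
    // Stands in for the log-alert-and-exit path seen in the trace.
    throw new RuntimeException('EVAL_HACK: ' . $name);
}

/** Validate a redirect endpoint at save time.
 *  Accepts exactly "zone:page" (the zone part may be empty).
 *  Returns [zone, page], or null so the form can show a normal error. */
function parse_redirect_target(string $target): ?array
{
    $parts = explode(':', $target);
    if (count($parts) !== 2) {
        return null; // deeper page-link, e.g. ":downloads:type=misc:id=1"
    }
    [$zone, $page] = $parts;
    if (preg_match('#^[\w\-]*$#', $zone) !== 1 || preg_match('#^[\w\-]+$#', $page) !== 1) {
        return null; // path characters, "=", empty page name, and so on
    }
    return [$zone, $page];
}

// Constructed sample inputs; the second is the value from the stack trace.
$samples = [':downloads', ':downloads:type=misc:id=1', 'site:start', 'site:../etc'];
foreach ($samples as $target) {
    $parsed = parse_redirect_target($target);
    if ($parsed === null) {
        echo "reject at save time: $target\n";
        continue;
    }
    // Only validated components ever reach the strict filter.
    echo 'store redirect: zone="' . strict_name_filter($parsed[0])
        . '" page="' . strict_name_filter($parsed[1]) . "\"\n";
}
```

Rejecting the malformed target where it is entered keeps the strict filter's alerts meaningful: an alert then points at request input rather than at configuration an administrator saved.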