Security question..

started by on Mar 23, 2017 – Last touched: Mar 25, 2017

Mar 23, 2017 02:06    

Hi

In my apache2 ERROR log I got a lot of entries of this kind:


[Wed Mar 22 00:06:09.009102 2017] [:error] [pid 9127] [client 91.223.133.30:43384] SQL ERROR: Data too long for column 'hit_disp' at row 1(Errno=1406), QUERY: "INSERT DELAYED INTO evo_hitlog ( hit_datetime, hit_uri, hit_disp, hit_ctrl, hit_action, hit_type, hit_referer_type, hit_referer, hit_referer_dom_ID, hit_keyphrase_keyp_ID, hit_keyphrase, hit_serprank, hit_coll_ID, hit_remote_addr, hit_agent_type, hit_agent_ID, hit_response_code, hit_method, hit_sess_ID ) VALUES ( FROM_UNIXTIME( 1490137569 ), '/?disp=-8017%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23', '-8017 UNION ALL SELECT 41,41,41,41,41,41,41,41,41#', NULL, NULL, 'standard', 'direct', '', NULL, NULL, NULL, NULL, '1', '91.223.133.30', 'browser', NULL, '400', 'GET', '2989' )", BACKTRACE: Backtrace: DB->print_error( "", "", "Record the hit" ) File: /srv/www/htdocs/blog/inc/_core/model/db/_db.class.php on line 868 DB->query( "INSERT DELAYED INTO evo_hitlog ( hit_datetime, hit_uri, hit_disp, hit_ctrl, hit_action, hit_type, hit_referer_type, hit_referer, hit_referer_dom_ID, hit_keyphrase_keyp_ID, hit_keyphrase, hit_serprank, hit_coll_ID, hit_remote_addr, hit_agent_type, hit_age…", "Record the hit" ) File: /srv/www/htdocs/blog/inc/sessions/model/_hit.class.php on line 956 Hit->record_the_hit( true ) File: /srv/www/htdocs/blog/inc/sessions/model/_hit.class.php on line 767 Hit->log( true ) File: /srv/www/htdocs/blog/inc/_core/_misc.funcs.php on line 234 shutdown( ) [runtime created function] Ignored last: 1, URL: https://www.mydomain.com/?disp=-8017%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23
[Wed Mar 22 00:06:09.009362 2017] [:error] [pid 9127] [client 91.223.133.30:43384] b2evolution error: MySQL error! / Data too long for column 'hit_disp' at row 1(Errno=1406) / Your query: Record the hitINSERT DELAYED INTO evo_hitlog ( hit_datetime, hit_uri, hit_disp, hit_ctrl, hit_action, hit_type, hit_referer_type, hit_referer, hit_referer_dom_ID, hit_keyphrase_keyp_ID, hit_keyphrase, hit_serprank, hit_coll_ID, hit_remote_addr, hit_agent_type, hit_agent_ID, hit_response_code, hit_method, hit_sess_ID ) / VALUES ( FROM_UNIXTIME( 1490137569 ), '/?disp=-8017%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23', '-8017 UNION ALL / SELECT 41,41,41,41,41,41,41,41,41#', NULL, NULL, 'standard', 'direct', '', NULL, NULL, NULL, NULL, '1', '91.223.133.30', 'browser', NULL, '400', 'GET', '2989' ) in /srv/www/htdocs/blog/inc/_core/model/db/_db.class.php at line 652 / REQUEST_URI:  /?disp=-8017%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23 / HTTP_REFERER: -
[Wed Mar 22 00:06:09.748074 2017] [:error] [pid 8985] [client 91.223.133.30:43582] SQL ERROR: Data too long for column 'hit_disp' at row 1(Errno=1406), QUERY: "INSERT DELAYED INTO evo_hitlog ( hit_datetime, hit_uri, hit_disp, hit_ctrl, hit_action, hit_type, hit_referer_type, hit_referer, hit_referer_dom_ID, hit_keyphrase_keyp_ID, hit_keyphrase, hit_serprank, hit_coll_ID, hit_remote_addr, hit_agent_type, hit_agent_ID, hit_response_code, hit_method, hit_sess_ID ) VALUES ( FROM_UNIXTIME( 1490137569 ), '/?disp=-3226%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23', '-3226 UNION ALL SELECT 41,41,41,41,41,41,41,41,41,41#', NULL, NULL, 'standard', 'direct', '', NULL, NULL, NULL, NULL, '1', '91.223.133.30', 'browser', NULL, '400', 'GET', '2990' )", BACKTRACE: Backtrace: DB->print_error( "", "", "Record the hit" ) File: /srv/www/htdocs/blog/inc/_core/model/db/_db.class.php on line 868 DB->query( "INSERT DELAYED INTO evo_hitlog ( hit_datetime, hit_uri, hit_disp, hit_ctrl, hit_action, hit_type, hit_referer_type, hit_referer, hit_referer_dom_ID, hit_keyphrase_keyp_ID, hit_keyphrase, hit_serprank, hit_coll_ID, hit_remote_addr, hit_agent_type, hit_age…", "Record the hit" ) File: /srv/www/htdocs/blog/inc/sessions/model/_hit.class.php on line 956 Hit->record_the_hit( true ) File: /srv/www/htdocs/blog/inc/sessions/model/_hit.class.php on line 767 Hit->log( true ) File: /srv/www/htdocs/blog/inc/_core/_misc.funcs.php on line 234 shutdown( ) [runtime created function] Ignored last: 1, URL: https://www.mydomain.com/?disp=-3226%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23
[Wed Mar 22 00:06:09.748356 2017] [:error] [pid 8985] [client 91.223.133.30:43582] b2evolution error: MySQL error! / Data too long for column 'hit_disp' at row 1(Errno=1406) / Your query: Record the hitINSERT DELAYED INTO evo_hitlog ( hit_datetime, hit_uri, hit_disp, hit_ctrl, hit_action, hit_type, hit_referer_type, hit_referer, hit_referer_dom_ID, hit_keyphrase_keyp_ID, hit_keyphrase, hit_serprank, hit_coll_ID, hit_remote_addr, hit_agent_type, hit_agent_ID, hit_response_code, hit_method, hit_sess_ID ) / VALUES ( FROM_UNIXTIME( 1490137569 ), '/?disp=-3226%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23', '-3226 UNION ALL / SELECT 41,41,41,41,41,41,41,41,41,41#', NULL, NULL, 'standard', 'direct', '', NULL, NULL, NULL, NULL, '1', '91.223.133.30', 'browser', NULL, '400', 'GET', '2990' ) in /srv/www/htdocs/blog/inc/_core/model/db/_db.class.php at line 652 / REQUEST_URI:  /?disp=-3226%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23 / HTTP_REFERER: -

And this is from the ACCESS log:


91.223.133.30 - - [22/Mar/2017:00:05:54 +0100] "GET /?disp=-4382%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 852
91.223.133.30 - - [22/Mar/2017:00:05:55 +0100] "GET /?disp=-5816%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 853
91.223.133.30 - - [22/Mar/2017:00:05:55 +0100] "GET /?disp=-5368%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 853
91.223.133.30 - - [22/Mar/2017:00:05:56 +0100] "GET /?disp=-1168%25%27%20ORDER%20BY%201%23 HTTP/1.1" 400 379
91.223.133.30 - - [22/Mar/2017:00:05:56 +0100] "GET /?disp=-9358%25%27%20UNION%20ALL%20SELECT%2041%23 HTTP/1.1" 400 379
91.223.133.30 - - [22/Mar/2017:00:05:57 +0100] "GET /?disp=-1599%25%27%20UNION%20ALL%20SELECT%2041%2C41%23 HTTP/1.1" 500 850
91.223.133.30 - - [22/Mar/2017:00:05:57 +0100] "GET /?disp=-2264%25%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%23 HTTP/1.1" 500 853
91.223.133.30 - - [22/Mar/2017:00:05:58 +0100] "GET /?disp=-4225%25%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%23 HTTP/1.1" 500 850
91.223.133.30 - - [22/Mar/2017:00:05:59 +0100] "GET /?disp=-1262%25%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 854
91.223.133.30 - - [22/Mar/2017:00:05:59 +0100] "GET /?disp=-8796%25%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 855
91.223.133.30 - - [22/Mar/2017:00:05:59 +0100] "GET /?disp=-3324%25%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 854
91.223.133.30 - - [22/Mar/2017:00:06:00 +0100] "GET /?disp=-5233%25%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 854
91.223.133.30 - - [22/Mar/2017:00:06:00 +0100] "GET /?disp=-4713%25%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 854
91.223.133.30 - - [22/Mar/2017:00:06:01 +0100] "GET /?disp=-3793%25%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 855
91.223.133.30 - - [22/Mar/2017:00:06:02 +0100] "GET /?disp=msgform%26amp%3Brecipient_id%3D1%26amp%3Bredirect_to%3Dhttps%3A%2F%2Fwww.we-serve-god.tk%2F%3Fdisp%3Dposts%26coll_comment_list_show_statuses%255B%255D%3Dpublished%26coll_comment_list_show_statuses%255B%255D%3Dcommunity%26coll_comment_list_show_statuses%255B%255D%3Dprotected%26coll_comment_list_show_statuses%255B%255D%3Dprivate%26coll_comment_list_show_statuses%255B%255D%3Dreview%26coll_comment_list_order%3DDESC%25%27%20UNION%20ALL%20SELECT%20CONCAT%280x7176717671%2C0x4a43614c414257586b5357784e596d71455946774d4b556357426948445741444a4b71534a417644%2C0x7178627a71%29%23 HTTP/1.1" 500 1086
91.223.133.30 - - [22/Mar/2017:00:06:02 +0100] "GET /?disp=msgform%26amp%3Brecipient_id%3D1%26amp%3Bredirect_to%3Dhttps%3A%2F%2Fwww.we-serve-god.tk%2F%3Fdisp%3Dposts%26coll_comment_list_show_statuses%255B%255D%3Dpublished%26coll_comment_list_show_statuses%255B%255D%3Dcommunity%26coll_comment_list_show_statuses%255B%255D%3Dprotected%26coll_comment_list_show_statuses%255B%255D%3Dprivate%26coll_comment_list_show_statuses%255B%255D%3Dreview%26coll_comment_list_order%3DDESC%25%27%20UNION%20ALL%20SELECT%20CONCAT%280x7176717671%2C0x6173496c457470616758%2C0x7178627a71%29%23 HTTP/1.1" 500 1043
91.223.133.30 - - [22/Mar/2017:00:06:03 +0100] "GET /?disp=-7649%25%27%20UNION%20ALL%20SELECT%20CONCAT%280x7176717671%2C0x4a7667774b4249584e536e72744a706971446d4c6a6c647464696d61566e66444d5a744569624c41%2C0x7178627a71%29%23 HTTP/1.1" 500 947
91.223.133.30 - - [22/Mar/2017:00:06:04 +0100] "GET /?disp=-1560%25%27%20UNION%20ALL%20SELECT%20CONCAT%280x7176717671%2C0x41756b7a6457434d6963%2C0x7178627a71%29%23 HTTP/1.1" 500 902
91.223.133.30 - - [22/Mar/2017:00:06:04 +0100] "GET /?disp=-4410%20ORDER%20BY%201%23 HTTP/1.1" 400 379
91.223.133.30 - - [22/Mar/2017:00:06:04 +0100] "GET /?disp=-7566%20UNION%20ALL%20SELECT%2041%23 HTTP/1.1" 400 379
91.223.133.30 - - [22/Mar/2017:00:06:05 +0100] "GET /?disp=-2563%20UNION%20ALL%20SELECT%2041%2C41%23 HTTP/1.1" 400 379
84.106.2.187 - - [22/Mar/2017:00:06:05 +0100] "POST /htsrv/anon_async.php HTTP/1.1" 200 472
91.223.133.30 - - [22/Mar/2017:00:06:05 +0100] "GET /?disp=-1890%20UNION%20ALL%20SELECT%2041%2C41%2C41%23 HTTP/1.1" 500 844
91.223.133.30 - - [22/Mar/2017:00:06:06 +0100] "GET /?disp=-6852%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%23 HTTP/1.1" 500 845
91.223.133.30 - - [22/Mar/2017:00:06:06 +0100] "GET /?disp=-4043%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 845
91.223.133.30 - - [22/Mar/2017:00:06:07 +0100] "GET /?disp=-1764%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 846
91.223.133.30 - - [22/Mar/2017:00:06:07 +0100] "GET /?disp=-1412%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 846
91.223.133.30 - - [22/Mar/2017:00:06:08 +0100] "GET /?disp=-1424%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23 HTTP/1.1" 500 846

Someone is trying to access the database?
Is this kind of attack (if that is what it is) a security risk in b2evolution, or are these attempts doomed to fail anyway?
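The access-log lines above are the useful record here: every probe is a GET against the front page with a `disp` parameter carrying URL-encoded SQL, all from one source address, and most of them end in a 400 or 500. The following script is an added example, not part of the original post or of b2evolution: it parses Apache access-log lines, URL-decodes each query parameter, matches the probe patterns seen in this thread (UNION ALL SELECT column counting, ORDER BY probing, CONCAT extraction attempts), and aggregates per source IP so an administrator can decide which addresses to block. The sample log embedded in the block is constructed from the shape of the lines above, with the real addresses replaced by documentation ranges; the signature list and the blocking threshold are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample, modelled on the access-log lines quoted in the post
# (addresses replaced with RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.30 - - [22/Mar/2017:00:05:54 +0100] "GET /?disp=-4382%27%20UNION%20ALL%20SELECT%2041%2C41%2C41%23 HTTP/1.1" 500 852
203.0.113.30 - - [22/Mar/2017:00:05:56 +0100] "GET /?disp=-1168%25%27%20ORDER%20BY%201%23 HTTP/1.1" 400 379
198.51.100.7 - - [22/Mar/2017:00:06:05 +0100] "POST /htsrv/anon_async.php HTTP/1.1" 200 472
203.0.113.30 - - [22/Mar/2017:00:06:04 +0100] "GET /?disp=-4410%20ORDER%20BY%201%23 HTTP/1.1" 400 379
198.51.100.7 - - [22/Mar/2017:00:06:10 +0100] "GET /?disp=posts HTTP/1.1" 200 5120
"""

# Apache "common" log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed signature list: the probe shapes visible in this thread.
SQLI_RE = re.compile(
    r"\bUNION\s+ALL\s+SELECT\b|\bORDER\s+BY\s+\d+\b|\bCONCAT\s*\(",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one log line (None if it does not match the format).
    Query parameters are URL-decoded once, so %20UNION%20 becomes ' UNION '."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    query = urlsplit(rec["target"]).query
    rec["params"] = parse_qs(query, keep_blank_values=True)
    return rec


def scan_params(params):
    """List (parameter name, decoded value) pairs that match a probe signature."""
    return [(name, v) for name, values in params.items()
            for v in values if SQLI_RE.search(v)]


def analyse(log_text):
    """Per-IP statistics for requests that carried a probe signature."""
    per_ip = defaultdict(lambda: {"probes": 0, "errors": 0, "params": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = scan_params(rec["params"])
        if not hits:
            continue
        stats = per_ip[rec["ip"]]
        stats["probes"] += 1
        stats["params"].update(name for name, _ in hits)
        if rec["status"] >= 400:          # the server rejected or choked on it
            stats["errors"] += 1
    return dict(per_ip)


def block_candidates(log_text, threshold=3):
    """Addresses that sent at least `threshold` probe requests (assumed cut-off)."""
    return sorted(ip for ip, s in analyse(log_text).items()
                  if s["probes"] >= threshold)


if __name__ == "__main__":
    for ip, stats in analyse(SAMPLE_LOG).items():
        print(ip, stats["probes"], "probes,", stats["errors"],
              "errors, parameters:", sorted(stats["params"]))
    print("block candidates:", block_candidates(SAMPLE_LOG))
```

Running it on the sample reports three probes (all ending in 4xx/5xx) from 203.0.113.30 against the `disp` parameter and nothing for the second address, so only the first one is proposed for blocking. The same per-IP view is what makes a run like this easy to recognise: one address, one parameter, dozens of requests a second apart, every response an error.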

Mar 24, 2017 07:19

@zebulon the pattern they used is a bit weird, but it looks like an SQL injection attempt indeed. However, there are no current known security risks that would be exploited, and in general, b2evolution is securely developed to make this kind of action harmless. Just keep your sites updated and block the IP, which is the same in almost all cases, if this continues.

Mar 24, 2017 11:35

@mgsolipa wrote earlier:

@zebulon the pattern they used is a bit weird, but it looks like an SQL injection attempt indeed. However, there are no current known security risks that would be exploited, and in general, b2evolution is securely developed to make this kind of action harmless. Just keep your sites updated and block the IP, which is the same in almost all cases, if this continues.

@mgsolipa

Thank you. Yes I have blocked that IP. And I am at the latest stable release. :)

Mar 25, 2017 20:29

It doesn't look like a successful attack; nonetheless we will handle this case on a global level so that:

1) we prevent this attack from working in case it would ever work in some particular situation
2) it doesn't pollute your or anyone else's error log in case this is a bot that hits many sites
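The two points in that last post correspond to two defensive changes: never let the `disp` value reach SQL as anything but bound data, and never write an arbitrary request string into a fixed-width log column. The block below is an added illustration, not b2evolution's code: it uses an in-memory SQLite table whose CHECK constraint stands in for MySQL's strict-mode "Data too long" error (Errno 1406) seen in the error log above, validates `disp` against an allowlist before logging it, and records unknown values as a fixed marker with a flag instead of the raw probe. The allowlist, the column width `HIT_DISP_MAX`, the table columns and the function names are assumptions for the example.

```python
import sqlite3

# Assumed allowlist of display modes; b2evolution's real set is larger.
ALLOWED_DISP = {"posts", "single", "page", "msgform", "search", "arcdir"}
# Assumed width of hit_disp; the thread only shows that the probe exceeded it.
HIT_DISP_MAX = 30

# The decoded probe from the error log above, and its raw request URI.
PROBE = "-8017 UNION ALL SELECT 41,41,41,41,41,41,41,41,41#"
PROBE_URI = "/?disp=-8017%20UNION%20ALL%20SELECT%2041%2C41%2C41%2C41%2C41%2C41%2C41%2C41%2C41%23"


def open_hitlog():
    """In-memory stand-in for evo_hitlog. The CHECK plays the role of the
    MySQL strict-mode length error that filled the error log in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE evo_hitlog ("
        " hit_ID INTEGER PRIMARY KEY,"
        " hit_uri TEXT,"
        " hit_disp TEXT CHECK (length(hit_disp) <= %d),"
        " hit_remote_addr TEXT,"
        " hit_response_code INTEGER)" % HIT_DISP_MAX   # trusted constant, not input
    )
    return db


def normalise_disp(raw):
    """Map the request's disp parameter to what gets logged.
    Returns (value_to_store, is_suspicious)."""
    if not raw:
        return "", False
    if raw in ALLOWED_DISP:
        return raw, False
    # Unknown value: log a fixed marker and flag it, never the raw string.
    return "invalid", True


def record_hit(db, uri, disp_raw, remote_addr, status, validate=True):
    """Insert one hit with a parameterised query, so the probe is only data.
    validate=False writes the raw parameter, which is the behaviour that
    produced the 'Data too long' errors quoted in the thread."""
    disp, suspicious = normalise_disp(disp_raw) if validate else (disp_raw, False)
    db.execute(
        "INSERT INTO evo_hitlog (hit_uri, hit_disp, hit_remote_addr, hit_response_code)"
        " VALUES (?, ?, ?, ?)",
        (uri, disp, remote_addr, status),
    )
    db.commit()
    return suspicious


def logged_disp_values(db, remote_addr):
    rows = db.execute(
        "SELECT hit_disp FROM evo_hitlog WHERE hit_remote_addr = ? ORDER BY hit_ID",
        (remote_addr,),
    )
    return [r[0] for r in rows]


def demo():
    """Returns (raw_insert_failed, probe_flagged, normal_flagged, stored_values)."""
    db = open_hitlog()
    try:
        record_hit(db, PROBE_URI, PROBE, "203.0.113.30", 400, validate=False)
        raw_failed = False
    except sqlite3.IntegrityError:      # same failure mode as Errno 1406
        raw_failed = True
    flagged = record_hit(db, PROBE_URI, PROBE, "203.0.113.30", 400)
    normal = record_hit(db, "/?disp=posts", "posts", "198.51.100.7", 200)
    return raw_failed, flagged, normal, logged_disp_values(db, "203.0.113.30")


if __name__ == "__main__":
    print(demo())
```

Writing the raw value fails exactly as in the thread; after validation the same request is logged as `invalid` and flagged, the legitimate `posts` hit goes through unchanged, and nothing about the probe's SQL text matters because it only ever travels as a bound parameter.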



powered by b2evolution – This forum is powered by b2evolution CMS, a complete engine for your website.