vb.org Archive


JohnD5000 11-26-2013 04:45 PM

Possible login/spammer hack. Looking for preventative solutions. vBulletin 4.2.1 site
 
Over the last 2 weeks I have received 12 vBulletin database errors of the following type:

Database error in vBulletin 4.2.1:

Invalid SQL:
SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM user WHERE username = 'basket compens??es isabel marant';

MySQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='
Error Number : 1267
Request Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Error Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Script : http://www.empirisoft.com/support/login.php?do=login
Referrer : http://www.empirisoft.com/support/me...75-AryanDuncan
IP Address : 142.0.143.20
Username : Unregistered
Classname : vB_Database
MySQL Version :

Please note the funny text that someone is trying to use as a username. Also, all 12 errors originated from the same IP address.
I think this is an attempt by a spammer to hack a username on our site. Is there any solution/add-on to prevent this type of attack in the future?

Thanks in advance for any and all suggestions.

blackberry 11-26-2013 05:01 PM

Your table collations should be latin1_swedish_ci, please check your tables and update one by one.

JohnD5000 11-26-2013 06:16 PM

Please note that the correct collation for column username (latin1_swedish_ci,IMPLICIT) is being compared to the collation of the string provided by the user at login (utf8_general_ci,COERCIBLE) in a string that looks awfully suspicious:

'basket compens¨¦es isabel marant'

Is there a way to change the collation of the user provided string? I should have mentioned above that all 12 errors I received were generated from the same ip address. I'm guessing this is a hacker trying to hack a username. Again any suggestions for preventing this type of hack/spam are greatly appreciated.

Max Taxable 11-26-2013 06:29 PM

It's an autospam administrator trying to bypass your human verification with some adolescent script kiddie attempt. It's not a hacker or an exploit. You are being probed for an exploit.

JohnD5000 11-26-2013 06:42 PM

Ok. Can it be prevented? The fact that it generates database errors is throwing off our support system.

Max Taxable 11-26-2013 06:52 PM

I'm temporarily at a loss as to how to prevent. Blocking the IP address would only be a temporary "fix" since the persistence of the spammer is already demonstrated. You could ban the whole range, like putting 142.0* in your IP ban list. But like I said, IPs are easy to spoof anyway.

It might be helpful to see if the User Agent string being used is constant, and if it contains some unusual variable, for blocking purposes.

JohnD5000 11-26-2013 08:26 PM

I added the IP address to the banned list. The user string has a constant of "| within it (I think, because I am not sure the second character is a pipe).

Question: Does the banned ip address prevent login attempts?

Max Taxable 11-26-2013 08:52 PM

Quote:

Originally Posted by JohnD5000 (Post 2463926)
I added the IP address to the banned list. The user string has a constant of "| within it (I think, because I am not sure the second character is a pipe).

It would be helpful if you have it, to post the entire user agent string. Typical one looks like this:
198.204.237.210
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
It tells us the operating system, browser, some add-ons and toolbars, and all versions.

Quote:

Question: Does the banned ip address prevent login attempts?

From the banned IP it does. It blocks all access.

JohnD5000 11-26-2013 09:16 PM

Max,

All I have is what is listed in the error message and was sent to me via email notification (see below). Where would I find the rest of this info? Also, would an add-on like Spam-O-Matic Firewall help with these types of probes?

Database error in vBulletin 4.2.1:

Invalid SQL:
SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM user WHERE username = 'basket compens??es isabel marant';

MySQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='
Error Number : 1267
Request Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Error Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Script : http://www.empirisoft.com/support/login.php?do=login
Referrer : http://www.empirisoft.com/support/me...75-AryanDuncan
IP Address : 142.0.143.20
Username : Unregistered
Classname : vB_Database
MySQL Version :
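
An added example, not part of the thread and not vBulletin code: a small parser for error e-mails in the format posted above that counts collation errors (1267) raised by login.php per source IP, so repeated probes can be filtered out of a support queue or fed to an IP ban list. The function names, the threshold of 3 and the report from 203.0.113.7 are assumptions made for illustration.

```python
import re
from collections import Counter

# Labelled "Key : Value" lines taken from the e-mail layout shown in the thread.
FIELD = re.compile(
    r"^(MySQL Error|Error Number|Request Date|Script|IP Address)[ \t]*:[ \t]*(.*)$", re.M)
# The login lookup quoted under "Invalid SQL:" carries the attempted username.
LOGIN_NAME = re.compile(r"FROM user WHERE username = '(.*)';")

def parse_report(text):
    """Return the labelled fields of one error e-mail plus the attempted username."""
    rec = {key: value.strip() for key, value in FIELD.findall(text)}
    match = LOGIN_NAME.search(text)
    rec["Attempted Username"] = match.group(1) if match else None
    return rec

def login_probe_sources(reports, threshold=3):
    """Count error 1267 reports raised by login.php per IP; return IPs at or over threshold."""
    hits = Counter()
    for rec in map(parse_report, reports):
        if rec.get("Error Number") == "1267" and "login.php" in rec.get("Script", ""):
            hits[rec.get("IP Address", "unknown")] += 1
    return {ip: count for ip, count in hits.items() if count >= threshold}

# Constructed sample input: the report layout from the thread, filled in per sender.
TEMPLATE = """Database error in vBulletin 4.2.1:

Invalid SQL:
SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM user WHERE username = '{name}';

MySQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='
Error Number : 1267
Request Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Script : http://www.empirisoft.com/support/login.php?do=login
IP Address : {ip}
"""
SAMPLES = [TEMPLATE.format(name="basket compens??es isabel marant", ip="142.0.143.20")
           for _ in range(3)]
# One constructed report from a documentation-range address, below the threshold.
SAMPLES.append(TEMPLATE.format(name="constructed name", ip="203.0.113.7"))

if __name__ == "__main__":
    for ip, count in login_probe_sources(SAMPLES).items():
        print(f"{ip}: {count} login collation errors")
```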

steve3402000 11-26-2013 09:30 PM

Is it not amazing, you see these same questions on the home page for vbulletin, and you get crickets..... Here people actually help. It is a good thing

S

