#1
11-26-2013, 04:45 PM
JohnD5000
Join Date: Aug 2012
Posts: 18
Possible login/spammer hack. Looking for preventative solutions. vBulletin 4.2.1 site

Over the last 2 weeks I have received 12 vBulletin database errors of the following type:

Database error in vBulletin 4.2.1:

Invalid SQL:
SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM user WHERE username = 'basket compens??es isabel marant';

MySQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='
Error Number : 1267
Request Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Error Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Script : http://www.empirisoft.com/support/login.php?do=login
Referrer : http://www.empirisoft.com/support/me...75-AryanDuncan
IP Address : 142.0.143.20
Username : Unregistered
Classname : vB_Database
MySQL Version :

Please note the funny text that someone is trying to use as a username. Also, all 12 errors originated from the same IP address.
I think this is an attempt by a spammer to hack a username on our site. Is there any solution/add-on to prevent this type of attack in the future?

Thanks in advance for any and all suggestions.

#2
11-26-2013, 05:01 PM
blackberry
Join Date: Feb 2008
Posts: 382

Your table collations should be latin1_swedish_ci, please check your tables and update one by one.

#3
11-26-2013, 06:16 PM
JohnD5000
Join Date: Aug 2012
Posts: 18

Please note that the correct collation for column username (latin1_swedish_ci,IMPLICIT) is being compared to the collation of the string provided by the user at login (utf8_general_ci,COERCIBLE) in a string that looks awfully suspicious:

'basket compens¨¦es isabel marant'

Is there a way to change the collation of the user provided string? I should have mentioned above that all 12 errors I received were generated from the same ip address. I'm guessing this is a hacker trying to hack a username. Again any suggestions for preventing this type of hack/spam are greatly appreciated.

#4
11-26-2013, 06:29 PM
Max Taxable
Join Date: Feb 2011
Posts: 3,134

It's an autospam administrator trying to bypass your human verification with some adolescent script kiddie attempt. It's not a hacker or an exploit. You are being probed for an exploit.

#5
11-26-2013, 06:42 PM
JohnD5000
Join Date: Aug 2012
Posts: 18

Ok. Can it be prevented? The fact that it generates database errors is throwing off our support system.

#6
11-26-2013, 06:52 PM
Max Taxable
Join Date: Feb 2011
Posts: 3,134

I'm temporarily at a loss as to how to prevent. Blocking the IP address would only be a temporary "fix" since the persistence of the spammer is already demonstrated. You could ban the whole range, like putting 142.0* in your IP ban list. But like I said, IPs are easy to spoof anyway.

It might be helpful to see if the User Agent string being used is constant, and if it contains some unusual variable, for blocking purposes.

#7
11-26-2013, 08:26 PM
JohnD5000
Join Date: Aug 2012
Posts: 18

I added the IP address to the banned list. The user string has a constant of "| within it (I think, because I am not sure the second character is a pipe).

Question: Does the banned ip address prevent login attempts?

#8
11-26-2013, 08:52 PM
Max Taxable
Join Date: Feb 2011
Posts: 3,134

Quote:
Originally Posted by JohnD5000
I added the IP address to the banned list. The user string has a constant of "| within it (I think, because I am not sure the second character is a pipe).

It would be helpful, if you have it, to post the entire user agent string. A typical one looks like this:
198.204.237.210
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
It tells us the operating system, browser, some add-ons and toolbars, and all versions.

Quote:
Question: Does the banned ip address prevent login attempts?

From the banned IP it does. It blocks all access.

#9
11-26-2013, 09:16 PM
JohnD5000
Join Date: Aug 2012
Posts: 18

Max,

All I have is what is listed in the error message and was sent to me via email notification (see below). Where would I find the rest of this info? Also, would an add-on like Spam-O-Matic Firewall help with these types of probes?

Database error in vBulletin 4.2.1:

Invalid SQL:
SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM user WHERE username = 'basket compens??es isabel marant';

MySQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='
Error Number : 1267
Request Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Error Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Script : http://www.empirisoft.com/support/login.php?do=login
Referrer : http://www.empirisoft.com/support/me...75-AryanDuncan
IP Address : 142.0.143.20
Username : Unregistered
Classname : vB_Database
MySQL Version :

#10
11-26-2013, 09:30 PM
steve3402000
Join Date: Nov 2004
Location: Detoilet
Posts: 107

Is it not amazing, you see these same questions on the home page for vbulletin, and you get crickets..... Here people actually help. It is a good thing

S
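
Added example (not part of any post in this thread, and not vBulletin code): a Python script that tallies e-mailed vBulletin database error reports by source IP, counting only error 1267 raised by login.php, which is the pattern described in post #1. The report text, host name, and IP addresses are constructed placeholders; the field labels follow the report quoted in the thread, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the e-mail report format quoted in the thread.
# Host name and IP addresses are placeholders, not values from the thread.
REPORT = """Database error in vBulletin 4.2.1:

Invalid SQL:
SELECT userid, username, password, salt FROM user WHERE username = '{name}';

MySQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='
Error Number : {errno}
Script : http://forum.example/{script}
IP Address : {ip}
Username : Unregistered
"""
SPAM = "basket compens??es isabel marant"
SAMPLE = "".join(REPORT.format(name=n, errno=e, script=s, ip=ip) for n, e, s, ip in [
    (SPAM, 1267, "login.php?do=login", "203.0.113.20"),
    (SPAM, 1267, "login.php?do=login", "203.0.113.20"),
    (SPAM, 1267, "login.php?do=login", "203.0.113.20"),
    ("caf??", 1267, "login.php?do=login", "198.51.100.7"),
    ("x", 1064, "search.php", "203.0.113.20"),
])

# "Label : value" lines; the label is letters and spaces only.
FIELD = re.compile(r"^([A-Za-z ]+?)[ \t]*:[ \t]*(.*)$", re.M)
LOGIN_NAME = re.compile(r"WHERE username = '(.*)';")

def parse_reports(text):
    """Split a mailbox dump into one dict of fields per error report."""
    reports = []
    for chunk in re.split(r"(?=^Database error in vBulletin)", text, flags=re.M):
        if not chunk.strip():
            continue
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        m = LOGIN_NAME.search(chunk)
        fields["login_name"] = m.group(1) if m else None
        reports.append(fields)
    return reports

def login_probe_ips(reports, threshold=2):
    """Count error 1267 (collation mix) raised by login.php, per source IP."""
    hits = Counter(r["IP Address"] for r in reports
                   if r.get("Error Number") == "1267"
                   and "login.php" in r.get("Script", "")
                   and r.get("IP Address"))
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in login_probe_ips(parse_reports(SAMPLE)).items():
        print(f"{ip}: {n} login lookups that hit collation error 1267")
```

The per-IP counts show whether the errors really come from a single source, as reported in post #1, before an address or range goes on the ban list.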