Welcome to Geeklog Friday, May 27 2022 @ 05:38 pm EDT

Geeklog Forums

Anonymous users posting comments



Status: offline

keystone430

Forum User
Chatty
Registered: 28/01/04
Posts: 68
They now have about 120 on one of my sites and are posting faster than I can delete. I have applied the patch and it is not working but my site is on 1.3.7. It is a custom version and I am nervous about upgrading it.

I have noticed the attacks are worse since I started posting here. Could be coincidence or they could monitor this forum.

Do you think it would help if I took the site off line for an hour or so? I hate to do it because we are a military support site and this is a big military holiday but I am at a loss for any other solutions right now.




Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
Quote by keystone430: I have applied the patch and it is not working but my site is on 1.3.7.

The patch for the missing speed limit will not work in 1.3.7, since speed limits are working differently in 1.3.7. But the check for the proper uid should work, I would hope.

bye, Dirk
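The two checks Dirk refers to (taking the comment's uid from the server side rather than from the form, and a speed limit between comments) are shown below as an added example. This is not Geeklog's comment.php or its patch; the uid values (1 = anonymous, 2 = Admin) follow the thread, while the 300-second limit, the function names and the sample request are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Geeklog's own code: a comment handler that takes the posting
// user's id from the server-side session only, never from the submitted form, and
// enforces a per-poster speed limit. uid 1 = anonymous and uid 2 = Admin as in the
// thread; the limit value and all function names are assumptions.

const COMMENT_SPEED_LIMIT = 300; // seconds between comments from one poster (assumed)

// Vulnerable pattern: trusts a uid field carried in the request body, so any client
// can file a comment under user #2 just by sending uid=2 with the form.
function commentUidFromRequest(array $post): int
{
    return (int) ($post['uid'] ?? 1);
}

// Hardened pattern: the uid is whatever the authenticated session says; a uid in
// the form body is ignored. No session at all means anonymous (uid 1).
function commentUidFromSession(array $session): int
{
    return isset($session['uid']) ? (int) $session['uid'] : 1;
}

// Speed limit keyed by poster: uid for logged-in users, client IP for anonymous ones.
// $lastPost maps key => unix timestamp of that poster's last accepted comment.
function speedLimitOk(array &$lastPost, string $key, int $now): bool
{
    if (isset($lastPost[$key]) && ($now - $lastPost[$key]) < COMMENT_SPEED_LIMIT) {
        return false;
    }
    $lastPost[$key] = $now;
    return true;
}

function handleComment(array $post, array $session, string $ip, bool $anonAllowed,
                       array &$lastPost, int $now): array
{
    $uid = commentUidFromSession($session); // never commentUidFromRequest($post)
    if ($uid === 1 && !$anonAllowed) {
        return ['accepted' => false, 'reason' => 'anonymous posting disabled'];
    }
    $key = ($uid === 1) ? 'ip:' . $ip : 'uid:' . $uid;
    if (!speedLimitOk($lastPost, $key, $now)) {
        return ['accepted' => false, 'reason' => 'speed limit'];
    }
    return ['accepted' => true, 'uid' => $uid, 'comment' => (string) ($post['comment'] ?? '')];
}

// Constructed demo input: a forged request that claims to be user #2 without any login.
$lastPost = [];
$forged   = ['uid' => 2, 'comment' => 'spam'];

// The vulnerable path simply believes the form's uid field.
echo "request uid: ", commentUidFromRequest($forged), "\n";

// No session and anonymous posting disabled: the hardened handler rejects the post.
print_r(handleComment($forged, [], '203.0.113.5', false, $lastPost, 1000000));

// A real session for uid 7: the comment is filed under 7, the forged uid=2 is ignored.
print_r(handleComment($forged, ['uid' => 7], '203.0.113.5', false, $lastPost, 1000000));

// Ten seconds later from the same session: the speed limit rejects it.
print_r(handleComment($forged, ['uid' => 7], '203.0.113.5', false, $lastPost, 1000010));
```

The design point is that the form body is attacker-controlled, so the only trustworthy source of the poster's identity is the session record the server created at login; a speed limit on top of that bounds the damage an authenticated but abused account can do per minute.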

Status: offline

krove

Forum User
Junior
Registered: 06/05/02
Posts: 30
I just deleted the better part of 80+ spam comments on Team MacNN. Although I am still running a version of GL 1.3.8, I have disabled comment posting altogether and upped the time limit to 5 minutes. I was hoping 1.3.9 would have a fix to which I could upgrade.



Hopefully, soon.

Status: offline

keystone430

Forum User
Chatty
Registered: 28/01/04
Posts: 68
Patch does not work at all for 1.3.7. I have it installed and they are posting at the rate of 3 sets of comments per minute. I have already deleted over 500.

Status: offline

n4th4n

Forum User
Chatty
Registered: 21/07/03
Posts: 47
Location: NY, USA
I have changed several things so I'm not sure which has been the effective measure, but I have had no spam posts since last night.
Here's what I have done so far:
[when still on 1.3.8sr2]
a) Deleted a suspicious new user (the last one) - was still getting the posts.
b) Disabled anonymous posting - no help

[drastic measures]
1. Disabled the site which refreshed visitors to a static index.html page
2. After about 6 hours of time (spent drinking beer and barbecuing) I finally got around to upgrading. Backed up the entire site, and dumped the SQL. Deleted the entire site and uploaded 1.3.9 files. Reconfigured the config.php and lib-common.php files.
3. Disabled anonymous posting in config.php
4. Uploaded the new comment.php "fix"
As I said, so far, so good.

Status: offline

keystone430

Forum User
Chatty
Registered: 28/01/04
Posts: 68
I have disabled the site and will wait for an hour or so to try it again.

Status: offline

keystone430

Forum User
Chatty
Registered: 28/01/04
Posts: 68
If it is using the User 2 ID what about creating a new admin user and disabling the old one? Would that stop it?
I had the site down for an hour and it looks like they were still posting comments while it was down. Here is my stats list:

Stories(Comments)- in the System 257 (38866)

I know we are busy but 38000 comments is a bit much.
The patch has also caused all my articles to show 179 comments but none show up on the stories.

Status: offline

keystone430

Forum User
Chatty
Registered: 28/01/04
Posts: 68
It seems to be working now. Thanks Dirk. I am now helping all those on our sports network install the patch.

Status: offline

ascott

Forum User
Junior
Registered: 05/06/03
Posts: 27
Hey guys, I have a site that is seeing this.

I actually have four sites running geeklog right now with four different versions of geeklog:
1.3.8-1, 1.3.8-sr2, 1.3.8-sr3, and 1.3.9. Only the 1.3.8-1 is seeing this behaviour.

It started last week with 3 posts over two days. I deleted those from the db yesterday once my client informed me of them and checked to make sure anonymous posting was off, it was. Then just last night I got over one hundred, each about a minute or two apart and most from different host IP addresses.

I deleted these and applied the comment.php patch for 1.3.8 and no new ones yet.

Right now I'm running nmap on each host IP to determine if it is a virus or script that is taking advantage of this exploit. It seems that predominantly, so far, the majority of the boxes are Windows servers that look to be wide open and already set up for script-kiddy relaying. However, I'm also seeing weird results like a Sharp Zaurus fingerprint result. I know nmap is sometimes kind of shaky, but if that result is correct then my guess is that it is a script-kiddy attack (thinking some leet punk walking around the city hopping from wireless access points), and there may be a version of the exploit strapped onto an MS viral hack.

I wish I knew what they were doing to post anonymously, it seems to be scriptable. Do you think it might have something to do with the UID hack from 2003? http://seclists.org/lists/fulldisclosure/2003/Oct/1147.html
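The pattern ascott describes (one comment every minute or two, filed under the same uid but arriving from many different host addresses) can be flagged from the comment records themselves. The script below is an added example, not code from the thread or from Geeklog: it groups comments by uid, slides a time window over them and reports any span with more comments than a threshold that also came from several distinct addresses. The thresholds, the field names and the sample rows are all constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from Geeklog: find a burst of comments from
// one uid that arrives from many distinct client addresses. Thresholds, field names
// and the sample rows below are constructed assumptions.

const WINDOW_SECONDS   = 600; // examine any 10-minute span
const MAX_PER_WINDOW   = 5;   // more than this from one uid in a span counts as a burst
const MIN_DISTINCT_IPS = 3;   // a burst spread over this many addresses is unlikely to be one person

/**
 * @param array<int, array{ts:int, uid:int, ip:string}> $rows comment records
 * @return array<int, array{uid:int, count:int, ips:int, from:int, to:int}> one finding per uid
 */
function findBursts(array $rows): array
{
    usort($rows, fn(array $a, array $b): int => $a['ts'] <=> $b['ts']);
    $byUid = [];
    foreach ($rows as $r) {
        $byUid[$r['uid']][] = $r;
    }

    $findings = [];
    foreach ($byUid as $uid => $list) {
        $n = count($list);
        $start = 0;
        for ($end = 0; $end < $n; $end++) {
            // advance the window start until the span is at most WINDOW_SECONDS wide
            while ($list[$end]['ts'] - $list[$start]['ts'] > WINDOW_SECONDS) {
                $start++;
            }
            $count = $end - $start + 1;
            if ($count <= MAX_PER_WINDOW) {
                continue;
            }
            $ips = [];
            for ($i = $start; $i <= $end; $i++) {
                $ips[$list[$i]['ip']] = true;
            }
            if (count($ips) < MIN_DISTINCT_IPS) {
                continue;
            }
            // keep the largest burst seen for this uid
            if (!isset($findings[$uid]) || $count > $findings[$uid]['count']) {
                $findings[$uid] = [
                    'uid'   => $uid,
                    'count' => $count,
                    'ips'   => count($ips),
                    'from'  => $list[$start]['ts'],
                    'to'    => $list[$end]['ts'],
                ];
            }
        }
    }
    return array_values($findings);
}

// Constructed sample: eight comments filed under uid 2 about 90 s apart from six
// different addresses in the documentation ranges, plus two ordinary comments from uid 5.
$base    = 1085400000;
$spamIps = ['203.0.113.10', '203.0.113.22', '198.51.100.7',
            '203.0.113.31', '198.51.100.40', '203.0.113.55'];
$rows = [];
for ($i = 0; $i < 8; $i++) {
    $rows[] = ['ts' => $base + 90 * $i, 'uid' => 2, 'ip' => $spamIps[$i % count($spamIps)]];
}
$rows[] = ['ts' => $base + 100,  'uid' => 5, 'ip' => '192.0.2.9'];
$rows[] = ['ts' => $base + 5000, 'uid' => 5, 'ip' => '192.0.2.9'];

foreach (findBursts($rows) as $f) {
    printf("uid %d: %d comments from %d addresses between %s and %s\n",
        $f['uid'], $f['count'], $f['ips'], date('c', $f['from']), date('c', $f['to']));
}
```

In a real deployment the rows would come from the comments table joined with whatever request log records the client address; the uid-only burst from uid 5 is deliberately below threshold so the script reports only the multi-address burst under uid 2, which is the signal worth an alert.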

Status: offline

Marites

Forum User
Chatty
Registered: 04/02/04
Posts: 64
Dirk thinks there are two exploitations using the same hole if that is the right word. As far as our exploitation goes all POSTS are being made using uid 2 but others it seems it is a (bad) registered user.

We have had limited success with the patch: nothing on the site running the highest version of 1.3.8, but the other 3 sites share an installation with 1.3.9 and they are still being hit, albeit at a slower rate than the previous two days. A total of 6 postings.

Whether these 'hits' are made direct or with a bit of code I don't know - whatever it is we have to find a total resolve soon as we run family sites and sites visited by NGO's and they have not taken lightly to the porn messages.

Tess

Status: offline

keystone430

Forum User
Chatty
Registered: 28/01/04
Posts: 68
It still seems to me that if it is using the same User ID for the attacks then you should be able to create a new user with admin/root access and disable the original one or delete it. If the attacker can't find the user then it can't access, correct?

Status: offline

Marites

Forum User
Chatty
Registered: 04/02/04
Posts: 64
Quote by keystone430: It still seems to me that if it is using the same User ID for the attacks then you should be able to create a new user with admin/root access and disable the original one or delete it. If the attacker can't find the user then it can't access, correct?


Certainly in theory that seems a sensible solution although before jumping I must find out if uid 2 is significant and altering Admin to another uid will work without problems. It could be the script/s look for Admin as 2.

If I were to delete Admin uid 2 all stories posted by Admin (4500 plus) on one site would become orphaned.

Dirk what do you suggest.

Marites

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
The patch should actually protect against spoofing the uid for comment posts. So if you're still seeing posts by user #2, it may be because they are really logged in as that user.

In which case the obvious things to do would be to change the password for that account and drop its session from the gl_sessions table. This would force them to log in again which, hopefully, they can't do without the new password.

If you haven't already done so, it may also be a good idea to "downgrade" that user to a normal user without any admin privileges (at least for the time being).

bye, Dirk

Status: offline

Marites

Forum User
Chatty
Registered: 04/02/04
Posts: 64
Dirk

Since the problem we have been changing all users with Admin access on a daily basis. Additionally our PHP programmers have today added various lines of code to expand on the data given in the logs.

We will also take your advice to downgrade the actual Admin user to an ordinary user.

If anything untoward happens in coming weeks I will keep the group informed.

Thanks for everyone's help and advice, it is appreciated.

Regards

Marites


Quote by Dirk: The patch should actually protect against spoofing the uid for comment posts. So if you're still seeing posts by user #2, it may be because they are really logged in as that user.

In which case the obvious things to do would be to change the password for that account and drop its session from the gl_sessions table. This would force them to log in again which, hopefully, they can't do without the new password.

If you haven't already done so, it may also be a good idea to "downgrade" that user to a normal user without any admin privileges (at least for the time being).

bye, Dirk
