
[SECURITY] Thousands (+250k) of requests in my daily log file for some kind of SQL injection?

fmimoso
edited July 2008 in Vanilla 1.0 Help
I was notified by my hosting provider by email (CPanel automated) that my disk space was over the limit.
I thought it was strange but I had a look. The culprit was in the tmp directory: this month's log file.

This month, 7 days only, my bandwidth usage is six times the previous month (the whole month)...!
There were no real traffic peaks, so I took a look at the daily log file.

My log file is filled with requests like these:

189.100.211.103 - - [07/Jul/2008:20:16:09 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+' HTTP/1.1" 200 18400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:11 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri+' HTTP/1.1" 200 18127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:12 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri+'/'+uri%20+' HTTP/1.1" 200 18274 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:13 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+' HTTP/1.1" 200 18421 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:14 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri+' HTTP/1.1" 200 18400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:15 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri+'/'+uri+' HTTP/1.1" 200 18253 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:16 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri+'/'+uri+'/'+uri%20+' HTTP/1.1" 200 18400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:17 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri+'/'+uri+'/'+uri+' HTTP/1.1" 200 18379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:18 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+' HTTP/1.1" 200 17728 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:19 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+' HTTP/1.1" 200 17875 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:20 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+' HTTP/1.1" 200 18022 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:21 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+'/'+uri%20+' HTTP/1.1" 200 18169 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:22 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+' HTTP/1.1" 200 18316 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:23 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+' HTTP/1.1" 200 18463 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:24 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+' HTTP/1.1" 200 18442 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:26 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+' HTTP/1.1" 200 18295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:29 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+' HTTP/1.1" 200 18442 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:30 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri+' HTTP/1.1" 200 18421 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:32 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+'/'+uri+' HTTP/1.1" 200 18148 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:33 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri%20+'/'+uri+'/'+uri+'/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+' HTTP/1.1" 200 18295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

I've processed maybe 1/10 of today's daily log file and found some +25000 requests similar to this from several IPs, but one unique IP at a time for the same discussion, for about 3 hours, at the rate of 1 request per second. A bot. No wonder the 60GB...

I could block the IP but the problem is that the IPs are different each time I get "bombed". The IP address is always 189.*.*.* - Brazil. I could block the whole country, but it accounts for more than 20% of my valid and real traffic.

I guess there's no "real" security problem with it, but it's draining resources. I also don't think this attack is targeted at Vanilla, but you never know...

What can I do?

Thanks in advance for all replies!
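A way to put numbers on what the log shows, as an added example that is not part of the original post: a small Python scanner for Apache combined-format access logs that groups requests by client IP, measures request rate and bytes served, and flags clients whose paths are mostly JavaScript string-concatenation residue like '+uri%20+'. The log lines embedded in it are constructed after the ones above (paths shortened, plus two benign requests from an invented client 10.0.0.5); the thresholds in find_floods are assumptions to tune against a real day's log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in Apache combined format, modelled on the lines in the
# post (paths shortened) plus two benign requests from an invented client.
SAMPLE_LOG = """\
189.100.211.103 - - [07/Jul/2008:20:16:09 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri+' HTTP/1.1" 200 18400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.5 - - [07/Jul/2008:20:16:10 +0100] "GET /discussion/1049/ HTTP/1.1" 200 17500 "-" "Mozilla/5.0"
189.100.211.103 - - [07/Jul/2008:20:16:11 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri%20+' HTTP/1.1" 200 18127 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:12 +0100] "GET /discussion/1049/'+uri%20+'/'+uri%20+'/'+uri+'/'+uri+' HTTP/1.1" 200 18274 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.5 - - [07/Jul/2008:20:16:13 +0100] "GET /categories/ HTTP/1.1" 200 9100 "http://example.invalid/discussion/1049/" "Mozilla/5.0"
189.100.211.103 - - [07/Jul/2008:20:16:13 +0100] "GET /discussion/1049/'+uri%20+'/'+uri+' HTTP/1.1" 200 18421 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:14 +0100] "GET /discussion/1049/'+uri%20+'/'+uri+'/'+uri%20+' HTTP/1.1" 200 18400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.100.211.103 - - [07/Jul/2008:20:16:15 +0100] "GET /discussion/1049/'+uri%20+'/'+uri+'/'+uri+' HTTP/1.1" 200 18253 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# One Apache/NCSA combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# JavaScript string-concatenation residue inside a URL path, e.g. '+uri +'
# or "+foo+": quote, plus, identifier, plus, quote, with optional spaces.
# Legitimate Vanilla URLs never contain this.
JS_RESIDUE_RE = re.compile(r"['\"]\s*\+\s*\w+\s*\+\s*['\"]")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def looks_like_js_residue(path):
    """True if the (percent-decoded) path carries a leaked JS fragment."""
    return JS_RESIDUE_RE.search(unquote(path)) is not None


def summarize_by_ip(log_text):
    """Per-client request count, bytes, time span, request rate and residue share."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        residue = sum(1 for r in recs if looks_like_js_residue(r["path"]))
        summary[ip] = {
            "requests": len(recs),
            "bytes": sum(r["bytes"] for r in recs),
            "span_seconds": span,
            "rate_per_second": len(recs) / max(span, 1.0),
            "residue_fraction": residue / len(recs),
            "top_paths": Counter(r["decoded_path"] for r in recs).most_common(3),
        }
    return summary


def find_floods(log_text, min_requests=5, min_rate=0.5, min_residue=0.5):
    """Clients that both hammer the site and send mostly residue paths.
    The thresholds are assumptions; tune them against a real day's log."""
    return {
        ip: s
        for ip, s in summarize_by_ip(log_text).items()
        if s["requests"] >= min_requests
        and s["rate_per_second"] >= min_rate
        and s["residue_fraction"] >= min_residue
    }


if __name__ == "__main__":
    for ip, s in find_floods(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests,", s["bytes"], "bytes,",
              round(s["rate_per_second"], 2), "req/s")
```

The residue pattern is distinctive enough that the same regular expression can drive a web-server rule answering such paths with a 403 before Vanilla renders the roughly 18 KB discussion page, which is where the bandwidth goes; the flood then costs a few hundred bytes per request instead of a full page, whatever IP it comes from.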

Comments

  • My host set me up so that if people try to ping bomb, it locks them. Contact yours, they're normally nice.
  • edited July 2008
    I agree--check with your host about what they can do--it would be more effective and reliable than a custom-made blocking script.

    edit: This looks like lazy bot-writing, but it'd still be a good idea to check the rest of the logs in case this junk exists to hide the real attack.
  • I had this one, my blog pissed some people off so they ping bombed me. My host sorted it all out.
  • Well, here's a twisted outcome...

    I took a close look at my source files, and I think I found out how this is being done.

    One ad platform that I use provided me with these javascript snippets:

    <a href="http://adplatform.com/click?p=64736&a=1523375&g=17169078" target="_blank">Text Ad</a>
    <script type="text/javascript">
    var uri = 'http://adplatform.com/imp?type(inv)g(17169078)a(1523375)' + new String (Math.random()).substring (2, 11);
    document.write('<img src="'+uri +'">');
    </script>
    <script type="text/javascript">
    var uri = 'http://adplatform.com/imp?type(js)g(17357174)a(1523375)' + new String (Math.random()).substring (2, 11);
    document.write('<sc'+'ript type="text/javascript" src="'+uri+'" charset="ISO-8859-1"></sc'+'ript>');
    </script>

    I'm no javascript expert but is that my "+uri%20+" and "+uri+" that I see on line 4 and on line 8?
    Could anyone who's javascript wise confirm that the problem lies there?
    Without asking too much, how could this code do that?

    Thanks to those who replied so far, and to those who can answer my question.
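A model of the "lazy bot" explanation raised in this thread, added here as an illustration; it is not code from the original post nor from any identified crawler, and nobody in the thread confirmed what actually produced the requests. The hypothesis it encodes is this: a crawler that pulls src= and href= values out of the raw HTML with a regular expression, without executing or even skipping the script blocks, sees the literal '+uri +' and '+uri+' fragments from the two document.write calls as two relative links, and joins each onto the URL it is currently on. Because Vanilla answers /discussion/1049/<anything> with the same discussion page (the 200s in the log), every fetched page yields the same two bogus links again, and a depth-first walk produces ever-longer '+uri%20+' paths in the same order the log shows. The ad snippet is copied from the post; the extractor, the join rule and the depth limit are assumptions.

```python
import re
from urllib.parse import quote

# The ad-platform snippet from the post, as the raw text a crawler would fetch.
AD_SNIPPET = (
    '<a href="http://adplatform.com/click?p=64736&a=1523375&g=17169078" target="_blank">Text Ad</a>\n'
    '<script type="text/javascript">\n'
    "var uri = 'http://adplatform.com/imp?type(inv)g(17169078)a(1523375)' + new String (Math.random()).substring (2, 11);\n"
    "document.write('<img src=\"'+uri +'\">');\n"
    "</script>\n"
    '<script type="text/javascript">\n'
    "var uri = 'http://adplatform.com/imp?type(js)g(17357174)a(1523375)' + new String (Math.random()).substring (2, 11);\n"
    "document.write('<sc'+'ript type=\"text/javascript\" src=\"'+uri+'\" charset=\"ISO-8859-1\"></sc'+'ript>');\n"
    "</script>\n"
)

# Assumed extractor: a regex over the raw text, blind to <script> boundaries,
# so JavaScript string fragments inside src="..." count as links.
ATTR_RE = re.compile(r'\b(?:src|href)="([^"]*)"')

# Shape of every request path in the posted log: /discussion/1049 followed by
# zero or more "/'+uri+'" or "/'+uri%20+'" segments.
LOG_SHAPE_RE = re.compile(r"^/discussion/1049(?:/'\+uri(?:%20)?\+')*$")


def naive_links(html):
    """Attribute values exactly as they appear in the raw page text."""
    return ATTR_RE.findall(html)


def lazy_join(current_path, link):
    """Assumed buggy resolver: any non-absolute link becomes a child of the
    current URL. Proper relative resolution would replace the last path
    segment and the path would not grow. Returns None for off-site links,
    since the bot in the log never left /discussion/1049/."""
    if link.startswith(("http://", "https://")):
        return None
    return current_path.rstrip("/") + "/" + quote(link, safe="/'+")


def crawl(start_path, page_html, max_depth):
    """Depth-first walk. The page text is identical at every depth because
    Vanilla serves /discussion/1049/<anything> as discussion 1049, so each
    fetch yields the same two bogus links. Returns paths in fetch order."""
    order = []

    def visit(path, depth):
        order.append(path)
        if depth >= max_depth:
            return
        for link in naive_links(page_html):
            child = lazy_join(path, link)
            if child is not None:
                visit(child, depth + 1)

    visit(start_path, 0)
    return order


def all_match_log_shape(paths):
    """Check that every generated path has the shape seen in the log."""
    return all(LOG_SHAPE_RE.match(p) for p in paths)


if __name__ == "__main__":
    for p in crawl("/discussion/1049", AD_SNIPPET, 3):
        print(p)
```

With two bogus links per page the walk doubles at every level, so a depth limit of 20 (the longest paths in the log have about that many segments) gives on the order of two million fetches per starting discussion, which fits the 250k-plus requests per day at one request per second far better than a deliberate attack would.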
  • Off topic (sorry): document.write is invalid in an XHTML document, is bad practice and is a major security issue (I know, major web actors use it).