Prevent script use at registration form

volkerjacob · December 9, 2015, 1:57pm

Hello Gent’s

today our site has a hick-up because of some weird registrations. Looks like that a script at registrations forms used to enable some pop-ups.

I found only that at my sql pilot’s table:

(70, ‘Sssssssssss’, ‘Sssssssssss’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘4617ed0edf894edeb9d7ff2f6c7edd0e’, ‘e3630f431c969216bbe88b95074179f5’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 20:19:54’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(71, ‘<script>console.log(’‘ok’‘)’, ‘<script>console.log(’‘ok’‘)’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘41bbc4bab0416ee6ec86a6e51c196eeb’, ‘b4029acfb5f5e9d27953d64dff3cf5ba’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:20:07’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(72, ‘<script>alert(’‘beepboopal’, ‘<script>alert(’‘beepboopal’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘0cd432ec5402bc396701dfe8939dfa3e’, ‘bfbdf3832283a34bae86744b0c3ae159’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:21:08’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(73, ‘<scirpt>alert(’‘k’‘)</scrip’, ‘Asdf’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘b5c7c2fcba9672a7fbbdced95f2282f3’, ‘8289b517eec6d7a7f6a6e9c2a5191e2f’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:22:34’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(74, ‘<script>alert()</script>o’, ‘<script>alert()</script>o’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘0757f4128f3cbc8a832222654e7794b8’, ‘53f0aa03e734d094d8cc0b84ca7f27e3’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:24:04’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(75, ‘<script>alert(’‘AHHHHHHHHH’, ‘<script>alert(’‘AHHHHHHHHH’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘ce32c9c0f426b7b5580ffe9e4a0ff505’, ‘0e80477df44433a6c3b80044fefe8988’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:25:39’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(76, ‘<iframe></iframe>’, ‘<iframe></iframe>’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘b610c758596c21ce0fe64dabe9f6ebb7’, ‘fb0bcdff3ffee9d08b2d888e66249688’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 2, ‘2015-12-08 21:27:23’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, ‘’),

(77, ‘<br><br><br><br><br><br><’, ‘<br><br><br><br><br><br><’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘04742d3bbe06c2f30b49bb1aa2610bce’, ‘7d879052c08b7956ef73fdad212b3f49’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:30:19’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(78, ‘<style>*{color:red}</styl’, ‘<style>*{color:red}</styl’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘7cc8ae7c7d20c45809d4c18aab88bd0f’, ‘f0b7ebbba8075c3cc486b76a0033cf3e’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:31:37’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(79, ‘<script>alert(’‘catcool’, ‘’‘)</script>’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘faa61b2ac0cd8d9df2c9cfc7d3c70b1d’, ‘e482abdb0721caa6b5fea14f4dbba164’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:32:52’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(80, ‘<p Style="font-size:’, ‘5000000000%">HH</p>’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘4a6f568928930435cc9ba0616088d54a’, ‘5bee60f0e9694683dc46a58bd86a7df9’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:35:09’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(81, ‘<script>document.wri’, ‘Te(’‘bat’‘)</script>’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘e4ba28bca95cd5d00132232dbe2204cf’, ‘dafb43e1bb389b17d482186a93cb20ac’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:37:03’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(82, ‘<script>document.’, ‘Write(’‘69’‘)</script>’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘6023717de71926392f551205b5b779f4’, ‘ed5339c39105d626c57b7c943b798917’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:39:11’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(83, ‘<script>document’, ‘.write(’‘7’‘)</script>’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘a76c24d6178bac9333868e86206aad6e’, ‘c693f9c8ce0efc53c6d1d8d0e8846ebc’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:40:09’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(84, ‘<style>*{font-size:’, ‘5000000000%}</style>’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘2c6e8a9d72daffb6200831301d39a59e’, ‘fa2db50b99b1a727a543c2b673fac0c7’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:42:50’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL),

(85, ‘<script>alert(’‘BOO’, ‘OOOOOOOOO’‘)</script>’, ‘[email protected]’, ‘OWA’, ‘AF’, ‘KDFW’, ‘c5aa5445138e3f2a764db1b0fb7c8f05’, ‘434b209a80da49e4acdd47478c1d5cd0’, ‘’, ‘0000-00-00’, 0, 0, 0, 0, 0, 1, ‘New Hire’, 1, 0, 0, ‘2015-12-08 21:44:51’, ‘0000-00-00 00:00:00’, ‘142.232.52.119’, NULL);

–

looks like that no other files were affected.

I disabled registration for the moment until a solution is found. - Any ideas?

Sorry for bad english . . .

Volker

servetas · December 9, 2015, 3:04pm

What is your website url? Does your registration form includes captcha?

volkerjacob · December 9, 2015, 3:49pm

www.vonewa.org/vAMS - captcha is in use . . . .

servetas · December 9, 2015, 3:53pm

Have you checked if it is working too? I mean, does it blocks you from registering until you fill in the captcha form correctly?

Parkho · December 9, 2015, 4:19pm

Looks like the recaptcha has been bypassed by the script somehow.Security layers would be a good solution but only if you have the knowledge to apply it.

volkerjacob · December 9, 2015, 5:07pm

Have you checked if it is working too? I mean, does it blocks you from registering until you fill in the captcha form correctly?

Yes - it#s working fine . . . .

magicflyer · December 10, 2015, 2:54am

Nothing wrong with your registration system from what I can see. Someone just tried to inject some code in some of the fields, it’s a very amateur hacking technique. Just block that IP and it shouldn’t really happen again, without a VPS at least. Based on the time-stamps, he wasn’t using a bot to do this so I doubt he’s talented to really put your data in vulnerability.

His IP is: 142.232.52.119

volkerjacob · December 10, 2015, 9:00am

IP at BlackList now!

General IP Information

IP: 142.232.52.119

Decimal: 2397582455

Hostname: ip-142-232-52-119.ptr.bcit.ca

ASN: 4476

ISP: British Columbia Institute of Technology

Organization: British Columbia Institute of Technology

Services: None detected

Type: Corporate

Assignment: Static IP

volkerjacob · December 10, 2015, 5:26pm

may i need to allow only needed characters at registration form