
Prevent script use at registration form


volkerjacob


Hello Gents,

Today our site had a hiccup because of some weird registrations. It looks like a script was used at the registration form to enable some pop-ups.

I found only this in my SQL pilots table:

(70, 'Sssssssssss', 'Sssssssssss', 'sssssssssss@sssssssssss.sssssssssss', 'OWA', 'AF', 'KDFW', '4617ed0edf894edeb9d7ff2f6c7edd0e', 'e3630f431c969216bbe88b95074179f5', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 20:19:54', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(71, '<script>console.log(''ok'')', '<script>console.log(''ok'')', 'asdkfsad@asgasd.com', 'OWA', 'AF', 'KDFW', '41bbc4bab0416ee6ec86a6e51c196eeb', 'b4029acfb5f5e9d27953d64dff3cf5ba', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:20:07', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(72, '<script>alert(''beepboopal', '<script>alert(''beepboopal', 'adsfads@adsfads.ca', 'OWA', 'AF', 'KDFW', '0cd432ec5402bc396701dfe8939dfa3e', 'bfbdf3832283a34bae86744b0c3ae159', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:21:08', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(73, '<scirpt>alert(''k'')</scrip', 'Asdf', 'adsfsa@asdfasd.com', 'OWA', 'AF', 'KDFW', 'b5c7c2fcba9672a7fbbdced95f2282f3', '8289b517eec6d7a7f6a6e9c2a5191e2f', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:22:34', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(74, '<script>alert()</script>o', '<script>alert()</script>o', 'booglyboo@goooa.caasf', 'OWA', 'AF', 'KDFW', '0757f4128f3cbc8a832222654e7794b8', '53f0aa03e734d094d8cc0b84ca7f27e3', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:24:04', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(75, '<script>alert(''AHHHHHHHHH', '<script>alert(''AHHHHHHHHH', 'OK@OK.OK', 'OWA', 'AF', 'KDFW', 'ce32c9c0f426b7b5580ffe9e4a0ff505', '0e80477df44433a6c3b80044fefe8988', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:25:39', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(76, '<iframe></iframe>', '<iframe></iframe>', 'iamaframe@u.com', 'OWA', 'AF', 'KDFW', 'b610c758596c21ce0fe64dabe9f6ebb7', 'fb0bcdff3ffee9d08b2d888e66249688', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 2, '2015-12-08 21:27:23', '0000-00-00 00:00:00', '142.232.52.119', ''),
(77, '<br><br><br><br><br><br><', '<br><br><br><br><br><br><', 'boooo@goooo.coooo', 'OWA', 'AF', 'KDFW', '04742d3bbe06c2f30b49bb1aa2610bce', '7d879052c08b7956ef73fdad212b3f49', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:30:19', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(78, '<style>*{color:red}</styl', '<style>*{color:red}</styl', 'pleaseasease@gmaomfas.com', 'OWA', 'AF', 'KDFW', '7cc8ae7c7d20c45809d4c18aab88bd0f', 'f0b7ebbba8075c3cc486b76a0033cf3e', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:31:37', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(79, '<script>alert(''catcool', ''')</script>', 'multiliveradsf@gom.da', 'OWA', 'AF', 'KDFW', 'faa61b2ac0cd8d9df2c9cfc7d3c70b1d', 'e482abdb0721caa6b5fea14f4dbba164', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:32:52', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(80, '<p Style="font-size:', '5000000000%">HH</p>', 'asdga@goo.coo', 'OWA', 'AF', 'KDFW', '4a6f568928930435cc9ba0616088d54a', '5bee60f0e9694683dc46a58bd86a7df9', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:35:09', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(81, '<script>document.wri', 'Te(''bat'')</script>', 'adsfasd@adsfasdf.c', 'OWA', 'AF', 'KDFW', 'e4ba28bca95cd5d00132232dbe2204cf', 'dafb43e1bb389b17d482186a93cb20ac', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:37:03', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(82, '<script>document.', 'Write(''69'')</script>', 'password@password.password', 'OWA', 'AF', 'KDFW', '6023717de71926392f551205b5b779f4', 'ed5339c39105d626c57b7c943b798917', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:39:11', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(83, '<script>document', '.write(''7'')</script>', 'asdfsadpassword@password.c', 'OWA', 'AF', 'KDFW', 'a76c24d6178bac9333868e86206aad6e', 'c693f9c8ce0efc53c6d1d8d0e8846ebc', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:40:09', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(84, '<style>*{font-size:', '5000000000%}</style>', 'adsfasdf@adsf.c', 'OWA', 'AF', 'KDFW', '2c6e8a9d72daffb6200831301d39a59e', 'fa2db50b99b1a727a543c2b673fac0c7', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:42:50', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(85, '<script>alert(''BOO', 'OOOOOOOOO'')</script>', 'adsfads@adsfads.cadd', 'OWA', 'AF', 'KDFW', 'c5aa5445138e3f2a764db1b0fb7c8f05', '434b209a80da49e4acdd47478c1d5cd0', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:44:51', '0000-00-00 00:00:00', '142.232.52.119', NULL);

--

It looks like no other files were affected.

I have disabled registration for the moment until a solution is found. Any ideas?

Sorry for my bad English...

Volker


Nothing is wrong with your registration system from what I can see. Someone just tried to inject some code into some of the fields; it's a very amateur hacking technique. Just block that IP and it shouldn't really happen again, without a VPS at least. Based on the timestamps, he wasn't using a bot to do this, so I doubt he's talented enough to really put your data at risk.

His IP is: 142.232.52.119

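An added example, not code from the original thread or from Volker's site, that works through what the dumped rows in the first post mean and what actually stops them from doing damage, with the "block that IP" reply in mind. Two things are visible in the rows themselves: every overlong name is cut at exactly 25 characters (so the two name columns are 25 wide), and rows 79, 80 and 85 hold half of a tag in each column so that the pair becomes a complete element once the site prints "first last". Blocking one address removes this visitor; it does not change whether a stored name is printed as markup. HTML-encoding the names on output does, and an allowlist on the registration form keeps the junk out of the table in the first place. The sample rows are copied from the thread as constructed data, and the table and column names in the query string are assumptions, not the real schema.

```python
import html
import re

# Constructed sample, not a live query: (pilot id, first name, last name)
# taken from the rows quoted in the thread. Each column is cut at 25
# characters; rows 79, 80 and 85 carry half of a payload in each column.
SAMPLE_ROWS = [
    (70, "Sssssssssss", "Sssssssssss"),
    (71, "<script>console.log('ok')", "<script>console.log('ok')"),
    (72, "<script>alert('beepboopal", "<script>alert('beepboopal"),
    (73, "<scirpt>alert('k')</scrip", "Asdf"),
    (76, "<iframe></iframe>", "<iframe></iframe>"),
    (79, "<script>alert('catcool", "')</script>"),
    (80, '<p Style="font-size:', '5000000000%">HH</p>'),
    (85, "<script>alert('BOO", "OOOOOOOOO')</script>"),
]


def render_unsafe(first: str, last: str) -> str:
    """The vulnerable pattern: raw interpolation into a page, so whatever is
    stored in the table is parsed by the browser as markup. An unclosed
    <script> here swallows the rest of the page until the next </script>,
    which is one way a site 'hiccups' after such registrations."""
    return f"<td>{first} {last}</td>"


def render_safe(first: str, last: str) -> str:
    """The fix that works no matter what is already in the table: encode on
    output, so '<', '>', '&' and quotes become entities and are displayed
    as text instead of being parsed."""
    return f"<td>{html.escape(first)} {html.escape(last)}</td>"


# Input validation for the registration form, as defence in depth (it does
# not replace output encoding). Allowlist: a leading letter, then letters,
# apostrophe, space, dot or hyphen; at most 25 characters to fit the column.
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[' .-])*")


def is_valid_name(value: str, max_len: int = 25) -> bool:
    return 0 < len(value) <= max_len and NAME_RE.fullmatch(value) is not None


# Triage of what is already stored. The check runs on the joined display
# string because a column-by-column search for complete tags misses the
# rows whose payload is split across first and last name.
COMPLETE_ELEMENT = re.compile(r"<([a-zA-Z]+)[^>]*>.*?</\1\s*>", re.DOTALL)


def find_injected(rows):
    """Return {pilot_id: 'complete' | 'partial'} for rows containing markup.
    'complete' means the joined name already forms a closed element."""
    result = {}
    for pid, first, last in rows:
        joined = f"{first} {last}"
        if "<" not in joined and ">" not in joined:
            continue
        result[pid] = "complete" if COMPLETE_ELEMENT.search(joined) else "partial"
    return result


# Hypothetical MySQL query for the same triage against the live table.
# 'pilots', 'pilotid', 'firstname' and 'lastname' are assumed names; adjust
# them to the real schema before running it.
TRIAGE_SQL = (
    "SELECT pilotid, firstname, lastname FROM pilots "
    "WHERE CONCAT(firstname, ' ', lastname) REGEXP '<[a-zA-Z/]';"
)


if __name__ == "__main__":
    for pid, kind in sorted(find_injected(SAMPLE_ROWS).items()):
        first, last = next((f, l) for p, f, l in SAMPLE_ROWS if p == pid)
        print(pid, kind, "valid input:", is_valid_name(first) and is_valid_name(last))
        print("   unsafe:", render_unsafe(first, last))
        print("   safe:  ", render_safe(first, last))
```

Run it as-is to see which of the quoted rows become a closed element when the two names are printed together; the same distinction is why a regex that looks for whole `<script>...</script>` tags on a single field would have missed rows 79, 80 and 85.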
