volkerjacob Posted December 9, 2015
Hello gents, today our site has a hiccup because of some weird registrations. It looks like a script was used at the registration form to enable some pop-ups. I found only this in my SQL pilots table:

(70, 'Sssssssssss', 'Sssssssssss', 'sssssssssss@sssssssssss.sssssssssss', 'OWA', 'AF', 'KDFW', '4617ed0edf894edeb9d7ff2f6c7edd0e', 'e3630f431c969216bbe88b95074179f5', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 20:19:54', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(71, '<script>console.log(''ok'')', '<script>console.log(''ok'')', 'asdkfsad@asgasd.com', 'OWA', 'AF', 'KDFW', '41bbc4bab0416ee6ec86a6e51c196eeb', 'b4029acfb5f5e9d27953d64dff3cf5ba', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:20:07', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(72, '<script>alert(''beepboopal', '<script>alert(''beepboopal', 'adsfads@adsfads.ca', 'OWA', 'AF', 'KDFW', '0cd432ec5402bc396701dfe8939dfa3e', 'bfbdf3832283a34bae86744b0c3ae159', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:21:08', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(73, '<scirpt>alert(''k'')</scrip', 'Asdf', 'adsfsa@asdfasd.com', 'OWA', 'AF', 'KDFW', 'b5c7c2fcba9672a7fbbdced95f2282f3', '8289b517eec6d7a7f6a6e9c2a5191e2f', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:22:34', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(74, '<script>alert()</script>o', '<script>alert()</script>o', 'booglyboo@goooa.caasf', 'OWA', 'AF', 'KDFW', '0757f4128f3cbc8a832222654e7794b8', '53f0aa03e734d094d8cc0b84ca7f27e3', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:24:04', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(75, '<script>alert(''AHHHHHHHHH', '<script>alert(''AHHHHHHHHH', 'OK@OK.OK', 'OWA', 'AF', 'KDFW', 'ce32c9c0f426b7b5580ffe9e4a0ff505', '0e80477df44433a6c3b80044fefe8988', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:25:39', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(76, '<iframe></iframe>', '<iframe></iframe>', 'iamaframe@u.com', 'OWA', 'AF', 'KDFW', 'b610c758596c21ce0fe64dabe9f6ebb7', 'fb0bcdff3ffee9d08b2d888e66249688', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 2, '2015-12-08 21:27:23', '0000-00-00 00:00:00', '142.232.52.119', ''),
(77, '<br><br><br><br><br><br><', '<br><br><br><br><br><br><', 'boooo@goooo.coooo', 'OWA', 'AF', 'KDFW', '04742d3bbe06c2f30b49bb1aa2610bce', '7d879052c08b7956ef73fdad212b3f49', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:30:19', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(78, '<style>*{color:red}</styl', '<style>*{color:red}</styl', 'pleaseasease@gmaomfas.com', 'OWA', 'AF', 'KDFW', '7cc8ae7c7d20c45809d4c18aab88bd0f', 'f0b7ebbba8075c3cc486b76a0033cf3e', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:31:37', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(79, '<script>alert(''catcool', ''')</script>', 'multiliveradsf@gom.da', 'OWA', 'AF', 'KDFW', 'faa61b2ac0cd8d9df2c9cfc7d3c70b1d', 'e482abdb0721caa6b5fea14f4dbba164', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:32:52', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(80, '<p Style="font-size:', '5000000000%">HH</p>', 'asdga@goo.coo', 'OWA', 'AF', 'KDFW', '4a6f568928930435cc9ba0616088d54a', '5bee60f0e9694683dc46a58bd86a7df9', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:35:09', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(81, '<script>document.wri', 'Te(''bat'')</script>', 'adsfasd@adsfasdf.c', 'OWA', 'AF', 'KDFW', 'e4ba28bca95cd5d00132232dbe2204cf', 'dafb43e1bb389b17d482186a93cb20ac', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:37:03', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(82, '<script>document.', 'Write(''69'')</script>', 'password@password.password', 'OWA', 'AF', 'KDFW', '6023717de71926392f551205b5b779f4', 'ed5339c39105d626c57b7c943b798917', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:39:11', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(83, '<script>document', '.write(''7'')</script>', 'asdfsadpassword@password.c', 'OWA', 'AF', 'KDFW', 'a76c24d6178bac9333868e86206aad6e', 'c693f9c8ce0efc53c6d1d8d0e8846ebc', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:40:09', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(84, '<style>*{font-size:', '5000000000%}</style>', 'adsfasdf@adsf.c', 'OWA', 'AF', 'KDFW', '2c6e8a9d72daffb6200831301d39a59e', 'fa2db50b99b1a727a543c2b673fac0c7', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:42:50', '0000-00-00 00:00:00', '142.232.52.119', NULL),
(85, '<script>alert(''BOO', 'OOOOOOOOO'')</script>', 'adsfads@adsfads.cadd', 'OWA', 'AF', 'KDFW', 'c5aa5445138e3f2a764db1b0fb7c8f05', '434b209a80da49e4acdd47478c1d5cd0', '', '0000-00-00', 0, 0, 0, 0, 0, 1, 'New Hire', 1, 0, 0, '2015-12-08 21:44:51', '0000-00-00 00:00:00', '142.232.52.119', NULL);

It looks like no other files were affected. I disabled registration for the moment until a solution is found. Any ideas? Sorry for bad English . . . Volker

servetas (Moderators) Posted December 9, 2015
What is your website URL? Does your registration form include a captcha?

volkerjacob (Author) Posted December 9, 2015
www.vonewa.org/vAMS - captcha is in use . . . .

servetas (Moderators) Posted December 9, 2015
Have you checked if it is working too? I mean, does it block you from registering until you fill in the captcha form correctly?

Parkho (Moderators) Posted December 9, 2015
Looks like the recaptcha has been bypassed by the script somehow. Security layers would be a good solution but only if you have the knowledge to apply it.

volkerjacob (Author) Posted December 9, 2015
> Have you checked if it is working too? I mean, does it blocks you from registering until you fill in the captcha form correctly?

Yes - it's working fine . . . .

magicflyer Posted December 10, 2015
Nothing wrong with your registration system from what I can see. Someone just tried to inject some code in some of the fields; it's a very amateur hacking technique. Just block that IP and it shouldn't really happen again, without a VPS at least. Based on the time-stamps, he wasn't using a bot to do this, so I doubt he's talented enough to really make your data vulnerable. His IP is: 142.232.52.119

volkerjacob (Author) Posted December 10, 2015
IP at BlackList now!

General IP Information
IP: 142.232.52.119
Decimal: 2397582455
Hostname: ip-142-232-52-119.ptr.bcit.ca
ASN: 4476
ISP: British Columbia Institute of Technology
Organization: British Columbia Institute of Technology
Services: None detected
Type: Corporate
Assignment: Static IP

volkerjacob (Author) Posted December 10, 2015
Maybe I need to allow only the needed characters in the registration form.
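
Added example (not part of the thread, and not the site's own code): an allowlist check for the name fields, the idea raised in the last post, combined with HTML-encoding when names are displayed, run over name values copied from the dump in the first post. The function names, the 25-character cap and the legitimate row with id 1 are assumptions; Python is used because the thread does not name the site's language.

```python
import html
import unicodedata

# Assumption: names are capped at 25 characters, inferred from the
# truncated values in the dump (e.g. "<br><br><br><br><br><br><").
MAX_LEN = 25
ALLOWED_PUNCT = " '-."  # space, apostrophe, hyphen, period

def valid_name(value: str) -> bool:
    """Allowlist check for a first/last name field at registration time."""
    value = unicodedata.normalize("NFC", value).strip()
    if not 1 <= len(value) <= MAX_LEN:
        return False
    # Accept letters and combining marks from any script, plus a few
    # punctuation characters that occur in real names. Everything else
    # (angle brackets, parentheses, quotes, braces, digits) is rejected.
    return all(ch in ALLOWED_PUNCT or unicodedata.category(ch)[0] in ("L", "M")
               for ch in value)

def render_name(first: str, last: str) -> str:
    """Encode at output time so rows that are already stored stay inert."""
    return html.escape(f"{first} {last}", quote=True)

def flag_rows(rows):
    """Return the ids of stored rows whose name fields fail the allowlist."""
    return [rid for rid, first, last in rows
            if not (valid_name(first) and valid_name(last))]

# Constructed sample: (id, firstname, lastname). Rows 70-81 use the values
# shown in the first post; row 1 is an invented legitimate pilot.
SAMPLE_ROWS = [
    (1, "Zoë", "O'Neil-Smith"),
    (70, "Sssssssssss", "Sssssssssss"),
    (73, "<scirpt>alert('k')</scrip", "Asdf"),
    (76, "<iframe></iframe>", "<iframe></iframe>"),
    (81, "<script>document.wri", "Te('bat')</script>"),  # markup split over both fields
]

if __name__ == "__main__":
    print("rows to review:", flag_rows(SAMPLE_ROWS))
    print("row 81 as displayed:", render_name(*SAMPLE_ROWS[4][1:]))
```

Row 70 passes the allowlist because it contains only letters, so the check finds markup but not junk registrations; the encoding in `render_name` is what keeps already-stored rows harmless wherever the names are shown.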