• web message base hacking attempts...

    From mark lewis@1:3634/12.73 to Digital Man on Thu Apr 11 11:39:50 2019

    i'm (still) using the default web interface... i've noticed the following hacking attempts... since we detect them indirectly, can we do something similar to what we do with the terminal services and block the IPs doing this? the error log doesn't record the IP address so we have to dig through the web logs to find the offending IP...

    Wed Apr 10 2019 07:43:45 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux', Request: /msgs/msg.ssjs?msg_sub=fido-linux'&message=78'"

    Wed Apr 10 2019 07:43:47 sestar.synchro.net
    web 0067 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux2121121121212.1, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux2121121121212.1

    Wed Apr 10 2019 07:43:47 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux and 1=1, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%20and%201%3D1

    Wed Apr 10 2019 07:43:48 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux and 1>1, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%20and%201%3E1

    Wed Apr 10 2019 07:43:48 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux' and 'x'='x, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%27%20and%20%27x%27%3D%27x

    Wed Apr 10 2019 07:43:49 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux' and 'x'='y, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%27%20and%20%27x%27%3D%27y

    Wed Apr 10 2019 07:43:49 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux" and "x"="x, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux"%20and%20"x"%3D"x

    Wed Apr 10 2019 07:43:50 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux" and "x"="y, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%22%20and%20%22x%22%3D%22y

    Wed Apr 10 2019 07:43:51 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux AND 1=1, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%20AND%201=1

    Wed Apr 10 2019 07:43:52 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 27: Error: can't convert m to an integer, Request: /msgs/msg.ssjs?msg_sub=fido-linux&message=782121121121212.1

    Wed Apr 10 2019 07:43:58 sestar.synchro.net
    web 0065 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux' AnD sLeep(3) ANd '1, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%27%20AnD%20sLeep%283%29%20ANd%20%271

    Wed Apr 10 2019 07:43:59 sestar.synchro.net
    web 0065 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux'&&sLEEp(3)&&'1, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%27%26%26sLEEp%283%29%26%26%271

    Wed Apr 10 2019 07:44:00 sestar.synchro.net
    web 0065 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux' aND BeNChMaRK(2999999,Md5(NoW())) AnD '1, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%27%20aND%20BeNChMaRK%282999999%2CMd5%28NoW%28%29%29%29%20AnD%20%271

    Wed Apr 10 2019 07:44:01 sestar.synchro.net
    web 0065 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux'&&BeNChMaRK(2999999,mD5(NOW()))&&'1, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%27%26%26BeNChMaRK%282999999%2CmD5%28NOW%28%29%29%29%26%26%271

    Wed Apr 10 2019 07:44:01 sestar.synchro.net
    web 0065 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux' AnD sLeep(3) ANd '0'='0, Request: /msgs/msg.ssjs?message=78&msg_sub=fido-linux%27%20AnD%20sLeep%283%29%20ANd%20%270%27%3D%270


    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... A wholesome mind is wasted potential.
    ---
    * Origin: (1:3634/12.73)
  • From Digital Man@1:103/705 to mark lewis on Thu Apr 11 11:42:54 2019
    Re: web message base hacking attempts...
    By: mark lewis to Digital Man on Thu Apr 11 2019 11:39 am


    i'm (still) using the default web interface... i've noticed the following hacking attempts... since we detect them indirectly, can we do something similar to what we do with the terminal services and block the IPs doing this? the error log doesn't record the IP address so we have to dig through the web logs to find the offending IP...

    Wed Apr 10 2019 07:43:45 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux', Request: /msgs/msg.ssjs?msg_sub=fido-linux'&message=78'"

    That looks like a MsgBase.open() exception. You should be able to catch() that exception and handle it to your liking (e.g. block/filter the hostname or IP) in the relevant *js file.

    digital man

    This Is Spinal Tap quote #30:
    Big bottom, big bottom / Talk about mud flaps, my girl's got 'em!
    Norco, CA WX: 69.4°F, 33.0% humidity, 9 mph ENE wind, 0.00 inches rain/24hrs --- SBBSecho 3.07-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to mark lewis on Thu Apr 11 14:54:53 2019
    Re: web message base hacking attempts...
    By: mark lewis to Digital Man on Thu Apr 11 2019 11:39:50

    i'm (still) using the default web interface... i've noticed the following hacking attempts... since we detect them indirectly, can we do something similar to what we do with the terminal services and block the IPs doing

    Unrecognized msgbase code: fido-linux' AnD sLeep(3) ANd '1, Request:

    Some kind of SQL injection attempt. Annoying if it's actually bogging things down for you, but otherwise harmless and I'd ignore it.

    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error:

    I would guess that the existing "hack attempt" logging / banning mechanism in use with other services has to do with failed login attempts. In this instance, the web server only knows that a script shat its pants, and not that it was a hack attempt. There's no failed authentication to serve as a red flag.

    You'd need to modify msg.ssjs to interact with the hack attempt logging mechanism (via the system.hacklog() method I guess) when this happens. Presumably that method works with the attempts-counter and the automated ban/unban stuff happens in the background (DM could say).

    "Unrecognized message base code" won't always mean that this type of attack is happening, so treating all instances of this error as a hack attempt isn't strictly correct. Sometimes a search engine has indexed a URL including an internal code for a sub you've since renamed or removed from your system. Some innocent bot or user is just following that link and not trying to do you the hack. Playing around with the ban threshold & duration might help; a bot might generate a bunch of these errors in a small window of time whereas a legit user probably wouldn't.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com - 416-425-5435
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Digital Man@1:103/705 to echicken on Thu Apr 11 12:31:02 2019
    Re: web message base hacking attempts...
    By: echicken to mark lewis on Thu Apr 11 2019 02:54 pm

    You'd need to modify msg.ssjs to interact with the hack attempt logging mechanism (via the system.hacklog() method I guess) when this happens. Presumably that method works with the attempts-counter and the automated ban/unban stuff happens in the background (DM could say).

    That's kind of what I was suggesting, that he could call system.filter_ip() in a try/catch around MsgBase.open(). Now that creates a "permanent" ban of the IP address. There's no JS interface to the temp ban (failed login) stuff currently.

    I did plan on adding expiration support to the *.can files at some point, but haven't had the clear need (yet).

    digital man

    Synchronet/BBS Terminology Definition #23:
    DSZ = DOS Send ZMODEM (by Chuck Forsberg)
    Norco, CA WX: 70.0°F, 35.0% humidity, 5 mph ENE wind, 0.00 inches rain/24hrs --- SBBSecho 3.07-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to Digital Man on Thu Apr 11 15:42:41 2019
    Re: web message base hacking attempts...
    By: Digital Man to echicken on Thu Apr 11 2019 12:31:02

    That's kind of what I was suggesting, that he could call system.filter_ip() in a try/catch around MsgBase.open(). Now that creates a "permanent" ban of the IP address. There's no JS interface to the temp ban (failed login) stuff currently.

    Ah, I was hoping that system.hacklog did some magic in the background. Never used it.

    Banning anyone who generates this particular error wouldn't be a great solution. Something more complex (number of attempts in a set period of time, temporary ban & duration) would probably be needed.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com - 416-425-5435
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
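    The approach the two posts above converge on (Digital Man's try/catch around MsgBase.open() calling system.filter_ip(), tempered by echicken's point that a lone "Unrecognized msgbase code" error may be a stale search-engine link), as an added example that is not part of the thread or of Synchronet's own msg.ssjs. The sliding-window counter is plain JavaScript; the Synchronet-specific calls (system.filter_ip(), MsgBase.open(), the client IP) are assumptions passed in as callbacks and values so the logic runs stand-alone, and the sample sub codes and addresses are constructed from the probes quoted in the first post.

```javascript
// Added example, not Synchronet code. Counts MsgBase open failures per client
// in a time window and only bans once a threshold is crossed, so a single
// hit on a renamed sub from an old indexed link does not trigger a ban.
function makeErrorTracker(opts) {
  var windowMs = opts.windowMs;   // look-back window for counting errors
  var threshold = opts.threshold; // errors inside the window before banning
  var banFn = opts.banFn;         // assumed hook, e.g. a system.filter_ip() wrapper
  var hits = {};                  // ip -> list of error timestamps (ms)

  // Record one failure for ip at time now; returns true if ip was just banned.
  function record(ip, now) {
    var list = (hits[ip] || []).filter(function (t) { return now - t < windowMs; });
    list.push(now);
    hits[ip] = list;
    if (list.length >= threshold) {
      delete hits[ip];            // reset so a later unban starts clean
      banFn(ip);
      return true;
    }
    return false;
  }
  function pending(ip) { return (hits[ip] || []).length; }
  return { record: record, pending: pending };
}

// openFn stands in for MsgBase.open(), which the thread says throws on an
// unrecognized sub code; the catch feeds the tracker instead of banning outright.
function openSubOrTrack(tracker, openFn, sub, ip, now) {
  try {
    return { ok: true, base: openFn(sub), banned: false };
  } catch (e) {
    return { ok: false, error: String(e), banned: tracker.record(ip, now) };
  }
}

// Constructed sample: five probes from one address a second apart, plus one
// stale-link hit from another address. Addresses are RFC 5737 documentation IPs.
function demo() {
  var banned = [];
  var tracker = makeErrorTracker({ windowMs: 60000, threshold: 5,
                                   banFn: function (ip) { banned.push(ip); } });
  var known = { "fido-linux": true };
  function fakeOpen(sub) {
    if (!known[sub]) throw new Error("Unrecognized msgbase code: " + sub);
    return { code: sub };
  }
  var probes = ["fido-linux'", "fido-linux and 1=1", "fido-linux and 1>1",
                "fido-linux' and 'x'='x", "fido-linux' AnD sLeep(3) ANd '1"];
  var results = probes.map(function (p, i) {
    return openSubOrTrack(tracker, fakeOpen, p, "203.0.113.5", i * 1000); });
  var stale = openSubOrTrack(tracker, fakeOpen, "old-sub", "198.51.100.7", 0);
  return { banned: banned, lastBanned: results[4].banned,
           staleBanned: stale.banned, stalePending: tracker.pending("198.51.100.7") };
}
```

    In msg.ssjs the tracker would live across requests (for example in a global or a small on-disk state file) and banFn would call system.filter_ip() with the arguments Synchronet documents; the window and threshold are the knobs echicken suggests tuning.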
  • From Digital Man@1:103/705 to echicken on Thu Apr 11 13:19:32 2019
    Re: web message base hacking attempts...
    By: echicken to Digital Man on Thu Apr 11 2019 03:42 pm

    Re: web message base hacking attempts...
    By: Digital Man to echicken on Thu Apr 11 2019 12:31:02

    That's kind of what I was suggesting, that he could call system.filter_ip() in a try/catch around MsgBase.open(). Now that creates
    a "permanent" ban of the IP address. There no JS interface to the temp ban
    (failed login) stuff currently.

    Ah, I was hoping that system.hacklog did some magic in the background.
    Never
    used it.

    Banning anyone who generates this particular error wouldn't be a great solution. Something more complex (number of attempts in a set period of time,
    temporary ban & duration) would probably be needed.

    I agree.

    As for the quoted word-wrap issue above, that seems to be caused by using a terminal width > 80 (93 in your case) and an editor (SlyEdit in this case) which always word-wraps at 79/80 columns. <hrm> Something I need to look into.

    digital man

    This Is Spinal Tap quote #44:
    It really, it does disturb me, but i'll rise above it; I'm a professional.
    Norco, CA WX: 71.2°F, 34.0% humidity, 11 mph ENE wind, 0.00 inches rain/24hrs --- SBBSecho 3.07-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)