  #1  
Old 26 Nov 2013, 16:45
JohnD5000 JohnD5000 is offline
 
Join Date: Aug 2012
Possible login/spammer hack. Looking for preventative solutions. vBulletin 4.2.1 site

Over the last 2 weeks I have received 12 vBulletin database errors of the following type:

Database error in vBulletin 4.2.1:

Invalid SQL:
SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM user WHERE username = 'basket compens¨Ĥes isabel marant';

MySQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='
Error Number : 1267
Request Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Error Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Script : http://www.empirisoft.com/support/login.php?do=login
Referrer : http://www.empirisoft.com/support/me...75-AryanDuncan
IP Address : 142.0.143.20
Username : Unregistered
Classname : vB_Database
MySQL Version :

Please note the funny text that someone is trying to use as a username. Also, all 12 errors originated from the same IP address.
I think this is an attempt by a spammer to hack a username on our site. Is there any solution/add-on to prevent this type of attack in the future?

Thanks in advance for any and all suggestions.
Reply With Quote
  #2  
Old 26 Nov 2013, 17:01
blackberry blackberry is offline
 
Join Date: Feb 2008
Real name: Sheem
Your table collations should be latin1_swedish_ci, please check your tables and update one by one.
__________________
SachiiDosti - Hum Sub Dost Hain
Reply With Quote
  #3  
Old 26 Nov 2013, 18:16
JohnD5000 JohnD5000 is offline
 
Join Date: Aug 2012
Please note that the correct collation for column username (latin1_swedish_ci,IMPLICIT) is being compared to the collation of the string provided by the user at login (utf8_general_ci,COERCIBLE) in a string that looks awfully suspicious:

'basket compens¨Ĥes isabel marant'

Is there a way to change the collation of the user provided string? I should have mentioned above that all 12 errors I received were generated from the same ip address. I'm guessing this is a hacker trying to hack a username. Again any suggestions for preventing this type of hack/spam are greatly appreciated.
Reply With Quote
  #4  
Old 26 Nov 2013, 18:29
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
It's an autospam administrator trying to bypass your human verification with some adolescent script kiddie attempt. It's not a hacker or an exploit. You are being probed for an exploit.

Last edited by Max Taxable; 26 Nov 2013 at 18:53.
Reply With Quote
  #5  
Old 26 Nov 2013, 18:42
JohnD5000 JohnD5000 is offline
 
Join Date: Aug 2012
Ok. Can it be prevented? The fact that it generates database errors is throwing off our support system.
Reply With Quote
  #6  
Old 26 Nov 2013, 18:52
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
I'm temporarily at a loss as to how to prevent. Blocking the IP address would only be a temporary "fix" since the persistence of the spammer is already demonstrated. You could ban the whole range, like putting 142.0* in your IP ban list. But like I said, IPs are easy to spoof anyway.

It might be helpful to see if the User Agent string being used is constant, and if it contains some unusual variable, for blocking purposes.
Reply With Quote
  #7  
Old 26 Nov 2013, 20:26
JohnD5000 JohnD5000 is offline
 
Join Date: Aug 2012
I added the IP address to the banned list. The user string has a constant of "| within it (I think because I am not sure second character is pipe).

Question: Does the banned ip address prevent login attempts?
Reply With Quote
  #8  
Old 26 Nov 2013, 20:52
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
Originally Posted by JohnD5000
I added the IP address to the banned list. The user string has a constant of "| within it (I think because I am not sure second character is pipe).
It would be helpful if you have it, to post the entire user agent string. Typical one looks like this:
198.204.237.210
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
It tells us the operating system, browser, some add-ons and toolbars, and all versions.

Question: Does the banned ip address prevent login attempts?
From the banned IP it does. It blocks all access.
Reply With Quote
  #9  
Old 26 Nov 2013, 21:16
JohnD5000 JohnD5000 is offline
 
Join Date: Aug 2012
Max,

All I have is what is listed in the error message and was sent to me via email notification (see below). Where would I find the rest of this info? Also, would an add-on like Spam-O-Matic Firewall help with these types of probes?

Database error in vBulletin 4.2.1:

Invalid SQL:
SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM user WHERE username = 'basket compens¨Ĥes isabel marant';

MySQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='
Error Number : 1267
Request Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Error Date : Tuesday, November 26th 2013 @ 02:16:49 AM
Script : http://www.empirisoft.com/support/login.php?do=login
Referrer : http://www.empirisoft.com/support/me...75-AryanDuncan
IP Address : 142.0.143.20
Username : Unregistered
Classname : vB_Database
MySQL Version :
Reply With Quote
  #10  
Old 26 Nov 2013, 21:30
steve3402000 steve3402000 is offline
 
Join Date: Nov 2004
Real name: Steve
Is it not amazing, you see these same questions on the home page for vbulletin, and you get crickets..... Here people actually help. It is a good thing

S
Reply With Quote
  #11  
Old 26 Nov 2013, 22:32
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Try this
Reply With Quote
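
Added example, not part of any post in this thread and not vBulletin code: a Python script that parses error notifications in the layout quoted above, groups login.php failures by source IP, and records whether each submitted username can be represented in latin1 at all. It assumes the notification e-mails have been saved into one text string and that MySQL's latin1 corresponds to Python's cp1252 codec; the function names and the 203.0.113.7 entry are hypothetical.

```python
import re
from collections import defaultdict

# "Key : Value" lines as they appear in the vBulletin error e-mail.
FIELD = re.compile(r"^([A-Za-z ]+?)[ \t]*:[ \t]*(.*)$", re.M)
NAME = re.compile(r"WHERE username = '(.*)';")

def fits_latin1(name):
    """True if every character exists in cp1252 (assumed equal to MySQL latin1)."""
    try:
        name.encode("cp1252")
        return True
    except UnicodeEncodeError:
        return False

def login_probe_summary(mail_text, threshold=2):
    """Group login.php error reports by source IP; keep IPs seen >= threshold times."""
    by_ip = defaultdict(list)
    for chunk in mail_text.split("Database error in vBulletin")[1:]:
        fields = dict(FIELD.findall(chunk))
        name = NAME.search(chunk)
        if name is None or "login.php" not in fields.get("Script", ""):
            continue
        by_ip[fields.get("IP Address", "unknown")].append({
            "errno": fields.get("Error Number"),
            "username": name.group(1),
            "fits_latin1": fits_latin1(name.group(1)),
        })
    return {ip: hits for ip, hits in by_ip.items() if len(hits) >= threshold}

# Constructed sample: the report layout and the first IP/username come from the
# thread; 203.0.113.7 and its username are made-up placeholder values.
REPORT = (
    "Database error in vBulletin 4.2.1:\n\nInvalid SQL:\n"
    "SELECT userid, usergroupid, membergroupids, infractiongroupids, username, "
    "password, salt FROM user WHERE username = '{name}';\n\n"
    "MySQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and "
    "(utf8_general_ci,COERCIBLE) for operation '='\n"
    "Error Number : 1267\n"
    "Script : http://www.empirisoft.com/support/login.php?do=login\n"
    "IP Address : {ip}\nUsername : Unregistered\nClassname : vB_Database\n\n"
)
THREAD_NAME = "basket compens\u00a8\u0124es isabel marant"
SAMPLE = (REPORT.format(name=THREAD_NAME, ip="142.0.143.20") * 2
          + REPORT.format(name="caf\u0113", ip="203.0.113.7"))

if __name__ == "__main__":
    for ip, hits in login_probe_summary(SAMPLE).items():
        print(ip, len(hits), [h["fits_latin1"] for h in hits])
```

A submitted name for which `fits_latin1` is false cannot equal any value stored in a latin1 username column, so the same check can be used to reject such logins before the query is issued.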