• web message base hacking attempts...

    From Digital Man@VERT to mark lewis on Thursday, April 11, 2019 09:42:54
    Re: web message base hacking attempts...
    By: mark lewis to Digital Man on Thu Apr 11 2019 11:39 am


    i'm (still) using the default web interface... i've noticed the following hacking attempts... since we detect them indirectly, can we do something similar to what we do with the terminal services and block the IPs doing this? the error log doesn't record the IP address so we have to dig through the web logs to find the offending IP...

    Wed Apr 10 2019 07:43:45 sestar.synchro.net
    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error: Unrecognized msgbase code: fido-linux', Request: /msgs/msg.ssjs?msg_sub=fido-linux'&message=78'"

    That looks like a MsgBase.open() exception. You should be able to catch() that exception and handle it to your liking (e.g. block/filter the hostname or IP) in the relevant *js file.

    digital man

    This Is Spinal Tap quote #30:
    Big bottom, big bottom / Talk about mud flaps, my girl's got 'em!
    Norco, CA WX: 69.4F, 33.0% humidity, 9 mph ENE wind, 0.00 inches rain/24hrs

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From echicken@VERT/ECBBS to mark lewis on Thursday, April 11, 2019 12:54:53
    Re: web message base hacking attempts...
    By: mark lewis to Digital Man on Thu Apr 11 2019 11:39:50

    i'm (still) using the default web interface... i've noticed the following hacking attempts... since we detect them indirectly, can we do something similar to what we do with the terminal services and block the IPs doing

    Unrecognized msgbase code: fido-linux' AnD sLeep(3) ANd '1, Request:

    Some kind of SQL injection attempt. Annoying if it's actually bogging things down for you, but otherwise harmless and I'd ignore it.

    web 0037 !JavaScript /sbbs/web/root/msgs/msg.ssjs line 20: Error:

    I would guess that the existing "hack attempt" logging / banning mechanism in use with other services has to do with failed login attempts. In this instance, the web server only knows that a script shat its pants, and not that it was a hack attempt. There's no failed authentication to serve as a red flag.

You'd need to modify msg.ssjs to interact with the hack attempt logging mechanism (via the system.hacklog() method I guess) when this happens. Presumably that method works with the attempts-counter and the automated ban/unban stuff happens in the background (DM could say).

    "Unrecognized message base code" won't always mean that this type of attack is happening, so treating all instances of this error as a hack attempt isn't strictly correct. Sometimes a search engine has indexed a URL including an internal code for a sub you've since renamed or removed from your system. Some innocent bot or user is just following that link and not trying to do you the hack. Playing around with the ban threshold & duration might help; a bot might generate a bunch of these errors in a small window of time whereas a legit user probably wouldn't.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com - 416-425-5435
    Synchronet electronic chicken bbs - bbs.electronicchicken.com
  • From Digital Man@VERT to echicken on Thursday, April 11, 2019 10:31:02
    Re: web message base hacking attempts...
    By: echicken to mark lewis on Thu Apr 11 2019 02:54 pm

You'd need to modify msg.ssjs to interact with the hack attempt logging mechanism (via the system.hacklog() method I guess) when this happens. Presumably that method works with the attempts-counter and the automated ban/unban stuff happens in the background (DM could say).

That's kind of what I was suggesting, that he could call system.filter_ip() in a try/catch around MsgBase.open(). Now that creates a "permanent" ban of the IP address. There's no JS interface to the temp ban (failed login) stuff currently.

    I did plan on adding expiration support to the *.can files at some point, but haven't had the clear need (yet).

    digital man

    Synchronet/BBS Terminology Definition #23:
    DSZ = DOS Send ZMODEM (by Chuck Forsberg)
    Norco, CA WX: 70.0F, 35.0% humidity, 5 mph ENE wind, 0.00 inches rain/24hrs

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
  • From echicken@VERT/ECBBS to Digital Man on Thursday, April 11, 2019 13:42:41
    Re: web message base hacking attempts...
    By: Digital Man to echicken on Thu Apr 11 2019 12:31:02

That's kind of what I was suggesting, that he could call system.filter_ip() in a try/catch around MsgBase.open(). Now that creates a "permanent" ban of the IP address. There's no JS interface to the temp ban (failed login) stuff currently.

    Ah, I was hoping that system.hacklog did some magic in the background. Never used it.

    Banning anyone who generates this particular error wouldn't be a great solution. Something more complex (number of attempts in a set period of time, temporary ban & duration) would probably be needed.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com - 416-425-5435
    Synchronet electronic chicken bbs - bbs.electronicchicken.com
  • From Digital Man@VERT to echicken on Thursday, April 11, 2019 11:19:32
    Re: web message base hacking attempts...
    By: echicken to Digital Man on Thu Apr 11 2019 03:42 pm

    Re: web message base hacking attempts...
    By: Digital Man to echicken on Thu Apr 11 2019 12:31:02

    That's kind of what I was suggesting, that he could call system.filter_ip() in a try/catch around MsgBase.open(). Now that creates
a "permanent" ban of the IP address. There's no JS interface to the temp ban
    (failed login) stuff currently.

    Ah, I was hoping that system.hacklog did some magic in the background.
    Never
    used it.

    Banning anyone who generates this particular error wouldn't be a great solution. Something more complex (number of attempts in a set period of time,
    temporary ban & duration) would probably be needed.

    I agree.

    As for the quoted word-wrap issue above, that seems to be caused by using a terminal width > 80 (93 in your case) and an editor (SlyEdit in this case) which always word-wraps at 79/80 columns. <hrm> Something I need to look into.

    digital man

    This Is Spinal Tap quote #44:
It really, it does disturb me, but I'll rise above it; I'm a professional.
Norco, CA WX: 71.2F, 34.0% humidity, 11 mph ENE wind, 0.00 inches rain/24hrs

    ---
    Synchronet Vertrauen Home of Synchronet [vert/cvs/bbs].synchro.net
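The defender-side logic the thread converges on (catch the failed open, count repeated malformed msg_sub values per client address inside a time window, and only then ban), written out as an added example that is not Synchronet's code nor any poster's. It follows echicken's distinction: a well-formed but unknown sub code is treated as a stale link and gets no strike, while a value containing quote characters or other non-identifier characters counts toward a threshold. Synchronet's MsgBase.open(), system.filter_ip() and system.hacklog() are not callable outside the BBS, so they are injected as callbacks with assumed signatures; the sub-code pattern and its 16-character cap, the threshold and window values, and the 198.51.100.7 address are all constructed for the demo.

```javascript
// Added example (not Synchronet's code): a rate-limited ban policy for the
// "Unrecognized msgbase code" failure discussed in the thread. The BBS-side
// actions are passed in as callbacks (assumed signatures) so the policy itself
// is plain JavaScript that runs under Node without a Synchronet install.

// Shape of a well-formed sub code: letters, digits, '_' and '-'. The length cap
// is an assumption for this demo, not a value taken from Synchronet.
const SUB_CODE_RE = /^[A-Za-z0-9_-]{1,16}$/;

// Sliding-window counter of malformed requests per client address.
class MalformedRequestTracker {
  constructor({ threshold = 5, windowMs = 60000, now = Date.now } = {}) {
    this.threshold = threshold;
    this.windowMs = windowMs;
    this.now = now;           // injectable clock so the window can be tested
    this.hits = new Map();    // ip -> array of hit timestamps (ms)
  }
  // Records one malformed request; returns true when the threshold is reached
  // within the window, i.e. when the caller should ban.
  record(ip) {
    const t = this.now();
    const recent = (this.hits.get(ip) || []).filter(ts => t - ts < this.windowMs);
    recent.push(t);
    this.hits.set(ip, recent);
    return recent.length >= this.threshold;
  }
}

// Classifies the msg_sub query parameter before any message base is touched.
// 'malformed' = cannot be a sub code at all; 'unknown' = well-formed but not
// configured (stale link); 'known' = safe to open.
function classifySubCode(code, knownSubs) {
  if (typeof code !== 'string' || !SUB_CODE_RE.test(code)) return 'malformed';
  return knownSubs.has(code) ? 'known' : 'unknown';
}

// Handles one request. `deps` stands in for the BBS: openSub(code) for
// MsgBase.open(), banIp(ip, reason) for system.filter_ip(), log(msg) for the
// error log (all assumed signatures for this demo).
function handleMsgRequest(req, knownSubs, tracker, deps) {
  const kind = classifySubCode(req.msg_sub, knownSubs);
  if (kind === 'known') {
    try {
      deps.openSub(req.msg_sub);
      return { status: 200, action: 'open' };
    } catch (e) {
      deps.log(`open failed for ${req.msg_sub}: ${e.message}`);
      return { status: 500, action: 'error' };
    }
  }
  if (kind === 'unknown') {
    // Well-formed but nonexistent: most likely a renamed/removed sub, no strike.
    return { status: 404, action: 'not-found' };
  }
  deps.log(`malformed msg_sub from ${req.ip}: ${JSON.stringify(req.msg_sub)}`);
  if (tracker.record(req.ip)) {
    deps.banIp(req.ip, 'repeated malformed msg_sub');
    return { status: 403, action: 'banned' };
  }
  return { status: 400, action: 'rejected' };
}

// Constructed demo: replays the two msg_sub values quoted in the thread plus a
// stale link, all from one documentation-range address, with a threshold of 3.
function demo() {
  const known = new Set(['fido-linux', 'local-general']);
  let clock = 0;
  const tracker = new MalformedRequestTracker({ threshold: 3, windowMs: 60000, now: () => clock });
  const banned = [];
  const deps = { openSub: () => {}, banIp: ip => banned.push(ip), log: () => {} };
  const ip = '198.51.100.7';
  const results = [
    handleMsgRequest({ ip, msg_sub: 'fido-linux' }, known, tracker, deps),
    handleMsgRequest({ ip, msg_sub: 'fido-renamed' }, known, tracker, deps),
    handleMsgRequest({ ip, msg_sub: "fido-linux'" }, known, tracker, deps),
    handleMsgRequest({ ip, msg_sub: "fido-linux' AnD sLeep(3) ANd '1" }, known, tracker, deps),
  ];
  clock = 30000; // still inside the 60 s window
  results.push(handleMsgRequest({ ip, msg_sub: "x'" }, known, tracker, deps));
  return { actions: results.map(r => r.action), banned };
}

console.log(JSON.stringify(demo()));
```

Inside a real msg.ssjs the `deps` object would be the actual Synchronet calls, and `banIp` would be where the permanent system.filter_ip() ban (or, if one is added later, a timed one) is issued; keeping the counting logic separate from those calls is what lets the threshold and window be tuned and tested offline.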