Never seen this before....?

[broni]

I got this automated mail this morning:

Dear admin,

An error has been generated on your forums. You are being sent this notification based on your error log notification settings in the Admin Control Panel. This error meets the criteria for errors that you have set to be notified about.

The error code is: 5031

The error message is: We use an authorization key to verify you really submitted the form, and the authorization key was not supplied with your form submission or was invalid. Please go back, reload the form and try to submit it again.

The user who saw this error is: Guest

The IP address of this user is: [deleted]

Please login to your Admin Control Panel to use the error log viewer tool for further information.

I went ACP and I can see this in error log:



What am I dealing here with?

[rct2·com]

It's an attempted SQL injection into your board. The user is attempting to run some SQL by passing it in with the URL.

The board is trapping it, because the auth_key part of the URL is incorrect.

(Even if they got the auth_key correct,the URL they are trying to use is only valid if they are a moderator.)

InVision have been public about this potential explot, and fixed it in 3.0.5.

[Michael]

You had someone try to exploit one of the issues patched in 3.0.5:



If you've not already upgraded to 3.0.5, you should do so as soon as possible. Note, though, that since it was a guest that tried this, it never would have succeeded even on earlier versions. This was probably just some script kiddie who didn't even bother to read about what they were trying to do.

[broni]

Ahhh....thank you very much guys :)
Always appreciated :)
Yeah, I'm still with 3.0.4, because I saw some posts about apparent issues with 3.0.5

[mld11]

This was probably just some script kiddie who didn't even bother to read about what they were trying to do.

Epic... IPS out! lol...

[AndyF]

I'd consider banning that IP too (after checking it's not in use by one of your members) , I'd guess it was not one of those who tried this though anyway. :)

[broni]

Great idea. Just did it :)

[Gabriel Petrelli]

I was getting these for a while and then it stopped, I was never aware it was an SQL injection attempt. Of course they didn't succeed in doing whatever it was they were trying to do and got tired. It makes me a bit more worried now that I know it was an SQL injection attempt to exploit the board software, I didn't know it at the time and didn't ban the IP address..

[broni]

Actually, I found more info about the issue: Potent malware link infects almost 300,000 webpages

[Michael]

That's not necessarily the same issue. What you experienced was a specific exploit for a specific forum software. And this exploit will only ever work for users who already have moderator privileges on the forum in question.

[mz_]

I just got this error this morning and I'm running 3.0.5.

EDIT: It's from a Google IP.

[FadE.]

I got this error from a trend mirco ip address :s