hack attempt?


I got 150 emails on December 5, 6 per minute.
They were all the same, like this:
From: QQL Quick Quality Laboratory afvalwaterzuivering [mailto@qql.nl]
Sent: Friday 5 December 2008 19:17
To: webmaster @ qql.nl
Subject: SQL Error on QQL Quick Quality Laboratory afvalwaterzuivering

On /index.php?name=Content&pid=4
While executing query "INSERT INTO cms_security_flood
(flood_ip,flood_time,flood_count,log) VALUES (0x544d5ac9, '1228497428',
'0', DEFAULT)"

the following error occured: Duplicate entry 'TMZ' for key 1

In: /www/htdocs/qql/includes/classes/security.php on line: 308

Guest information:
User id: 1
Username: Anonymous
Admin: No
IP: 84.77.90.201
Host: 84.77.90.201

What can this be? A hacker's attempt or something else?
Should I be worried?

Wonder is the beginning of all wisdom.
Verwondering is het begin van alle wijsheid.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Windows xp/Apache 2.0/mysql 5.0.51a (client: 5.0.51a) php 5.2.5/ CPGNuke 9.2.1


At least something was flooding the system.
But it seems there's a bug, the security system should already ban instead of trying to insert each time.

Sounds like the SELECT query fails and it tries to ban the bot over and over again (which crashes the sql query).

Will talk with Nano about it, if this was already fixed.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


I had been getting something similar to this too in the past week.

Lead Theme Designer - WebSiteGuru Designs

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux 2.6.9 / Apache 2.2.6 / MySQL 5.0.27 / PHP 5 / DF Version 9.2.1


I found out that IP is a so-called spam harvester.
That means it is a kind of bot?
The page it is addressing is called contact in the menu and contains the email address for the site.

Wonder is the beginning of all wisdom.
Verwondering is het begin van alle wijsheid.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Windows xp/Apache 2.0/mysql 5.0.51a (client: 5.0.51a) php 5.2.5/ CPGNuke 9.2.1


Yes, they are spam bots.

Lead Theme Designer - WebSiteGuru Designs

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux 2.6.9 / Apache 2.2.6 / MySQL 5.0.27 / PHP 5 / DF Version 9.2.1


Do you think they succeeded?
Or did the attempt fail?
How can I see that?

Wonder is the beginning of all wisdom.
Verwondering is het begin van alle wijsheid.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Windows xp/Apache 2.0/mysql 5.0.51a (client: 5.0.51a) php 5.2.5/ CPGNuke 9.2.1


I don't know, but IMO they did not succeed.

Lead Theme Designer - WebSiteGuru Designs

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux 2.6.9 / Apache 2.2.6 / MySQL 5.0.27 / PHP 5 / DF Version 9.2.1


Now I can't get into my site anymore.
I get a database error.
What to do now?

edit:
I get an email with the following explanation:

While executing query "INSERT INTO cms_security_flood (flood_ip,flood_time,flood_count,log) VALUES (0x55912ea1, '1228782911', '0', DEFAULT)"

the following error occured: Duplicate entry 'U‘.¡' for key 1

In: /www/htdocs/qql/includes/classes/security.php on line: 308

Guest information:
User id: 1
Username: Anonymous
Admin: No
IP: 85.145.46.161
Host: s55912ea1.adsl.wanadoo.nl

That's me, that's my IP address!

So what is happening?
Am I now banned from my own site?

Wonder is the beginning of all wisdom.
Verwondering is het begin van alle wijsheid.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Windows xp/Apache 2.0/mysql 5.0.51a (client: 5.0.51a) php 5.2.5/ CPGNuke 9.2.1
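
The hex literal in the failing INSERT is the visitor's IPv4 address packed into four bytes, which is why the "Duplicate entry" text in the mails looks like garbage. The following is an added example, not part of the thread or of Dragonfly's code: a small triage script that decodes `flood_ip` from such an alert mail and checks it against the reported IP. The sample mails are constructed from the ones quoted above, and reading the key bytes as Windows-1252 is an assumption about the mail's charset.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed samples: the two alert mails quoted in this thread, trimmed to the
# query line and the "IP:" line the script needs.
ALERTS = [
    "(flood_ip,flood_time,flood_count,log) VALUES (0x544d5ac9, '1228497428',\n"
    "'0', DEFAULT)\"\nIP: 84.77.90.201\n",
    "(flood_ip,flood_time,flood_count,log) VALUES (0x55912ea1, '1228782911', "
    "'0', DEFAULT)\"\nIP: 85.145.46.161\n",
]

VALUES_RE = re.compile(r"VALUES\s*\(\s*0x([0-9a-fA-F]{8})\s*,\s*'(\d+)'")
IP_RE = re.compile(r"^IP:\s*(\S+)", re.MULTILINE)


def decode_flood_ip(hex_literal):
    """Return (dotted quad, the same 4 bytes rendered as Windows-1252 text)."""
    raw = bytes.fromhex(hex_literal)
    return socket.inet_ntoa(raw), raw.decode("cp1252", errors="replace")


def triage(mail_text):
    """Extract the flooded key from one alert mail; None if it is not one."""
    values = VALUES_RE.search(mail_text)
    reported = IP_RE.search(mail_text)
    if not values or not reported:
        return None
    dotted, key_text = decode_flood_ip(values.group(1))
    when = datetime.fromtimestamp(int(values.group(2)), tz=timezone.utc)
    return {
        "flood_ip": dotted,
        "key_as_text": key_text,
        "flood_time_utc": when.isoformat(),
        "matches_reported_ip": dotted == reported.group(1),
    }


if __name__ == "__main__":
    for mail in ALERTS:
        print(triage(mail))
```

Grouping the decoded addresses across a mailbox of these alerts shows at a glance whether the flood entries belong to one outside client or to the administrator's own address.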


The site might have thought that you were flooding the site too (by refreshing, clicking the links in it too often). Search the forums for how to remove your IP from the banned IPs list.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
-


I can't get into admin either, so how can I unban myself?
I am the administrator of the site, do I have to do something in the database?

Wonder is the beginning of all wisdom.
Verwondering is het begin van alle wijsheid.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Windows xp/Apache 2.0/mysql 5.0.51a (client: 5.0.51a) php 5.2.5/ CPGNuke 9.2.1


You could empty some IPs table, the name of which I can't remember, though that would remove other banned IPs as well.

And... it's 4 AM, so better search the forum, I'm in no help-condition atm. Night.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
-


Sleep well eastlane, I will look further.
I hope I banned myself and that is the matter, because that will take only 24 hours.

Wonder is the beginning of all wisdom.
Verwondering is het begin van alle wijsheid.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Windows xp/Apache 2.0/mysql 5.0.51a (client: 5.0.51a) php 5.2.5/ CPGNuke 9.2.1


If you banned yourself, go into the db, find the table yourprefix_security, and delete all the entries with Flooding Detected ...... in the field ban_details.


EDIT: Also delete your website cache (DO NOT DELETE THE .HTACCESS)

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Multiple Setups

Last edited by Dizfunkshunal on Tue Dec 09, 2008 4:37 pm; edited 1 time in total


Thanks Dizfunctional, that did the trick.
I can now reach the site again.
But I also needed to empty the cache.

Still no answer from Nano or DJMaze whether there was a bug in the flooding system though....

Wonder is the beginning of all wisdom.
Verwondering is het begin van alle wijsheid.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Windows xp/Apache 2.0/mysql 5.0.51a (client: 5.0.51a) php 5.2.5/ CPGNuke 9.2.1


You're welcome :)

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Multiple Setups

All times are UTC

