Dandello (Forum Administrator, YaBB Modder) - Error log - Sep 17th, 2014 at 3:37pm

Certain strings saved in the errorlog.txt can cause serious issues in showing the error log. These strings are the result of attempts to locate/access various server programs. Since these attempts threw errors, the miscreants failed in getting to those files - BUT the saved error string itself can create problems when being looked at in the error log.

I'm working on preventative measures.

Perfection is not possible. Excellence, however, is excellent.

Monni (Language) - Re: Error log, Reply #1 - Sep 17th, 2014 at 3:53pm

Aww... It's nice the error logging gets safer after the first fix I suggested.

Dandello (Forum Administrator) - Re: Error log, Reply #2 - Sep 17th, 2014 at 6:28pm

The current fix is to simply replace all the pointy brackets with HTML entities (with some workarounds for bold and breaks). That prevents bogus strings from messing up the HTML in the ErrorLog viewer.

We also need a 'block IP in .htaccess' for those not using the .htaccess function in Guardian. (Some of us don't like the automatic blocking function in Guardian.)

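Added example (not part of the thread and not YaBB's own code, which is Perl): a Python sketch of the fix described in the post above, escaping a stored error string for an HTML log viewer and restoring only attribute-free bold and break tags. The function name and the sample string are constructed for illustration.

```python
import html
import re

# After escaping, only these exact attribute-free tags are turned back into
# markup: <b>, </b>, <br>, <br/>, <br />. Anything else stays as entities.
_ALLOWED = re.compile(r"&lt;(/?b|br ?/?)&gt;", re.IGNORECASE)


def render_log_entry(raw: str) -> str:
    """Return one stored error string in a form safe to place in HTML."""
    # Drop control characters (tab excepted) so an entry cannot inject
    # line breaks or terminal escapes into the viewer page.
    cleaned = "".join(ch for ch in raw if ch == "\t" or ch >= " ")
    # Escape &, <, > and both quote characters.
    escaped = html.escape(cleaned, quote=True)
    # Re-enable the allowlisted formatting tags only.
    return _ALLOWED.sub(lambda m: "<" + m.group(1).lower() + ">", escaped)


# Constructed sample: formatting written by the logger itself plus a
# request string that contains markup.
SAMPLE = '<b>Error</b>: bad query <script>alert(1)</script><br />'

if __name__ == "__main__":
    print(render_log_entry(SAMPLE))
```

Because the allowlist is matched after escaping, a tag that carries attributes, such as a bold tag with an event handler, never matches and is displayed as text.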
xnoddyx (Global Moderator) - Re: Error log, Reply #3 - Sep 18th, 2014 at 4:29pm

Dandello wrote on Sep 17th, 2014 at 6:28pm:
"The current fix is to simply replace all the pointy brackets with HTML entities (with some workarounds for bold and breaks). That prevents bogus strings from messing up the HTML in the ErrorLog viewer. We also need a 'block IP in .htaccess' for those not using the .htaccess function in Guardian. (Some of us don't like the automatic blocking function in Guardian.)"

yer as .htaccess can get big fast with automatic blocking on.

as bill and ted say be excellent to each other (More to come)

Dandello (Forum Administrator) - Re: Error log, Reply #4 - Oct 3rd, 2014 at 9:41pm

We're currently testing a "three-strikes you're out" auto-ban function for 'guest' IPs throwing repeated errors in a very short time. This is an idea JonB and I have talked about - especially in light of the DOS attacks that have been aimed at YaBBForum.com. These aren't things caught by Guardian as we're looking at the same IP throwing errors in an inhumanly short time.

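Added example (not part of the thread and not YaBB's own code): a Python sketch of the "three strikes" idea in the post above, flagging guest IPs that log a set number of errors inside a short sliding window. The threshold, the window length, the event tuple layout and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque

STRIKES = 3            # assumed threshold ("three strikes")
WINDOW_SECONDS = 2.0   # assumed meaning of "a very short time"


def find_offenders(events, strikes=STRIKES, window=WINDOW_SECONDS):
    """Scan (epoch_seconds, ip, is_guest) error events sorted by time.

    Returns {ip: timestamp of the error that triggered the ban}.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for ts, ip, is_guest in events:
        # Logged-in members are out of scope; banned IPs need no recount.
        if not is_guest or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        # Forget errors that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= strikes:
            banned[ip] = ts
            del recent[ip]
    return banned


# Constructed sample events (documentation address ranges).
SAMPLE_EVENTS = [
    (1000.0, "192.0.2.10", True),
    (1000.1, "203.0.113.5", False),   # member: never counted
    (1000.2, "203.0.113.5", False),
    (1000.3, "192.0.2.10", True),
    (1000.3, "203.0.113.5", False),
    (1000.4, "198.51.100.7", True),   # guest with widely spaced errors
    (1000.6, "192.0.2.10", True),     # third error within 2 s: ban
    (1001.0, "192.0.2.10", True),
    (1030.0, "198.51.100.7", True),
    (1060.0, "198.51.100.7", True),
]

if __name__ == "__main__":
    print(find_offenders(SAMPLE_EVENTS))
```

Keeping only the timestamps inside the window bounds the memory used per IP to the strike count, which matters when the errors arrive several per second.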
Monni (Language) - Re: Error log, Reply #5 - Oct 4th, 2014 at 7:44am

For .htaccess getting too long, the only viable solution is to deny address blocks instead of single addresses if there are more than a few malicious attempts coming from the same IP block but different IP... This has to be weighed carefully as some IP blocks cover quite large areas.

This will work for crawlers and trojans trying to mass harvest non-existing or private pages, but fails on IP blocks that contain mainly cache or proxy servers.

Dandello (Forum Administrator) - Re: Error log, Reply #6 - Oct 4th, 2014 at 2:07pm

I think a future solution may be to figure out a way to 'time ban' IPs in the .htaccess - timestamp them and set a time limit after which they get removed. What's been observed is that the non-legitimate bots rotate through IP addresses.

Bill Myers (Tester) - Re: Error log, Reply #7 - Oct 4th, 2014 at 2:11pm

Monni wrote on Oct 4th, 2014 at 7:44am:
"For .htaccess getting too long ..."

Does this have to be an issue if spam-bots are no longer able to register, and spam-bot automation becomes moot because The Guardian™ is doing its job by blocking malicious scripts?

I ask because a 2.4 YaBB forum I operate is inundated by spam-bots, and yet, they're never a bother for me because the forum continues to operate flawlessly. I emptied the IP ban list years ago, which continues to remain empty, the forum enjoys open registration without approvals, and guest posting is allowed.

It seems to me that if an admin sets their forum's security settings accordingly, an error log can simply be read for info, and for amusement, and they can stop being concerned about spam-bot automation in whatever way those spam-bots try to be malicious.

Morning, noon, or night, have a great one!

Dandello (Forum Administrator) - Re: Error log, Reply #8 - Oct 4th, 2014 at 2:43pm

@Bill, we're not talking about keeping spambots from registering - we're talking about keeping them from attacking other portions of YaBB by inserting query strings Guardian doesn't catch (assuming it's turned on) and inundating the server with multiple errors per second. (And yes - PER SECOND!) Every single error one of these b@stards throws gets written to the errorlog - which, despite outside appearances, is not a simple process.

We're talking about attacks aimed specifically at how YaBB's error logging and errorlog viewing is performed. And what they are trying to do is create a string that will execute FROM THE ERRORLOG WHEN VIEWED! And if that fails, put enough garbage into the errorlog file that the viewer fails, the novice admin gets frustrated and goes to another forum software while bad-mouthing YaBB.

Edited:
And when I say specifically aimed at YaBB, I mean it - JonB checks things when these attacks happen on YaBBForum and the attacks always originate from the same locale - a spot where at least one disgruntled former YaBB dev person resides. Not exactly a smoking gun, but pretty suspicious considering things that have been found in the code and removed.

xnoddyx (Global Moderator) - Re: Error log, Reply #9 - Oct 4th, 2014 at 3:16pm

Dandello wrote on Oct 4th, 2014 at 2:43pm:
"but pretty suspicious considering things that have been found in the code and removed."

? It isn't that again, is it? I was hoping it wasn't like that. So it is looking like that then @#*$%&*~#@*$%#@#~ excuse my French.

Dandello (Forum Administrator) - Re: Error log, Reply #10 - Oct 4th, 2014 at 3:29pm

Circumstantial evidence only - but yes. Some changes to YaBB's code in 2.6x have been deliberately left undocumented for that reason - why make it easy for the *tards? If they want to find an old weakness they can exploit they're going to darn well wade through however many thousands of lines of code to find what it looks like now. And JonB will be looking through the access logs and error logs to catch them trying.

Bill Myers (Tester) - Re: Error log, Reply #11 - Oct 4th, 2014 at 3:42pm

Thanks for the clarification. So it seems that somebody is targeting yabbforum.com specifically, and Jon's discovered this. If this is the case, then I'm glad Jon's on top of this since he's an expert at figuring out this kind of stuff, and he'll most likely be able to stop it at some point.

Edited:
Dandello wrote on Oct 4th, 2014 at 3:29pm:
"Some changes to YaBB's code in 2.6x have been deliberately left undocumented for that reason - why make it easy for the *tards?"

Privatization in an open source project concerns me.

Edited:
Important distinction that no longer has me concerned:

Dandello wrote on Oct 4th, 2014 at 3:54pm:
"It's not private - just not publicly announced."

Dandello (Forum Administrator) - Re: Error log, Reply #12 - Oct 4th, 2014 at 3:54pm

It's not private - just not publicly announced. Anyone who cares to do a comparison between the old code and new can do so. But since nearly every line in YaBB has been changed in some way between 2.5.2 and 2.6x, they get to wade through a lot of code or they have to know exactly what they're looking for.

(I mean - a LOT of changes haven't been publicly announced - do we have to list every single spot where <td align="right"> got changed to <td style="text-align:right"> ? :)

Bill Myers (Tester) - Re: Error log, Reply #13 - Oct 4th, 2014 at 4:24pm

Dandello wrote on Oct 4th, 2014 at 3:54pm:
"It's not private - just not publicly announced."

I think I understand that distinction, so thanks for making that point.

Monni (Language) - Re: Error log, Reply #14 - Oct 4th, 2014 at 5:07pm

Dandello wrote on Oct 4th, 2014 at 2:07pm:
"I think a future solution may be to figure out a way to 'time ban' IPs in the .htaccess - timestamp them and set a time limit after which they get removed. What's been observed is that the non-legitimate bots rotate through IP addresses."

I agree... time stamping them is wise... Maybe putting the time stamp in a special comment line above the Deny line... And parsing, and preserving that line if still needed, every time when the .htaccess file is modified.

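Added example (not part of the thread and not YaBB's own code): a Python sketch of the 'time ban' idea from Reply #6 and the comment-line scheme suggested in the post above. The `# timeban expires=<epoch>` comment format, the function names and the sample file are hypothetical; `Deny from` is the Apache directive the thread calls the Deny line.

```python
import ipaddress
import re

# Hypothetical marker format: a comment directly above the Deny line.
MARKER = re.compile(r"^# timeban expires=(\d+)$")


def add_ban(htaccess: str, ip: str, now: int, ttl: int) -> str:
    """Append a time-limited ban; raises ValueError for a non-IP value."""
    # Validate before writing, so nothing but a literal address (no
    # embedded newline or extra directive) can reach the file.
    ip = str(ipaddress.ip_address(ip))
    if htaccess and not htaccess.endswith("\n"):
        htaccess += "\n"
    return htaccess + f"# timeban expires={now + ttl}\nDeny from {ip}\n"


def prune_expired(htaccess: str, now: int) -> str:
    """Drop expired marker/Deny pairs and keep every other line."""
    lines = htaccess.splitlines()
    out = []
    i = 0
    while i < len(lines):
        m = MARKER.match(lines[i].strip())
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if m and nxt.lower().startswith("deny from "):
            if int(m.group(1)) > now:
                out.extend(lines[i:i + 2])   # still active: keep the pair
            i += 2
            continue
        out.append(lines[i])   # permanent bans and other directives stay
        i += 1
    return "\n".join(out) + ("\n" if out else "")


# Constructed sample file (documentation address ranges).
SAMPLE_HTACCESS = (
    "Order Allow,Deny\n"
    "Allow from all\n"
    "Deny from 203.0.113.9\n"
    "# timeban expires=1412430000\n"
    "Deny from 192.0.2.10\n"
    "# timeban expires=1412440000\n"
    "Deny from 198.51.100.7\n"
)

if __name__ == "__main__":
    print(prune_expired(SAMPLE_HTACCESS, now=1412435000))
```

Running the prune step on every write keeps the file from growing without limit while leaving permanent bans, which carry no marker, in place.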