Certain strings saved in the errorlog.txt can cause serious issues in showing the error log.
These strings are the result of attempts to locate/access various server programs.

Since these attempts threw errors, the miscreants failed in getting to those files - BUT the saved error string itself can create problems when being looked at in the error log.
I'm working on preventative measures.

The current fix is to simply replace all the pointy brackets with html entities (with some work arounds for bold and breaks). That prevents bogus strings from messing up the html in the ErrorLog viewer.

We also need a 'block IP in .htaccess' for those not using the .htaccess function in Guardian. (Some of us don't like the automatic blocking function in Guardian.)

We're currently testing a "three-strikes you're out" auto-ban function for 'guest' IPs throwing repeated errors in a very short time. This is an idea JonB and I have talked about  - especially in light of the DOS attacks that have been aimed at YaBBForum.com.

These aren't things caught by Guardian as we're looking at the same IP throwing errors in an inhumanly short time..

I think a future solution may be to figure out a way to 'time ban' IPs in the .htaccess - timestamp them and set a time limit after which they get removed. What's been observed is that the non-legitimate bots rotate through IP addresses.

@Bill, we're not talking about keeping spambots from registering - we're talking about keeping them from attacking other portions of YaBB by inserting query stings Guardian doesn't catch (assuming it's turned on) and inundating the server with multiple errors per second. (And yes - PER SECOND!)  Every single error one of these b@stards throws gets written to the errorlog - which, despite outside appearances, is not a simple process.

We're talking about attacks aimed specifically at how YaBB's error logging and errorlog viewing is performed. And what they are trying to do is create a sting that will execute FROM THE ERRORLOG WHEN VIEWED! And if that fails, put enough garbage into the errorlog file that the viewer fails, the novice admin gets frustrated and goes to another forum software while bad-mouthing YaBB.
Edited:

Circumstantial evidence only - but yes.   

Some changes to YaBB's code in 2.6x have been deliberately left undocumented for that reason - why make it easy for the *tards? If they want to find an old weakness they can exploit they're going to darn well wade through however many thousands of lines of code to find what it looks like now. And JonB will be looking through the access logs and error logs to catch them trying.

It's not private - just not publicly announced. Anyone who cares to do a comparison between the old code and new can do so. But since nearly every line in YaBB has been changed in some way between 2.5.2 and 2.6x, they get to wade though a lot of code or they have to know exactly what they're looking for.

(I mean - a LOT of changes haven't been publicly announced - do we have to list every single spot where

<td align="right"> 

got changed to

<td style="text-align:right"> 

?  :)

Dandello wrote on Oct 4^th, 2014 at 2:07pm:


I agree... time stamping them is wise... Maybe putting the time stamp in a special comment line above the Deny line... And parsing, and preserving that line if still needed, every time when the .htaccess file is modified.

Dandello wrote on Oct 4^th, 2014 at 9:30pm:

Do you think it's blocking that The Guardian™ would have blocked anyway, or are you telling us that those bots actually defeated YaBB's security? The reason I ask is because I get the following in our error log:

"You tried to use scripting in the url or form input, which is not allowed!"

However, I could care less about those errors because scripting still hasn't caused any problems. YaBB's security wall has stopped it all.

On the other hand, if you're telling us that The Guardian™ is outdated, and needs additional help to stop scripts, that's bad news indeed. If that's the case, then it seems I've been very lucky over the last few years since I've been able to stop scripting spam-bots cold without any issues.

As such, I'll remain happy that our 2.4 forum seems to be operating just fine.

Keep in mind that there will be what seem to be failed blockings of spam-bots because another "utility" has blocked them, although had they not been blocked by that utility, another utility would have blocked them. In other words, from my perspective, YaBB can still stand against spam-bots whether they're trying to pass through malicious code, or they're trying to register, and subsequently post their spam. Shall I no longer presume those things?

I had this a bit earlier today:
Sorry, this service is for registered members only.

~~~~~YaBB.pl?board=&action=viewprofile

17 attempts per minute, but I can not tell for how long as I only had my log set to 100 entries and it was filled up. I traced the IP back to Germany, and I upped my error log to 500 entries.

Ah, stopping them on multiple failed attempts would be very helpful in our forum ... just as you deccribed it ... this is what commonly happens in our forum as well ... probably pretty common in most YaBB forums.

In our forum I've appended the default error message of "Sorry, this service is for registered members only."

Instead, it reads, "Sorry, this service is for registered members only. However, membership is free, so please become a member by clicking Register on the menu above."

I believe that spam-bot attempts to view profiles is done to harvest any email addresses that may be listed. Partly because of that, our forum allows members to hide their email addresses from the public. I like that YaBB presents email addresses as a java script link instead of the email address itself even if a member makes it public. Of course, auto-bots can still harvest those otherwise hidden email addresses with a script.

Edited:

Dandello wrote on Oct 5^th, 2014 at 5:52am:

That's actually incorrect (at least as I've referenced with the links to other 2.4 forums below). In our 2.4 forum as I pointed out, links to a member's profile produces an error message, even when you click on a last poster name. The appended error message that comes up in our 2.4 forum is as follows:

"Sorry, this service is for registered members only. However, membership is free, so please become a member by clicking Register on the menu above."

For a quick reference, check out the following forums that are still using the 2.4 version (randomly chosen):

http://www.theartofbooks.com/forum/YaBB.pl

http://www.scurion.ch/cgi-bin/yabb24/YaBB.pl

http://www.ephs1960.com/cgi-bin/yabb2/YaBB.pl

http://www.fnxbasic.com/cgi-bin/yabb2/YaBB.pl

***********************************************

Dandello wrote on Oct 5^th, 2014 at 5:52am:

That's only a certain segment of auto-harvesters. Another segment of an auto-harvester is one that captures a web page, searches for email addresses, and then filters everything else out but those email addresses ... just one way to harvest that data.

Yet aother segment of an auto-harvester is one that employ scripts, which are written to perform all of the necessary steps that a human would otherwise perform while registering. Even someone like myself who isn't experienced at writing code can pretty easily write a script to register in a YaBB forum. First, the auto-harvester is loaded up to retrieve a forum's register page, and then keystrokes are recorded.

This all started back in the days of writing DOS programs to perform certain tasks, some of which I wrote myself back in the eighties, of which none of mine were malicious. The scripts I remember writing were automated "how to" computer instructions for people who needed basic help to operate their computers. I also wrote simple programs. In practice as it was done back then, they'd insert a 5^1/4 inch floppy disk that I programmed to automatically start, and they'd be good to go.

But I digress. :

Basically, the way automated registration in a forum is done is by recording key stokes that become a form filler. I'm not giving away any secrets here, and I'm not being specific enough to cause any harm. As such, "Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts." A forum's registration page is simply another way a form filler can be used to automate the process.

The end result for automated spam-bots is that they can register memberships in a forum (not just in YaBB), and then post their spam using yet another bot for that. However, for years forums have been able to stop spam bots cold just as YaBB is able to do.

Bill Myers wrote on Oct 5^th, 2014 at 8:20am:


It's a LINK to the profile, Bill. Even if it only generates an error it's still a link! Maybe you don't care that your error log is filled with thousands of clicks on links that will only produce errors, but wouldn't it be better to not have those links showing to non-members if they're ONLY GOING TO PRODUCE ERRORS?

Red Barchetta wrote on Oct 5^th, 2014 at 3:00pm:

Exactly. Don't show them what they can't use.

Dandello wrote on Oct 5^th, 2014 at 2:08pm:

What I care about more is that guests can see they're missing out on being able to access a member's profile. As for the url of the profile being shown, a better alternative would be to show a simple message, perhaps as follows:

"Only members can access another member's profile."

I had a much longer reply detailing why I think it's fine that a guest can see the link to a member's profile, although I qualify that with my statement above. As for filling up my error log, it doesn't harm my forum, and I like having the ability to see what's causing spam-bot errors.

Red Barchetta wrote on Oct 5^th, 2014 at 5:05pm:

I think that's more in line with Dandello's thinking. That's to say, she doesn't want guests to be able to see the url of a member's profile. However it's done, I hope that guests will still be able to see how they're missing out on viewing a member's profile unless they register (although I suppose that's a given). Greying out that option seems like a pretty good idea to me if that can be done.

As for me personally, even though I may have a difference of opinion from time to time about how YaBB should operate, I can't recall a single time when I've been unhappy with what she's done, which is pretty amazing when you think about it. This forum of hers is a shining example of how to best showcase a YaBB forum.

Edited:

Dandello wrote on Oct 5^th, 2014 at 6:15pm:

That was my thinking as well although I don't think it should be an either/or situation ... haven't fully thought this out yet ... you're pretty much always right about this stuff.

On a sad note for me personally that I hope won't end up being the case, and as I had previously stated publicly about what I thought would happen before I was invited to be a member of this forum, there's now a very distinct possibility that I'll be unable to participate in this forum after this post. And who knows how long any of my posts will remain, or be without censorship? This will not be my choice.

Meanwhile, I'll remain positive about what will happen, and hope for the best. 

Monni wrote on Oct 5^th, 2014 at 7:11pm:

While I'm still able to post, my thinking about this has changed in that it makes sense to remove links to user profiles for guests, which is already what YaBB does, but this goes further by taking away the hover message with no need to produce an error message. It also looks a lot cleaner that way. Plus, intuitively, I'm thinking guests will likely believe they can view profiles if they register, which as we already know is what happens.

Edited:

@Monni, I like your thinking.

If I haven't already mentioned it, thank you very much for helping to develop YaBB to make an already great forum better. It's very much appreciated!

As a clarification, whether I personally like something or I don't, I nonetheless always favor giving as many options to admin as can be made so that they can operate their forums in any way they choose.

Monni wrote on Oct 5^th, 2014 at 7:58pm:

I like this one as well.