Page Index Toggle Pages: 1 [2] 3  Send TopicPrint
Very Hot Topic (More than 25 Replies) Error log (Read 47477 times)
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #24 - Oct 5th, 2014 at 2:08pm
Print Post  
Bill Myers wrote on Oct 5th, 2014 at 8:20am:
links to a member's profile produces an error message


It's a LINK to the profile, Bill. Even if it only generates an error it's still a link! Maybe you don't care that your error log is filled with thousands of clicks on links that will only produce errors, but wouldn't it be better to not have those links showing to non-members if they're ONLY GOING TO PRODUCE ERRORS?
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
xnoddyx
Global Moderator
*****
Offline


I Love YaBB!

Posts: 31
Location: UK:Scotland/Livingston
Joined: Feb 18th, 2014
Gender: Male
Re: Error log
Reply #23 - Oct 5th, 2014 at 1:41pm
Print Post  
Dandello wrote on Oct 4th, 2014 at 9:30pm:
The current utility I'm testing here has blocked 15 IP addresses that got past Guardian in the past 3 hours. The criteria - 3 errors from non-members in less than a not very large number of seconds. (And the server access log indicates those 15 IPs generated over 300 attempts to get in, all of which would have been written to the YaBB errorlog.)

And remember - this isn't a site with a lot of inbound links.

that's a good test definitely looking good bots are like Smiley lol
  

as bill and ted say be excellent to each other
(More to come)
Back to top
GTalkFacebookYouTube  
IP Logged
 
Bill Myers
New Member
*
Offline


Using YaBB since 2002

Posts: 46
Location: Los Angeles, CA
Joined: Feb 13th, 2014
Gender: Male
Re: Error log
Reply #22 - Oct 5th, 2014 at 8:20am
Print Post  
Dandello wrote on Oct 5th, 2014 at 5:52am:
And links to member profiles do appear for non-members in 2.4 - logout of a 2.4/2.5 forum, click on a last poster name and see what happens.

That's actually incorrect (at least as I've referenced with the links to other 2.4 forums below). In our 2.4 forum as I pointed out, links to a member's profile produces an error message, even when you click on a last poster name. The appended error message that comes up in our 2.4 forum is as follows:

"Sorry, this service is for registered members only. However, membership is free, so please become a member by clicking Register on the menu above."

For a quick reference, check out the following forums that are still using the 2.4 version (randomly chosen):

http://www.theartofbooks.com/forum/YaBB.pl

http://www.scurion.ch/cgi-bin/yabb24/YaBB.pl

http://www.ephs1960.com/cgi-bin/yabb2/YaBB.pl

http://www.fnxbasic.com/cgi-bin/yabb2/YaBB.pl

***********************************************

Dandello wrote on Oct 5th, 2014 at 5:52am:
... auto-harvesters are looking at the sourcecode, not the page as rendered by a browser.

That's only a certain segment of auto-harvesters. Another segment of an auto-harvester is one that captures a web page, searches for email addresses, and then filters everything else out but those email addresses ... just one way to harvest that data.

Yet aother segment of an auto-harvester is one that employ scripts, which are written to perform all of the necessary steps that a human would otherwise perform while registering. Even someone like myself who isn't experienced at writing code can pretty easily write a script to register in a YaBB forum. First, the auto-harvester is loaded up to retrieve a forum's register page, and then keystrokes are recorded.

This all started back in the days of writing DOS programs to perform certain tasks, some of which I wrote myself back in the eighties, of which none of mine were malicious. The scripts I remember writing were automated "how to" computer instructions for people who needed basic help to operate their computers. I also wrote simple programs. In practice as it was done back then, they'd insert a 51/4 inch floppy disk that I programmed to automatically start, and they'd be good to go.

But I digress. Roll Eyes

Basically, the way automated registration in a forum is done is by recording key stokes that become a form filler. I'm not giving away any secrets here, and I'm not being specific enough to cause any harm. As such, "Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts." A forum's registration page is simply another way a form filler can be used to automate the process.

The end result for automated spam-bots is that they can register memberships in a forum (not just in YaBB), and then post their spam using yet another bot for that. However, for years forums have been able to stop spam bots cold just as YaBB is able to do.
  

Morning, noon, or night, have a great one!
Back to top
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #21 - Oct 5th, 2014 at 5:52am
Print Post  
Bill Myers wrote on Oct 5th, 2014 at 5:27am:
"Sorry, this service is for registered members only."


That error is an indication of an attempt by a bot or a guest to access a user profile or another member-only feature. (And links to member profiles do appear for non-members in 2.4 - logout of a 2.4/2.5 forum, click on a last poster name and see what happens.)

Bill Myers wrote on Oct 5th, 2014 at 5:27am:
can still harvest those otherwise hidden email addresses with a script

The emails are rendered from javascript by a browser - generally harvesters do not use browsers, cannot read instructions and can't tell colors in pictures: because the auto-harvesters are looking at the sourcecode, not the page as rendered by a browser. (And I have a number of email addresses - the one's I get spam on are the one's I've used in meta tags, subscribed to services with and have been in the contact lists of people who haven't been real careful about who they've sent their contact list to. The ones protected by even the simplest javascript have yet to get spam.)
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Bill Myers
New Member
*
Offline


Using YaBB since 2002

Posts: 46
Location: Los Angeles, CA
Joined: Feb 13th, 2014
Gender: Male
Re: Error log
Reply #20 - Oct 5th, 2014 at 5:27am
Print Post  
Ah, stopping them on multiple failed attempts would be very helpful in our forum ... just as you deccribed it ... this is what commonly happens in our forum as well ... probably pretty common in most YaBB forums.

In our forum I've appended the default error message of "Sorry, this service is for registered members only."

Instead, it reads, "Sorry, this service is for registered members only. However, membership is free, so please become a member by clicking Register on the menu above."

I believe that spam-bot attempts to view profiles is done to harvest any email addresses that may be listed. Partly because of that, our forum allows members to hide their email addresses from the public. I like that YaBB presents email addresses as a java script link instead of the email address itself even if a member makes it public. Of course, auto-bots can still harvest those otherwise hidden email addresses with a script.

Edited:
Dandello wrote on Oct 5th, 2014 at 5:24am:
That particular errorlog entry is going to be taken care of in 2.6.2 by not showing the link to profiles when the user isn't a member.

In a 2.4 forum this is already the case. Is it not that way in 2.6.1?

Edited:
I answered my own question. It is that way for 2.6.1 as I just noticed. Wink
  

Morning, noon, or night, have a great one!
Back to top
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #19 - Oct 5th, 2014 at 5:24am
Print Post  
That particular errorlog entry is going to be taken care of in 2.6.2 by not showing the link to profiles when the user isn't a member. There won't be anything for the bots to 'click' on unless it was previously added to a list of possible exploitable links.

But that's an example of the persistence of bots - a human would have given up after only a couple of error notices.
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Red Barchetta
New Member
*
Offline



Posts: 46
Location: Miami, FL. USA
Joined: Oct 4th, 2014
Gender: Male
Re: Error log
Reply #18 - Oct 5th, 2014 at 4:09am
Print Post  
I had this a bit earlier today:
Sorry, this service is for registered members only. 

~~~~~YaBB.pl?board=&action=viewprofile


17 attempts per minute, but I can not tell for how long as I only had my log set to 100 entries and it was filled up. I traced the IP back to Germany, and I upped my error log to 500 entries.
  

Florida Classics and Muscle Car Automotive Forum Administrator
Back to top
WWW  
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #17 - Oct 5th, 2014 at 3:59am
Print Post  
These are errors created by bots that were trying to register or post in 1-10 second intervals. Their attempts to register or post were foiled by YaBB's security. BUT this utility detects the multiple failed attempts and blocks the IPs generating them on an .htaccess level. Guardian checks for bad strings and bad scripting - not multiple 'legal errors'. This keeps those IPs from repeatedly hitting the Register script, the Guest PM and the Guest Post scripts. Generally bots make 20-100 tries before giving up. That's 17+ errors for each of those IPs that didn't get written to the Errorlog because they were stopped before hand.

This is simply another, different, level of blocking spambots that should prove useful for forums that get hit with thousands failed of spambot hits per hour in the errorlog.
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Bill Myers
New Member
*
Offline


Using YaBB since 2002

Posts: 46
Location: Los Angeles, CA
Joined: Feb 13th, 2014
Gender: Male
Re: Error log
Reply #16 - Oct 5th, 2014 at 1:30am
Print Post  
Dandello wrote on Oct 4th, 2014 at 9:30pm:
The current utility I'm testing here has blocked 15 IP addresses that got past Guardian in the past 3 hours.

Do you think it's blocking that The Guardian™ would have blocked anyway, or are you telling us that those bots actually defeated YaBB's security? The reason I ask is because I get the following in our error log:

"You tried to use scripting in the url or form input, which is not allowed!"

However, I could care less about those errors because scripting still hasn't caused any problems. YaBB's security wall has stopped it all.

On the other hand, if you're telling us that The Guardian™ is outdated, and needs additional help to stop scripts, that's bad news indeed. If that's the case, then it seems I've been very lucky over the last few years since I've been able to stop scripting spam-bots cold without any issues.

As such, I'll remain happy that our 2.4 forum seems to be operating just fine. Smiley

Keep in mind that there will be what seem to be failed blockings of spam-bots because another "utility" has blocked them, although had they not been blocked by that utility, another utility would have blocked them. In other words, from my perspective, YaBB can still stand against spam-bots whether they're trying to pass through malicious code, or they're trying to register, and subsequently post their spam. Shall I no longer presume those things?
  

Morning, noon, or night, have a great one!
Back to top
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #15 - Oct 4th, 2014 at 9:30pm
Print Post  
The current utility I'm testing here has blocked 15 IP addresses that got past Guardian in the past 3 hours. The criteria - 3 errors from non-members in less than a not very large number of seconds. (And the server access log indicates those 15 IPs generated over 300 attempts to get in, all of which would have been written to the YaBB errorlog.)

And remember - this isn't a site with a lot of inbound links.
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Monni
Senior Member
****
Offline


Min izāmō

Posts: 413
Location: Kaarina, Finland
Joined: Jul 16th, 2014
Gender: Male
Re: Error log
Reply #14 - Oct 4th, 2014 at 5:07pm
Print Post  
Dandello wrote on Oct 4th, 2014 at 2:07pm:
I think a future solution may be to figure out a way to 'time ban' IPs in the .htaccess - timestamp them and set a time limit after which they get removed. What's been observed is that the non-legitimate bots rotate through IP addresses. 


I agree... time stamping them is wise... Maybe putting the time stamp in a special comment line above the Deny line... And parsing, and preserving that line if still needed, every time when the .htaccess file is modified.
  
Back to top
IP Logged
 
Bill Myers
New Member
*
Offline


Using YaBB since 2002

Posts: 46
Location: Los Angeles, CA
Joined: Feb 13th, 2014
Gender: Male
Re: Error log
Reply #13 - Oct 4th, 2014 at 4:24pm
Print Post  
Dandello wrote on Oct 4th, 2014 at 3:54pm:
It's not private - just not publicly announced.

I think I understand that distinction, so thanks for making that point. Smiley
  

Morning, noon, or night, have a great one!
Back to top
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #12 - Oct 4th, 2014 at 3:54pm
Print Post  
It's not private - just not publicly announced. Anyone who cares to do a comparison between the old code and new can do so. But since nearly every line in YaBB has been changed in some way between 2.5.2 and 2.6x, they get to wade though a lot of code or they have to know exactly what they're looking for.

(I mean - a LOT of changes haven't been publicly announced - do we have to list every single spot where
Code (HTML)
Select All
<td align="right"> 

got changed to
Code (HTML)
Select All
<td style="text-align:right"> 

Roll Eyes)
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Bill Myers
New Member
*
Offline


Using YaBB since 2002

Posts: 46
Location: Los Angeles, CA
Joined: Feb 13th, 2014
Gender: Male
Re: Error log
Reply #11 - Oct 4th, 2014 at 3:42pm
Print Post  
Thanks for the clarification.

So it seems that somebody is targeting yabbforum.com specifically, and Jon's discovered this. If this is the case, then I'm glad Jon's on top of this since he's an expert at figuring out this kind of stuff, and he'll most likely be able to stop it at some point.

Edited:
Dandello wrote on Oct 4th, 2014 at 3:29pm:
Some changes to YaBB's code in 2.6x have been deliberately left undocumented for that reason - why make it easy for the *tards?

Privatization in an open source project concerns me. Sad

Edited:
Important distinction that no longer has me concerned:

Dandello wrote on Oct 4th, 2014 at 3:54pm:
It's not private - just not publicly announced.
  

Morning, noon, or night, have a great one!
Back to top
IP Logged
 
Dandello
Forum Administrator
*****
Offline


I love YaBB 2.7!

Posts: 1759
Location: The Land of YaBB
Joined: Feb 12th, 2014
Gender: Female
Re: Error log
Reply #10 - Oct 4th, 2014 at 3:29pm
Print Post  
Circumstantial evidence only - but yes.   Angry

Some changes to YaBB's code in 2.6x have been deliberately left undocumented for that reason - why make it easy for the *tards? If they want to find an old weakness they can exploit they're going to damn well wade through however many thousands of lines of code to find what it looks like now. And JonB will be looking through the access logs and error logs to catch them trying.
  

Perfection is not possible. Excellence, however, is excellent.
Back to top
WWW  
IP Logged
 
Page Index Toggle Pages: 1 [2] 3 
Send TopicPrint