Attacks on ezPublish installs ? Blank Users registered

Marco Zinn

Friday 23 September 2005 4:42:18 am

Hi,
for some weeks now, I have been experiencing issues with 2 public ezPublish 3.4 installations.
Now and then (every few days), someone seems to try to log in to the user site and then tries 17 times to register a user.
The registration fails and creates 17 blank users, including the mails to the admin mail address and mails to the (blank) user email address, which get returned to the sender (server) mail address.

First, I thought that this was a user who had some problems registering an account, but it happened at least 3 times with EXACTLY the same "click pattern", according to the Apache logfile.
This makes me think that this is an attack or at least something "scripted".
My next guess was a search engine spidering the page, but there is no "Browser Agent" reported, either.

This is what happens (I replaced the actual URLs):

204.38.36.89 - - [23/Sep/2005:12:08:36 +0200] "GET / HTTP/1.1" 200 10179 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:37 +0200] "GET /<defaultsiteaccesname>/<4th item in the top level menu> HTTP/1.1" 200 13360 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:39 +0200] "POST /<defaultsiteaccesname>/user/login HTTP/1.1" 200 9971 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:41 +0200] "POST /<defaultsiteaccesname>/user/login HTTP/1.1" 200 10773 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:42 +0200] "GET /<defaultsiteaccesname>/<1st item in the latest-items-box> HTTP/1.1" 200 12029 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:43 +0200] "GET /<defaultsiteaccesname>/user/register HTTP/1.1" 200 11923 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:46 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:50 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:54 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:57 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:59 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:02 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:05 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:08 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:11 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:14 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:16 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:19 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:22 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:24 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:27 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:29 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:32 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:34 +0200] "GET /<defaultsiteaccesname>/intern HTTP/1.1" 200 9976 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:09:36 +0200] "GET /<defaultsiteaccesname>/user/forgotpassword HTTP/1.1" 200 9939 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:09:38 +0200] "POST /<defaultsiteaccesname>/user/forgotpassword HTTP/1.1" 200 10476 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:39 +0200] "POST /<defaultsiteaccesname>/user/forgotpassword HTTP/1.1" 200 10075 "http://<domain>/" "-"
No further requests after this.

As you can see, the client does 17 POSTs to user/register. I thought it was a manual registration that encounters this bug: http://ez.no/bugs/view/7185 .
But: the client does not request the "user registration successful" HTML page, which he should see, even after an unsuccessful registration.
Instead, he POSTs to the same page 17 times, with a 2-3 second delay.
Also, the referrer URL is sometimes not set where I think a normal web browser should set it. The strangest thing: there is no user agent reported!!

As I said, the click pattern, from the first GET / to the 17 POSTs, including the 2-3 second delay, is identical for at least 3 "events".

My question:
Did you experience something similar? Do you think this is a scripted attack or some kind of "friendly" robot?
It does not take down the site or anything, but it created blank user accounts and the corresponding mails.

Target sites run 3.4.2 and 3.4.4 at the moment.

Marco
http://www.hyperroad-design.com
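A small detector for the pattern described in this post, added here as an example and not part of the thread or of eZ Publish: it parses Apache combined-format lines, groups POSTs to the registration URL per client IP, and flags a client that repeats them within a short window while never sending a User-Agent. The sample lines are constructed (documentation IPs, a placeholder siteaccess "site"), and the thresholds are assumptions to tune against your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the shape of the excerpt quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_register_floods(lines, path_suffix="/user/register", min_posts=5, window_secs=120):
    """Flag clients that POST to the registration form at least min_posts times within
    window_secs. Apache writes "-" in the agent field when no User-Agent header was sent."""
    posts, agents = defaultdict(list), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        agents[rec["ip"]].add(rec["agent"])
        if rec["method"] == "POST" and rec["path"].endswith(path_suffix):
            posts[rec["ip"]].append(rec["ts"])
    findings = {}
    for ip, stamps in posts.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[hi] - stamps[lo]).total_seconds() > window_secs:
                lo += 1
            if hi - lo + 1 >= min_posts:
                findings[ip] = {"posts": len(stamps), "empty_agent": agents[ip] == {"-"}}
                break
    return findings

# Constructed sample in the pattern the post describes (documentation IPs, not real clients).
SAMPLE = [
    f'203.0.113.5 - - [23/Sep/2005:12:08:{46 + 3 * i} +0200] "POST /site/user/register HTTP/1.1" 302 208 "http://example.org/" "-"'
    for i in range(5)
] + [
    '198.51.100.7 - - [23/Sep/2005:12:10:01 +0200] "POST /site/user/register HTTP/1.1" 302 208 "http://example.org/" "Mozilla/5.0"',
]
```

Run it over `access_log` lines instead of `SAMPLE` to get a per-IP dict of repeat registrants; a hit with `empty_agent` set is the combination the post is asking about.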

Kirill Subbotin

Friday 30 September 2005 6:49:41 am

I remember a similar problem - empty registered users... The situation was like this... (I just don't remember exactly):
A bad URL was requested from the page (wrong template or something), but the request was redirected to eZ Publish (because of wrong redirect rules).
After this, some session data gets lost and the user data becomes empty...

That's how I remember it, and maybe you have something similar. But we have fixed the possibilities for this problem in eZ Publish, although I don't remember the exact versions.
