Attacks on ezPublish installs ? Blank Users registered

Marco Zinn

Friday 23 September 2005 4:42:18 am

Hi,
since some weeks, I have experienced issues with 2 public ezPublish 3.4 installations.
Now and then (every few days), someone seems to try to log in to the user site and then tries 17 times to register a user.
The registration fails and creates 17 blank users, including the mails to the admin mail address and mails to the (blank) user email address, which get returned to the sender (server) mail address.

First, I thought that this was a user who had some problems registering an account, but it happened at least 3 times with EXACTLY the same "click pattern", according to the Apache logfile.
This makes me think that this is an attack or at least something "scripted".
My next guess was a search engine spidering the page, but there is no "Browser Agent" reported, either.

This is what happens (I replaced actual URLs):

204.38.36.89 - - [23/Sep/2005:12:08:36 +0200] "GET / HTTP/1.1" 200 10179 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:37 +0200] "GET /<defaultsiteaccesname>/<4th item in the top level menu> HTTP/1.1" 200 13360 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:39 +0200] "POST /<defaultsiteaccesname>/user/login HTTP/1.1" 200 9971 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:41 +0200] "POST /<defaultsiteaccesname>/user/login HTTP/1.1" 200 10773 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:42 +0200] "GET /<defaultsiteaccesname>/<1st item in the latest-items-box> HTTP/1.1" 200 12029 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:43 +0200] "GET /<defaultsiteaccesname>/user/register HTTP/1.1" 200 11923 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:46 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:50 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:54 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:57 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:59 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:02 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:05 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:08 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:11 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:14 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:16 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:19 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:22 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:24 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:27 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:29 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:32 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:34 +0200] "GET /<defaultsiteaccesname>/intern HTTP/1.1" 200 9976 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:09:36 +0200] "GET /<defaultsiteaccesname>/user/forgotpassword HTTP/1.1" 200 9939 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:09:38 +0200] "POST /<defaultsiteaccesname>/user/forgotpassword HTTP/1.1" 200 10476 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:39 +0200] "POST /<defaultsiteaccesname>/user/forgotpassword HTTP/1.1" 200 10075 "http://<domain>/" "-"
No further request after this.

As you see, the client does 17 POSTs to user/register. I thought it would be a manual register which encounters this bug: http://ez.no/bugs/view/7185 .
But: the client does not request the "user registration successful" HTML page, which he should see, even after an unsuccessful page.
Instead, he POSTs to the same page 17 times, with a 2-3 second delay.
Also, the referrer URL is sometimes not set, where I think a normal web browser should set it. The strangest thing: there is no user agent reported!!

As I said, the click pattern, from the first GET / to the 17 POSTs, including the 2-3 second delay, is identical for at least 3 "events".

My question:
Did you experience something similar? Do you think this is a scripted attack or some kind of "friendly" robot?
It does not take down the site or anything, but it created blank user accounts and the corresponding mails.

Target sites run 3.4.2 and 3.4.4 at the moment.

Marco
http://www.hyperroad-design.com
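The pattern Marco describes (a burst of POSTs to user/register from one IP with an empty User-Agent) can be picked out of an Apache combined log automatically. The script below is an added example, not code from the thread or from eZ Publish; the log lines, the siteaccess name `site`, the IPs and the domain `example.test` are constructed sample data, and the thresholds are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, the same layout as the excerpt in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_register_bursts(lines, path_suffix="/user/register", min_posts=5, window_sec=120):
    """Return {ip: run_length} for clients that POSTed to the registration path
    at least min_posts times within window_sec seconds while sending no User-Agent."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"].endswith(path_suffix)
                and rec["ua"] in ("", "-")):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        best, start = 0, 0
        # Sliding window: longest run of posts whose span fits in window_sec.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_sec:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_posts:
            flagged[ip] = best
    return flagged

# Constructed sample: one UA-less client posting 5 times in 13 s, one normal browser.
SAMPLE_LOG = (
    ['203.0.113.7 - - [23/Sep/2005:12:08:43 +0200] "GET /site/user/register HTTP/1.1" 200 11923 "-" "-"']
    + ['203.0.113.7 - - [23/Sep/2005:12:08:%02d +0200] "POST /site/user/register HTTP/1.1" '
       '302 208 "http://example.test/" "-"' % s for s in (46, 50, 54, 57, 59)]
    + ['198.51.100.9 - - [23/Sep/2005:12:10:01 +0200] "POST /site/user/register HTTP/1.1" '
       '302 208 "http://example.test/" "Mozilla/5.0"']
)

if __name__ == "__main__":
    print(find_register_bursts(SAMPLE_LOG))
```

Flagged IPs are a starting point for a rate limit or a CAPTCHA on the registration form rather than a verdict on their own, since some legitimate clients also omit the User-Agent header.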

Kirill Subbotin

Friday 30 September 2005 6:49:41 am

I remember a similar problem - empty registered users... The situation was like this (I just don't remember exactly):
A bad URL was requested from the page (wrong template or something), but the request was redirected to eZ Publish (because of wrong redirect rules).
After this some session data gets lost and the user data becomes empty...

That's how I remember it, and maybe you have something similar. But we have fixed the possibilities for this problem in eZ Publish, although I don't remember the exact versions.
