SQL injection attack
#11

[eluser]Unknown[/eluser]
I agree with @jairoh_. The active record can never be SQL injected.
#12

[eluser]Young Australia[/eluser]
I don't know if it was an injection attack, but one of the sites I've built has been attacked.

the ee_members table suddenly contains 511 MB of data.

I was wondering how you resuscitated your logins?

Michael
#13

[eluser]Young Australia[/eluser]
Oh by the way, it seems to have been some bot net because ee recorded 13495 different IP addresses as the source of the attack.

Michael
#14

[eluser]sv3tli0[/eluser]
If it's injection, why do you think that it started at this update???
Injections can be made anywhere in your site to any table..
There must be only 1 hole..

Search your script for CUSTOM queries with unescaped fields ...
OR perhaps they can access your DB / PHPAdmin if you have or other way..
#15

[eluser]Pert[/eluser]
If it's members table and you have public sign up page, they can just send POST data to your receiving page, which creates all the records in DB.

That's why captchas are used, so when the captcha fails, you don't create a user record.
#16

[eluser]sv3tli0[/eluser]
Captchas?

If you escape the POST data there is no way for an injection to be made.
Captcha helps vs brute-force attacks limiting requests to the form..
#17

[eluser]Pert[/eluser]
Just pointing out that random data in the DB doesn't necessarily mean it was injection, but actual site functionality that allowed someone to create a bunch of user accounts.
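As an added example (not code from this thread or from the forum software), a small Python check over constructed web-server access-log lines that tells the pattern Pert describes, many accounts created through the public sign-up form from many different addresses, apart from a single abusive client; the combined log format and the `/member/register` path are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (assumed format;
# the thread shows no logs). The sign-up path "/member/register" is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:14:01:02 +0000] "POST /member/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Mar/2012:14:01:03 +0000] "POST /member/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:14:01:03 +0000] "POST /member/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2012:14:01:04 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2012:14:01:05 +0000] "POST /member/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2012:14:02:10 +0000] "POST /member/register HTTP/1.1" 302 0 "http://example.com/member/register" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(log_text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def registration_stats(log_text, register_path="/member/register"):
    """Summarise POSTs to the sign-up endpoint: how many, from how many distinct
    IPs, and how many arrived without a Referer (a browser-submitted form
    normally carries one; scripted POSTs straight to the endpoint often do not)."""
    posts = [r for r in parse(log_text)
             if r["method"] == "POST" and r["path"] == register_path]
    ips = Counter(r["ip"] for r in posts)
    return {
        "posts": len(posts),
        "distinct_ips": len(ips),
        "no_referer": sum(1 for r in posts if r["referer"] == "-"),
        "top_ip": ips.most_common(1)[0] if ips else None,
    }


def looks_like_bot_registration(stats, min_posts=4, min_ip_ratio=0.75):
    """Flag when sign-up POSTs are numerous and spread across many distinct IPs
    (the botnet pattern in the thread) rather than coming from one client."""
    if stats["posts"] < min_posts:
        return False
    return stats["distinct_ips"] / stats["posts"] >= min_ip_ratio
```

Run it against the real access log around the time the ee_members table grew; a high distinct-IP ratio plus missing Referers points at the sign-up form, not at a query bug.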
#18

[eluser]Young Australia[/eluser]
Thanks all for your suggestions.

I don't think I use any custom queries, only the standard tags.

I didn't think I had created any sign up pages. I'll have to see if there is a default address for those.

Just did and member sign up was turned on without captchas. I turned sign up off and captchas on.

Thanks again.

Regards,
Michael
#19

[eluser]Pert[/eluser]
Booom, headshot! I still got it
