It is currently 28 Mar 2024, 20:18




 Page 1 of 1 [ 9 posts ] 
Author Message
 Post subject: HACK ATTEMPT on LDDb.com
PostPosted: 02 Jan 2020, 05:08 
Site Admin
Site Admin
User avatar

Joined: 07 Aug 2002, 23:37
Posts: 4540
Location: Tokyo
Has thanked: 292 times
Been thanked: 1136 times
Thanks to blam1 for pointing out that the Global Shop sub-categories was sending back "Wrong country code, sorry"

The country code itself (ALL) was correct, it's what came after that wasn't!

Ex: %20%27-6863%20union%20all%20select%201,CONCAT(0x3a6f79753a,IFnull(CAST(COUNT(*)%20AS%20CHAR),0x20),0x3a70687a3a)%20FROM%20lddb_search._search_2008#&cat=video&key=3

Google for the first CONCAT Hex code and you'll see that quite many websites have also been infected:

https://www.google.com/search?q=0x3a6f79753a

It's not the database, admin account hasn't been compromised but somehow they found a way to poison/compromise the memcached data.

I invalidated all data to start from fresh again, but will monitor if they ever try again.

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
Offline
 Profile  
 
 Post subject: Re: HACK ATTEMPT on LDDb.com
PostPosted: 02 Jan 2020, 05:46 
Advanced fan
Advanced fan
User avatar

Joined: 26 Jun 2019, 06:17
Posts: 570
Location: New Zealand
Has thanked: 138 times
Been thanked: 178 times
b*****ds!
Good on ya for reporting blam1
_________________
CLD-R7G
CLD-D590
VSA-E07 AC3RF+DTS
iScan DUO Processor
Check out my small but loved collection here..
Offline
 Profile  
 
 Post subject: Re: HACK ATTEMPT on LDDb.com
PostPosted: 02 Jan 2020, 08:25 
Absolute fan
Absolute fan
User avatar

Joined: 11 Jun 2008, 06:10
Posts: 1617
Location: Milky Way-Sol System-Terra-USA-North Carlolina.
Has thanked: 561 times
Been thanked: 238 times
Hat is off to blam1....
Cheers mate...

Repel borders !
_________________
Acta Non Verba .....
Si Vis Pacem Para Bellum ....
Si Gorgiamus Allos Subjectatos Nunc ......
Offline
 Profile  
 
 Post subject: Re: HACK ATTEMPT on LDDb.com
PostPosted: 02 Jan 2020, 13:56 
Jedi Candidate
Jedi Candidate
User avatar

Joined: 02 Apr 2006, 21:20
Posts: 2125
Location: United States
Has thanked: 75 times
Been thanked: 132 times
great job on blam1's part and Julien for this to be an attempt only.
Offline
 Profile  
 
 Post subject: Re: HACK ATTEMPT on LDDb.com
PostPosted: 04 Jan 2020, 23:18 
Hardcore fan
Hardcore fan
User avatar

Joined: 20 Feb 2011, 19:23
Posts: 1033
Location: United Kingdom
Has thanked: 30 times
Been thanked: 26 times
Excellent work both of you for fixing this.

Interestingly Google notified me that an account I used had been compromised but didn't tell me which. I changed all my passwords but I guess it was probably LDDB.

Well done spotting and sorting it : )
_________________
Pioneer DVL-919E, Onkyo TX-NR626, LG C8 OLED.
My Collection
Offline
 Profile  
 
 Post subject: Re: HACK ATTEMPT on LDDb.com
PostPosted: 10 Feb 2020, 13:15 
Site Admin
Site Admin
User avatar

Joined: 07 Aug 2002, 23:37
Posts: 4540
Location: Tokyo
Has thanked: 292 times
Been thanked: 1136 times
hippiedalek wrote:
Interestingly Google notified me that an account I used had been compromised but didn't tell me which. I changed all my passwords but I guess it was probably LDDB.


Google would only notify of major websites, not LDDb. And the passwords here are encrypted one-way, there's no way I can guess it even if I wanted to.

blam1 saw another round of attacks (from a Russian IP) so today I beefed up the firewall rules to try to catch these script kiddies before they make any damage.

Already caught 5 more, keeping them out for a month.
Should make them give up pretty quickly.

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
Offline
 Profile  
 
 Post subject: Re: HACK ATTEMPT on LDDb.com
PostPosted: 30 Apr 2020, 03:48 
Site Admin
Site Admin
User avatar

Joined: 07 Aug 2002, 23:37
Posts: 4540
Location: Tokyo
Has thanked: 292 times
Been thanked: 1136 times
And one of the attacks was eventually successful in getting some data out.

The very few (~12) accounts with unencrypted passwords that could have been retrieved were updated and notified.

These attacks were based on a 2016 scripts readily available: https://github.com/samedog/PHPmvs/blob/master/PHPmvs.php

I'm getting a daily log of suspicious URLs that got caught and blocking their IPs for a month.
They happen in waves with sources spread around the world, meaning that they are part of a botnet made of compromised computers launching parallel attacks to improve efficiency.

These attacks basically cost nothing to perform: they do not pay the electricity for compromised computers, it runs automatically from temporary Amazon, Azure or Google clouds costings a few $/hour.

They will just increase over time, better be ready!

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
Offline
 Profile  
 
 Post subject: Re: HACK ATTEMPT on LDDb.com
PostPosted: 08 May 2020, 08:34 
Site Admin
Site Admin
User avatar

Joined: 07 Aug 2002, 23:37
Posts: 4540
Location: Tokyo
Has thanked: 292 times
Been thanked: 1136 times
SQL injection attempt banning time (by IP) increased from 1 to 6 months.

Top 20 countries for such attacks:

+------------------+-------+
| Origin of attack | Total |
+------------------+-------+
| US               |  1046 |
| FR               |   134 |
| DE               |   127 |
| RU               |    95 |
| CN               |    94 |
| GB               |    54 |
| NL               |    53 |
| TR               |    50 |
| UA               |    45 |
| JP               |    30 |
| CA               |    29 |
| BR               |    26 |
| ES               |    23 |
| CZ               |    21 |
| PL               |    19 |
| SE               |    18 |
| AU               |    15 |
| IT               |    14 |
| VN               |    14 |
| SG               |    11 |
+------------------+-------+


USA is #1 because most disposable VMs from cloud service provides are originating from Amazon, Google or Microsoft.

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
Offline
 Profile  
 
 Post subject: Re: HACK ATTEMPT on LDDb.com
PostPosted: 27 May 2020, 05:50 
Site Admin
Site Admin
User avatar

Joined: 07 Aug 2002, 23:37
Posts: 4540
Location: Tokyo
Has thanked: 292 times
Been thanked: 1136 times
Last (I hope!) round or of update on this type of attack.

I finally found the remaining piece of code that still allowed the cached version of the Global Shop to be poisoned (for 24h) by outside bogus URL probings.

It will be fully fixed for the LDDB v3.3 upgrade coming... maybe tonight!

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
Offline
 Profile  
 
Display posts from previous:  Sort by  
 Page 1 of 1 [ 9 posts ] 


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to: