
And you thought you were...

maynard

Having a bad day.

[image: bad-day.jpg]


Of course, if I was going to be there, it would be a good day.
 
Ok, so I'm sure by now some of you figured out that when you clicked on this thread it was triggering a security alert. If you didn't read the warning and kept clicking on it then your IP got blocked and you would no longer be allowed to access the site at all! (it says to read the warnings).

Why was this happening?

I employ a lot of security measures to prevent bad guys from hacking the site. One of them is called "security rules", which look for specific phrases in a browser URL that could be associated with an attempted hack. When you click on a thread, it puts the thread title in your browser and will look something like this:

https://www.britishcarforum.com/bcf/showthread.php?120636-And-you-thought-you-were

In this case, the phrase "having-a-bad-day" was triggering one of the security rules designed to prevent what is called an SQL (database) injection attack. Now, what it is about that phrase that could be associated with an SQL database injection I have no idea, but it does. This is the email I get when someone tried to access this thread (before I removed the phrase "having a bad day" from the title), and it shows the details of the security rule and why the IP got blocked. (I've deleted the IP address of the member triggering the rule for security reasons.)

Time: Fri Oct 2 11:33:18 2020 -0400
IP: (deleted for security) (US/United States/msnbot-(deleted for security).search.msn.com)
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block [LF_MODSEC]

Log entries:

[Fri Oct 02 11:32:20.994522 2020] [:error] [pid 9543] [client (deleted IP for security):1596] [client (deleted IP)] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:[\\\\s()]case\\\\s*?\\\\()|(?:\\\\)\\\\s*?like\\\\s*?\\\\()|(?:having\\\\s*?[^\\\\s]+\\\\s*?[^\\\\w\\\\s])|(?:if\\\\s?\\\\([\\\\d\\\\w]\\\\s*?[=<>~]))" at ARGS_NAMES:120638-And-you-thought-you-were-having-a-bad-day-Question. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "65"] [id "942230"] [rev "2"] [msg "Detects conditional SQL injection attempts"] [data "Matched Data: having-a-bad-day- found within ARGS_NAMES:120638-And-you-thought-you-were-having-a-bad-day-Question: 120638-And-you-thought-you-were-having-a-bad-day-Question"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.britishcarforum.com"] [uri "/bcf/showthread.php"] [unique_id "X3dIBCSDD8hAhX@OwoOs1AAAAAQ"]

Don't worry too much if you don't understand it - I only half way understand it.
 
PS: I get an email any time an IP is blocked by the server - I have unblocked all the IP addresses I could find that had been recently blocked by accessing this thread before I edited the title.
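An added example (not the forum's or the server's own code) that replays the rule against the thread URL: it pulls the `[key "value"]` fields out of a ModSecurity log line and applies the 942230 regex quoted in that log to the URL's query-string parameter names, which is where vBulletin's showthread.php puts the thread title. The log line and URLs below are constructed from the post above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern copied from the ModSecurity log entry in the post (OWASP CRS 3.0
# rule 942230), with the log's escaped backslashes collapsed to single ones.
CRS_942230 = re.compile(
    r"(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()"
    r"|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))"
)

# Constructed, abbreviated copy of the log line in the post (IP removed).
SAMPLE_LOG = (
    '[Fri Oct 02 11:32:20.994522 2020] [:error] [pid 9543] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/'
    'REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "65"] [id "942230"] '
    '[msg "Detects conditional SQL injection attempts"] '
    '[data "Matched Data: having-a-bad-day- found within ARGS_NAMES:'
    '120638-And-you-thought-you-were-having-a-bad-day-Question"] '
    '[severity "CRITICAL"] [uri "/bcf/showthread.php"]'
)

def modsec_fields(line):
    """Pull the [key "value"] pairs out of a ModSecurity error-log line."""
    return dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))

def args_names(url):
    """Query-string parameter *names*, i.e. what ModSecurity calls ARGS_NAMES.
    vBulletin's showthread.php?ID-slug puts the whole title into the name."""
    return list(parse_qs(urlsplit(url).query, keep_blank_values=True))

def rule_hit(url):
    """Fragment of an argument name that rule 942230 matches, or None if clean."""
    for name in args_names(url):
        m = CRS_942230.search(name)
        if m:
            return m.group(0)
    return None

if __name__ == "__main__":
    f = modsec_fields(SAMPLE_LOG)
    print(f["id"], "-", f["msg"], "->", f["data"])
    base = "https://www.britishcarforum.com/bcf/showthread.php?"
    before = base + "120638-And-you-thought-you-were-having-a-bad-day-Question"
    after = base + "120636-And-you-thought-you-were"
    print(rule_hit(before))  # having-a-bad-day-
    print(rule_hit(after))   # None
```

The match is the `having` alternative: the word followed by any run of non-space characters and then a punctuation character, which the hyphenated slug satisfies. A scoped fix, rather than deleting the rule, is a target exclusion such as `SecRuleUpdateTargetById 942230 "!ARGS_NAMES"`, so the rule keeps inspecting argument values.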
 
Good job being alert, as always.
 
He thought he was going to NYC.... the Pig Apple.
 
Just a little while ago, from the other pigs in the pen, "Hey Fred, isn't that a pile of edible garbage in that box over there?? You should check it out"....
 
Basil, thanks for the security. Much appreciated - even though I don’t understand most of it!
 
Well I know what SQL injection is but the rest is just mumbo jumbo. But glad you have strong security anyway.
 