By kmv on
I get a lot of noise in my logs, but the following PHP error grabbed my attention:
Type: php
Date: Monday, 9 February, 2009 - 13:46
User: Anonymous
Location: http://www.keiths-place.com/comment/reply/169
Referrer: http://www.keiths-place.com/blog/keith/2007/site-updates
Message: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '=' query: SELECT COUNT(uid) FROM users WHERE LOWER(name) = '??????' in /home/keiths-place/public_html/includes/database.mysql.inc on line 174.
Severity: error
Hostname: 75.64.39.150
And here is the web log for their visit (their whole visit):
75.64.39.150 - - [09/Feb/2009:06:45:58 -0700] "GET /blog/keith/2007/site-updates HTTP/1.0" 200 16279 "-" "Mozilla/6.0 (compatible; MSIE 7.0a1; Windows NT 5.2; SV1)"
75.64.39.150 - - [09/Feb/2009:06:46:00 -0700] "POST /blog/keith/2007/comment/reply/169 HTTP/1.0" 404 3269 "http://www.keiths-place.com/blog/keith/2007/site-updates" "Mozilla/6.0 (compatible; MSIE 7.0a1; Windows NT 5.2; SV1)"
75.64.39.150 - - [09/Feb/2009:06:46:02 -0700] "POST /comment/reply/169 HTTP/1.0" 200 14660 "http://www.keiths-place.com/blog/keith/2007/site-updates" "Mozilla/6.0 (compatible; MSIE 7.0a1; Windows NT 5.2; SV1)"
What got my attention here is that whatever it was that the hax0rd Comcast user POSTed to me managed to get past the content filter on the comment form and down into the database layer to cause that error.
I am running Drupal 5.15.
Thoughts?
Comments
I see a lot of noise like
I see a lot of noise like this... it looks like filters did their job, otherwise "???????" would have been DROP *... I think... Hackers scan for holes all the time... But you never know... Usually, the versions I see have straight injection attacks written all over them... character encodings and all...
--
"I'm not concerned about all hell breaking loose, but that a PART of hell will break loose... it'll be much harder to detect." - George Carlin
--
Personal: http://www.nicklewis.org
Work: http://www.entermedianow.com
--
"I'm not concerned about all hell breaking loose, but that a PART of hell will break loose... it'll be much harder to detect." - George Carlin
--
Personal: http://www.nicklewis.org
Work: http://www.zivtech.com
Adding the BadBehavior
Adding the BadBehavior module will probably block some, or a lot, of this type of stuff.
Before assuming that there
Before assuming that there is a threat there, I would check for database configuration errors. Take a look at the structure of your users table with phpmyadmin. Are the collations of all the columns utf8_general_ci (especially the 'name' column)?
If the connection charset is utf8 and the database charset of the users.name column is wrong (latin1), then probably an anonymous user trying to post a comment enters a utf8 name with foreign characters or apostrophes, Drupal compares this utf8 string with the latin1 usernames, and naturally logs an error.
I don't see how "injecting" the error logs could be dangerous (although I am no security expert).
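A way to run the check described in this comment without phpMyAdmin, and to reproduce the exact error from the original post on a scratch table, as an added example that is not from the thread, from Drupal, or from any commenter. It assumes a MySQL server, a client connected with a utf8 charset (which is what SET NAMES utf8 sets up), and a throwaway table named collation_demo; the Cyrillic name is a constructed sample, and the table and column names in the first query are taken from the logged statement.

```sql
-- Added example: check the collation of users.name through information_schema
-- (the same check the comment suggests doing in phpMyAdmin). Run this against
-- the Drupal database; 'users' and 'name' come from the query in the log entry.
SELECT TABLE_NAME, COLUMN_NAME, CHARACTER_SET_NAME, COLLATION_NAME
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME = 'users'
  AND COLUMN_NAME = 'name';
-- If COLLATION_NAME is latin1_swedish_ci while the site connects as utf8,
-- the mismatch named in the watchdog message is explained.

-- Reproduce the error on a scratch table (hypothetical name collation_demo),
-- never on the live users table.
CREATE TABLE collation_demo (
  uid  INT NOT NULL,
  name VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL
);
INSERT INTO collation_demo (uid, name) VALUES (1, 'keith');

-- Utf8 connection: string literals now carry utf8_general_ci with COERCIBLE
-- coercibility, exactly as in the logged message.
SET NAMES utf8;

-- Plain ASCII literal: MySQL converts it to the column's latin1 collation,
-- the comparison runs and returns 1.
SELECT COUNT(uid) FROM collation_demo WHERE LOWER(name) = 'keith';

-- Constructed sample name containing characters that do not exist in latin1
-- (Cyrillic). MySQL cannot convert the literal to the column's charset, so it
-- raises:
--   ERROR 1267 (HY000): Illegal mix of collations (latin1_swedish_ci,IMPLICIT)
--   and (utf8_general_ci,COERCIBLE) for operation '='
-- The literal sits inside quotes just as in the logged query; it is the
-- character set of the value, not its content, that trips the error.
SELECT COUNT(uid) FROM collation_demo WHERE LOWER(name) = 'кейт';

-- Fix: bring the column in line with the connection charset. On the real
-- users table take a backup first.
ALTER TABLE collation_demo CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;

-- The same lookup now runs cleanly and simply returns 0.
SELECT COUNT(uid) FROM collation_demo WHERE LOWER(name) = 'кейт';

DROP TABLE collation_demo;
```

The "??????" in the watchdog message is consistent with this explanation: characters with no latin1 representation are the ones that cannot be converted, and they are also the ones that show up as question marks when the message is stored or displayed in a latin1 context. A quick way to tell a real probe from a charset problem is to look for the literal in the logged query: an injection attempt would show SQL syntax escaping the quotes, whereas here the value is still a plain quoted string.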