Socoder -> Site & Server -> Syntax Hacks

Sun, 19 Feb 2023, 02:21
Syntaxbomb is down again. Hackers keep breaking in. A rewrite is being done by Qube and should be done later today.
Sun, 19 Feb 2023, 04:07
I would hope this isn't a targeted attack. Watching my stats all the time shows a staggering number of bots that will scour the server for holes.

They must have a list of vulnerable scripts, and then try their damnedest to find any of those scripts on your server.
Daily, I get things like requests for admin.php, user.php, login.php, admin/login.php, and the usual suspects, but there's also a TON of script names that keep coming up over and over. From their names, it's evident that these are indeed Forum scripts, as well as Wordpress scripts, and ..
Dear god, the script-searching that goes on at AGameA.Wiki is scary as all hell.

.env, .aws, credentials, config, laravel (?), phpinfo, ab2h.. All requested in the space of about an hour, this morning.

Last night at 22:26: between 14, 15 and 16 seconds past the minute, about 50 or so folders were all requested (cgi-bin/, php/, test/, media/, shop/, api/, etc) with the wp-includes/wlwmanifest.xml file, so that's something to watch for.
I'm not sure where a hole in a wlwmanifest.xml file might be, but that's definitely something they're looking for.

For my own sanity, I threw a TON of these "not here, mate" requests into the .htaccess file, and a whole lot of them will redirect to an incredibly fake login page. Not all of them; most will simply default to the homepage of whichever site is being accessed, but whenever the fake login does get triggered, it records the IP address, and if there are too many of those requests in a short space of time, the IP gets banned for an hour or so. (So don't go trying to get to it, or you'll end up being locked out, yourself!!!)

It's a minor step, but I think it's helped keep things a little more secure.
I'd recommend such a step to Qube, if he reads this, but I expect he's far too busy, right now, trying to get things back to normal.

What's the best solution to all this?
I'm not sure. But I think scouring the logs will probably help quite a bit.
Dig through the logs, see if he can find the odd requests, then open the code up and see if there's anything that can be found/fixed.
Might end up having to disable one or two features for a short while, until he can find the exact causes.

Additionally, if the database is still intact, make a backup, scan through, and see if there's anything untoward in there. It might be a latent "dodgy post" that's causing the issue.

I wish Qube all the luck in the world, and hope it's not as tough as I'm imagining it in my head.

''Load, Next List!''
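The detection side of what the post above describes, as an added example that is not the poster's .htaccess setup or any code from the forum: it reads Apache combined-format access log lines, flags the probe paths named in the thread (.env, .aws, credentials, config, phpinfo, admin/user/login.php and the wp-includes/wlwmanifest.xml folder sweep), and marks an IP for a one-hour ban once it exceeds a threshold of probe hits inside a short sliding window. The threshold, window, log format and sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Scanner probe paths named in the thread (.env, .aws, credentials, config,
# phpinfo, admin/user/login.php, and the wp-includes/wlwmanifest.xml sweep).
PROBE_PATTERNS = [re.compile(p) for p in (
    r"/wp-includes/wlwmanifest\.xml$", r"/\.env$", r"/\.aws(/|$)",
    r"/credentials$", r"/config(\.php)?$", r"/phpinfo(\.php)?$",
    r"/(admin/)?(admin|user|login)\.php$",
)]
# Apache combined log format (assumed): ip ident user [ts] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
THRESHOLD = 5                     # probe hits tolerated per IP ... (assumed value)
WINDOW = timedelta(seconds=10)    # ... within this sliding window (assumed value)
BAN_FOR = timedelta(hours=1)      # ban length, as in the post ("an hour or so")

def parse_line(line):
    """Return (ip, timestamp, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"]

def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)

def find_bans(lines, threshold=THRESHOLD, window=WINDOW, ban_for=BAN_FOR):
    """Map each IP that made >= threshold probe requests within `window` to its ban expiry."""
    hits, bans = defaultdict(list), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not is_probe(parsed[2]):
            continue
        ip, ts, _ = parsed
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]  # keep only in-window hits
        if len(hits[ip]) >= threshold and ip not in bans:
            bans[ip] = ts + ban_for
    return bans

# Constructed sample log, modelled on the 22:26 sweep described in the post: one IP
# requests six folders with wlwmanifest.xml in three seconds; another browses normally
# and makes a single .env probe, which stays below the threshold.
SAMPLE_LOG = [
    f'203.0.113.7 - - [18/Feb/2023:22:26:{14 + i // 2} +0000] "GET /{d}/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "-"'
    for i, d in enumerate(["cgi-bin", "php", "test", "media", "shop", "api"])
] + [
    '198.51.100.9 - - [18/Feb/2023:22:26:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [18/Feb/2023:22:30:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "-"',
]
```

Running `find_bans(SAMPLE_LOG)` bans only 203.0.113.7, at its fifth probe hit (22:26:16) until 23:26:16; the lone .env request from the other IP is logged as a probe but never reaches the threshold.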
Sun, 19 Feb 2023, 16:30
New SyntaxBomb is up and running. Looks like Qube was able to keep the database intact, thankfully.
Great job, @Qube!

''Load, Next List!''
Sun, 19 Feb 2023, 17:07
Blimey! Qube has been busy.