Hacker...

Discussion of non-phpBB related topics with other phpBB.com users.
bubbathegimp
Registered User
Posts: 132
Joined: Tue Sep 25, 2018 8:02 pm
Location: Off Plumb
Name: Bubba

Hacker...

Post by bubbathegimp »

Apparently I have a Hacker in Poland trying to get in....

Sat Mar 14, 2020 11:28 am Filter by country: An invalid IP of 83.24.240.111 was detected in the HTTP header “HTTP_X_FORWARDED_FOR“ for username “Anonymous“.

Sat Mar 14, 2020 11:28 am Filter by country: An invalid IP of 1.0 translate.google.com TWSFE/0.9 was detected in the HTTP header “HTTP_VIA“ for username “Anonymous“.

https://community.spiceworks.com/tools/ ... 24.240.111

or am I interpreting this wrong?
(Still a Noob)

Lumpy Burgertushie
Registered User
Posts: 67395
Joined: Mon May 02, 2005 3:11 am

Re: Hacker...

Post by Lumpy Burgertushie »

did the "hacker" get in? if not there is nothing to worry about.

as far as I remember, there has not been a known successful hack of phpbb since 3.0 came out.


robert

John connor
Registered User
Posts: 2492
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Hacker...

Post by John connor »

bubbathegimp wrote:
Sat Mar 14, 2020 9:02 pm
or am I interpreting this wrong?
(Still a Noob)
Yes.

And that IP is a residential IP address and the router is not an infected router turned into a zombie bot net. Further, they were using Google translate since they more than likely only know the Polish language and not English. To top that off, the X-forwarded-for is tripping up because the Polish user is using Google translate which acts as a proxy of sorts. So I imagine there's a conflict there with the X-forwarded-for IP address header and the real IP.

Where are these logs coming from?


Lumpy Burgertushie wrote:
Sun Mar 15, 2020 7:05 am
did the "hacker" get in? if not there is nothing to worry about.

as far as I remember, there has not been a known successful hack of phpbb since 3.0 came out.


robert
I hear this all the time, but with phpBB 3.0 I know damn well there were certain hacks I read about. Also, the software may be kosher now, but vulnerabilities can be found later, as is the case for any software or hardware. Be it a CPU, router, CMS, browser, you name it. Nothing, and I mean NOTHING is absolutely 100% "hack/crack" proof. Also, you have to consider the server and its patches for CVEs, etc. The software running on the server could be up to par, but if the server has a vulnerability it's game over.

bubbathegimp
Registered User
Posts: 132
Joined: Tue Sep 25, 2018 8:02 pm
Location: Off Plumb
Name: Bubba

Re: Hacker...

Post by bubbathegimp »

As far as I can tell nobody got in...
Only thing I saw in the logs that looks suspicious..
Board seems OK so Far.

Mick
Support Team Member
Posts: 22325
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: Hacker...

Post by Mick »

Many ‘bot masters’ and hackers use residential IP addresses, by the time they get caught, if they ever do, it’s too late the damage is done. Don’t be put off by the IP address, they mean little or nothing in the grand scheme.
John connor wrote:
Sun Mar 15, 2020 8:14 am
The software running on the server could be up to par, but if the server has a vulnerability it's game over
Exactly.
"The more connected we get the more alone we become" - Kyle Broflovski

Please read: “Am I In The Right Place?” before posting.

bubbathegimp
Registered User
Posts: 132
Joined: Tue Sep 25, 2018 8:02 pm
Location: Off Plumb
Name: Bubba

Re: Hacker...

Post by bubbathegimp »

John connor wrote:
Sun Mar 15, 2020 8:14 am
bubbathegimp wrote:
Sat Mar 14, 2020 9:02 pm
or am I interpreting this wrong?
(Still a Noob)
Yes.

Where are these logs coming from?


My Maintenance logs...

John connor
Registered User
Posts: 2492
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Hacker...

Post by John connor »

It sounds like the IP used for the X-forwarded-for and the real IP are the conflict as to why you see that. Since Google translate is a proxy of sorts that's most likely the reason. The host might be to blame for this error as well. Their software that generates the logs might not be able to discern from the X-forwarded-for and real IPs. I know this is an issue for vbulletin or older versions of vbulletin. I could change my X-forwarded-for IP and in the vbulletin logs I'd show up as a blank IP address.
Mick wrote:
Sun Mar 15, 2020 10:06 am
Many ‘bot masters’ and hackers use residential IP addresses

This is a possible vector but I said that this IP isn't a zombie bot net as I tested the IP.

stevemaury
Support Team Member
Posts: 51203
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Hacker...

Post by stevemaury »

John connor wrote:
Sun Mar 15, 2020 8:14 am

I hear this all the time, but with phpBB 3.0 I know damn well there were certain hacks I read about.
Would you care to cite some evidence in support of this? That's a rather provocative statement, considering.
John connor wrote:
Sun Mar 15, 2020 8:14 am
Also, the software may be kosher now, but vulnerabilities can be found later, as is the case for any software or hardware. Be it a CPU, router, CMS, browser, you name it. Nothing, and I mean NOTHING is absolutely 100% "hack/crack" proof. Also, you have to consider the server and its patches for CVEs, etc. The software running on the server could be up to par, but if the server has a vulnerability it's game over.
None of which are under the control of phpBB.
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

John connor
Registered User
Posts: 2492
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Hacker...

Post by John connor »

stevemaury wrote:
Sat Mar 21, 2020 7:23 pm
Would you care to cite some evidence in support of this? That's a rather provocative statement, considering.
https://www.exploit-db.com/exploits/2007

https://www.phpsecure.info/SearchAdviso ... Rech=phpbb
stevemaury wrote:
Sat Mar 21, 2020 7:23 pm
None of which are under the control of phpBB.
I said that vulnerabilities are found all the time no matter the platform. Be it software or hardware. phpBB fixes security issues all the time. So do browsers. So do CPUs, drivers, firmware, you name it. That's why there is a CVE website to list them all.

You people seem over confident that your software is secure, and it may, but one day an exploit may be found and pried open.

JLA
Registered User
Posts: 531
Joined: Tue Nov 16, 2004 5:23 pm
Location: USA
Name: JLA FORUMS

Re: Hacker...

Post by JLA »

Don't worry about it - it is normal. Most board owners don't realize (depending on traffic) they have tens of thousands or more of attempts against their site every day. Try a useful log parser and take a close look at your site's traffic and you will be surprised at what you find.

Noxwizard
Support Team Leader
Posts: 10373
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: Hacker...

Post by Noxwizard »

John connor wrote:
Sun Mar 22, 2020 6:35 am
John connor wrote:I hear this all the time, but with phpBB 3.0 I know damn well there were certain hacks I read about.
stevemaury wrote:Would you care to cite some evidence in support of this? That's a rather provocative statement, considering.
https://www.exploit-db.com/exploits/2007
Please see section IV of this article about that exploit: https://blog.phpbb.com/2008/07/06/explo ... them-back/

As for your other link, the vast majority of those links are for phpBB 2, MODs for phpBB, or products that aren't phpBB anymore (e.g. postNuke). For CVEs, use the actual source since theirs won't just be links to broken sites: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb

We certainly aren't perfect and have had issues, but we haven't had a major issue in a very long time. While there was a recent RCE, it required access to a Founder account.

The reason you "hear this all the time" is because people make comments like yours without any research as to whether they're true statements and keep perpetuating untruths. Yes, phpBB 3.0 is out of maintenance, but that doesn't immediately make it insecure. Yes, a new exploit could be found "any day now", that's true for all software. I ask that you avoid using blanket statements and make more accurate posts in the future which allow others to come to informed decisions and not just see FUD.

-------

As for the original topic at hand, I see no one has provided an actual answer to the issue.
Filter by country: An invalid IP of <IP> was detected in the HTTP header “HTTP_X_FORWARDED_FOR“ ...
First, what the X_FORWARDED_FOR header is: (reference)
The X_FORWARDED_FOR header is used by a proxy or load balancer to indicate to a backend service what the user's actual IP address is because the service is going to see the proxy/load balancer's IP address where it would normally see the client's. This allows the backend service to do what it normally needs to do with that information. This header is normally expected to be a well-formatted IP address, though the format may vary between services.

The HTTP_VIA header is also mentioned: (reference)
This header is a little more free-form than the previous. It allows the service which is forwarding the request (e.g. the load balancer) to provide information about itself. This is useful if multiple forwards occur: it allows the system to prevent a forwarding loop by not forwarding the request to a server it's already been forwarded to. This might contain an IP address, but will probably also contain other protocol information as well.

These messages you are receiving appear to be related to the Filter by country extension in which you've already posted. The way that extension works is it takes every HTTP Header that could possibly contain an IP address and tries to run it against the MaxMind geo-location service. If a field doesn't contain a valid IP address, it's logged as a failure. Since it's checking a lot of fields that may or may not actually have an IP address (it doesn't know your setup and is just guessing), you're going to see a lot of errors logged.

Now to your specific errors:
bubbathegimp wrote:
Sat Mar 14, 2020 9:02 pm
Sat Mar 14, 2020 11:28 am Filter by country: An invalid IP of 83.24.240.111 was detected in the HTTP header “HTTP_X_FORWARDED_FOR“ for username “Anonymous“.
This looks like a bug in the extension since it was presented with a valid IP address. You should ask the extension author about it.
bubbathegimp wrote:
Sat Mar 14, 2020 9:02 pm
Sat Mar 14, 2020 11:28 am Filter by country: An invalid IP of 1.0 translate.google.com TWSFE/0.9 was detected in the HTTP header “HTTP_VIA“ for username “Anonymous“.
As I mentioned earlier, the HTTP_VIA header probably doesn't contain just an IP address, which is what the extension is expecting. In this case, it's been told 1.0 translate.google.com TWSFE/0.9, probably indicating that the Google Translate server (acting as a proxy to translate your website) received an HTTP 1.0 request, it provided its own hostname, and then its product version. Since this isn't an IP, the extension logged it as an error.

To summarize, this looks to just be how your extension works and not any kind of attempt to break into your site. In the future, if you are concerned about something like a potential attack, please post to our Incident Tracker instead.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
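The following Python script is an added illustration of the header parsing described in the post above; it is not code from phpBB or from the Filter by country extension (both of which are PHP). It parses X-Forwarded-For as the comma-separated chain it actually is and Via as the per-hop "protocol received-by [comment]" form from RFC 7230, so that a hostname in Via is reported as "not an IP by design" rather than as an invalid IP. The sample headers are constructed from the two log lines quoted in the thread; the REMOTE_ADDR value 203.0.113.10 (a documentation address standing in for the proxy) and the trusted-proxy set passed to client_ip are assumptions.

```python
import ipaddress

# Constructed sample request headers, modelled on the two log lines quoted in
# the thread (not captured from the poster's server). REMOTE_ADDR is an assumed
# documentation-range address standing in for the proxy that reached the site.
SAMPLE_HEADERS = {
    "REMOTE_ADDR": "203.0.113.10",
    "HTTP_X_FORWARDED_FOR": "83.24.240.111",
    "HTTP_VIA": "1.0 translate.google.com TWSFE/0.9",
}


def parse_ip(text):
    """Return an ipaddress object for a single well-formed IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def parse_x_forwarded_for(value):
    """X-Forwarded-For is a comma-separated chain: the leftmost entry is the
    original client and each proxy appends the address it received the request
    from. Returns (valid_ips, malformed_entries)."""
    valid, malformed = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        ip = parse_ip(entry)
        if ip is None:
            malformed.append(entry)
        else:
            valid.append(str(ip))
    return valid, malformed


def parse_via(value):
    """Via (RFC 7230 section 5.7.1) carries one comma-separated element per hop:
    received-protocol RWS received-by [ RWS comment ]. received-by is a host or
    pseudonym and is not required to be an IP; Google Translate appends a product
    token ("TWSFE/0.9") where a parenthesised comment would normally sit."""
    hops = []
    for element in value.split(","):
        parts = element.split(None, 2)
        if len(parts) < 2:
            continue  # malformed element: no received-by field, ignore it
        protocol, received_by = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        hops.append({
            "protocol": protocol,
            "received_by": received_by,
            "comment": comment,
            "received_by_is_ip": parse_ip(received_by) is not None,
        })
    return hops


def classify_headers(headers):
    """Report what a log reviewer wants: which addresses were actually present,
    and which 'invalid IP' cases are just a header that never carries a bare IP.
    Each finding is (kind, header_name, value)."""
    findings = []
    xff = headers.get("HTTP_X_FORWARDED_FOR")
    if xff is not None:
        valid, malformed = parse_x_forwarded_for(xff)
        findings += [("ok", "HTTP_X_FORWARDED_FOR", ip) for ip in valid]
        findings += [("malformed", "HTTP_X_FORWARDED_FOR", bad) for bad in malformed]
    via = headers.get("HTTP_VIA")
    if via is not None:
        for hop in parse_via(via):
            kind = "ok" if hop["received_by_is_ip"] else "not-an-ip-by-design"
            findings.append((kind, "HTTP_VIA", hop["received_by"]))
    remote = headers.get("REMOTE_ADDR")
    if remote is not None:
        kind = "ok" if parse_ip(remote) else "malformed"
        findings.append((kind, "REMOTE_ADDR", remote.strip()))
    return findings


def client_ip(headers, trusted_proxies):
    """Pick the address to attribute the request to. X-Forwarded-For is only
    honoured when REMOTE_ADDR is one of our own proxies (assumed set), because
    any client can send an X-Forwarded-For value of its choosing; otherwise the
    TCP peer address (REMOTE_ADDR) is the only value the server can vouch for."""
    remote = headers.get("REMOTE_ADDR", "").strip()
    if remote in trusted_proxies:
        valid, _ = parse_x_forwarded_for(headers.get("HTTP_X_FORWARDED_FOR", ""))
        if valid:
            return valid[0]
    return remote


if __name__ == "__main__":
    for finding in classify_headers(SAMPLE_HEADERS):
        print(finding)
    print("attributed client:", client_ip(SAMPLE_HEADERS, {"203.0.113.10"}))
```

Run against the constructed headers, the script reports 83.24.240.111 as a valid X-Forwarded-For entry, flags translate.google.com in Via as not-an-IP-by-design rather than an error, and attributes the request to 83.24.240.111 only because REMOTE_ADDR is in the trusted-proxy set; with an empty set it falls back to REMOTE_ADDR.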

bubbathegimp
Registered User
Posts: 132
Joined: Tue Sep 25, 2018 8:02 pm
Location: Off Plumb
Name: Bubba

Re: Hacker...

Post by bubbathegimp »

Squid Test??...
