Kunena 5.1.5 Released - Security Release (14 Oct 2018)

The Kunena team has announced the arrival of Kunena 5.1.5 [K 5.1.5], which is now available for download as a native Joomla extension for J! 3.8.x. This version addresses most of the issues that were discovered in K 5.1 and issues discovered during the development stages of K 5.1. This is a security release.

Question Kunena security problem

3 years 4 weeks ago - 3 years 4 weeks ago #1 by PieceOfCake
Hello everyone,

I am actually experiencing some security problems with my Joomla! v3.4.4 (Kunena 4.0.5).
For the first time in two years I got spam on one (and only one) post of my forum. I deleted the spam, but they continued to reply to this post, and this one only.

So the only solution I found was to close the guilty post.
Before closing it I found the following lines in my raw logs:

5.101.217.176 - - [20/Sep/2015:00:01:55 -0500] "GET /forum/trucs-et-astuces/51-le-warden-sous-eq2-builds-aa-raid-et-groupe-heal.html HTTP/1.0" 200 14280 " www.guerrier-celeste.fr/forum/trucs-et-a...groupe-heal.html#465 " "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
5.101.217.176 - - [20/Sep/2015:00:02:01 -0500] "POST /forum.html HTTP/1.0" 303 20 " www.guerrier-celeste.fr/forum/trucs-et-a...groupe-heal.html#465 " "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
5.101.217.176 - - [20/Sep/2015:00:02:02 -0500] "GET /forum/trucs-et-astuces/51-le-warden-sous-eq2-builds-aa-raid-et-groupe-heal.html HTTP/1.0" 200 14381 " www.guerrier-celeste.fr/51-le-warden-sou...groupe-heal.html#465 " "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
5.101.217.176 - - [20/Sep/2015:00:02:06 -0500] "GET /forum/credits.html HTTP/1.0" 200 12155 " www.guerrier-celeste.fr/forum/credits.html " "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
5.101.217.176 - - [20/Sep/2015:00:02:08 -0500] "GET /guide-de-survie/des-forums-des-reponses.html HTTP/1.0" 200 18681 " www.guerrier-celeste.fr/guide-de-survie/...ms-des-reponses.html " "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
5.101.217.176 - - [20/Sep/2015:00:02:18 -0500] "GET /guide-de-survie/des-forums-des-reponses.html HTTP/1.0" 200 18681 " www.guerrier-celeste.fr/guide-de-survie/...ms-des-reponses.html " "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
5.101.217.176 - - [20/Sep/2015:00:02:26 -0500] "GET /guide-de-survie/des-forums-des-reponses.html?tmpl=component&print=1&page= HTTP/1.0" 200 5505 " www.guerrier-celeste.fr/des-forums-des-r...ponent&print=1&page= " "Mozilla/5.0 (Android; Tablet; rv:36.0) Gecko/36.0 Firefox/36.0"
5.101.217.176 - - [20/Sep/2015:00:02:28 -0500] "GET /forum/index.html HTTP/1.0" 200 14037 " www.guerrier-celeste.fr/forum/index.html " "Mozilla/5.0 (Android; Tablet; rv:36.0) Gecko/36.0 Firefox/36.0"
5.101.217.176 - - [20/Sep/2015:00:02:30 -0500] "GET /forum/messagesrecents.html HTTP/1.0" 200 15209 " www.guerrier-celeste.fr/messagesrecents.html " "Mozilla/5.0 (Android; Tablet; rv:36.0) Gecko/36.0 Firefox/36.0"
5.101.217.176 - - [20/Sep/2015:00:02:33 -0500] "GET /forum/aide.html HTTP/1.0" 200 16039 " www.guerrier-celeste.fr/aide.html " "Mozilla/5.0 (Android; Tablet; rv:36.0) Gecko/36.0 Firefox/36.0"
5.101.217.176 - - [20/Sep/2015:00:02:35 -0500] "GET /forum/recherche.html HTTP/1.0" 200 12551 " www.guerrier-celeste.fr/recherche.html " "Mozilla/5.0 (Android; Tablet; rv:36.0) Gecko/36.0 Firefox/36.0"
5.101.217.176 - - [20/Sep/2015:00:02:37 -0500] "GET /forum/trucs-et-astuces/51-le-warden-sous-eq2-builds-aa-raid-et-groupe-heal/reply.html HTTP/1.0" 200 18177 " www.guerrier-celeste.fr/forum/trucs-et-a...oupe-heal/reply.html " "Mozilla/5.0 (Android; Tablet; rv:36.0) Gecko/36.0 Firefox/36.0"
5.101.217.176 - - [20/Sep/2015:00:02:42 -0500] "POST /forum.html HTTP/1.0" 303 20 " www.guerrier-celeste.fr/forum/trucs-et-a...oupe-heal/reply.html " "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0"
5.101.217.176 - - [20/Sep/2015:00:02:56 -0500] "GET /forum/trucs-et-astuces/51-le-warden-sous-eq2-builds-aa-raid-et-groupe-heal.html HTTP/1.0" 200 16417 " www.guerrier-celeste.fr/forum/trucs-et-a...groupe-heal.html#594 " "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0"

I must say that I am using a captcha (reCAPTCHA) and a Stop Forum Spam API key as protection for the forum (the entire site is protected with the reCAPTCHA API, aesecure and Honey Pot Project at the global level).
Since I closed the entire post (forum/trucs-et-astuces/51-le-warden-sous-eq2-builds-aa-raid-et-groupe-heal) I have had no more spam.

Happy end? Not really: since that moment I have been getting a lot of connections, with a different IP each time, and while analyzing my logs in detail I found numerous entries which are all of this form:

141.101.132.169 - [22/Sep/2015:12:54:47 GET /guide-de-survie/des-forums-des-reponses.html?tmpl=component&print=1&page= HTTP/1.0 200 17578 www.guerrier-celeste.fr/des-forums-des-r...ponent&print=1&page= "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:54:49 GET /forum/index.html HTTP/1.0 200 55318 www.guerrier-celeste.fr/forum/index.html "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:54:51 GET /forum/messagesrecents.html HTTP/1.0 200 61263 www.guerrier-celeste.fr/messagesrecents.html "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:54:53 GET /forum/aide.html HTTP/1.0 200 57594 www.guerrier-celeste.fr/aide.html "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:54:56 GET /forum/recherche.html HTTP/1.0 200 47667 www.guerrier-celeste.fr/recherche.html "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:54:58 GET /forum/user/task-change.html?topic_layout=threaded&044210eedf6d79d08916d53e42e3b143=1 HTTP/1.0 303 - www.guerrier-celeste.fr/forum/user/task-...d08916d53e42e3b143=1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:55:00 GET /forum/user/task-change.html?topic_layout=threaded&044210eedf6d79d08916d53e42e3b143=1 HTTP/1.0 303 - www.guerrier-celeste.fr/task-change.html...d08916d53e42e3b143=1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:55:02 GET /task-change.html?topic_layout=threaded&044210eedf6d79d08916d53e42e3b143=1 HTTP/1.0 404 3139 www.guerrier-celeste.fr/task-change.html...d08916d53e42e3b143=1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:55:04 GET /forum.html HTTP/1.0 200 55901 www.guerrier-celeste.fr/forum.html "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:55:11 GET /forum/breves-de-comptoir.html HTTP/1.0 200 70447 www.guerrier-celeste.fr/forum/breves-de-comptoir.html "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0"
141.101.132.169 - [22/Sep/2015:12:54:40 GET /guide-de-survie/des-forums-des-reponses.html HTTP/1.0 200 73729 www.guerrier-celeste.fr/guide-de-survie/...ms-des-reponses.html "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1"


It seems they are trying to use a task-change.html page, which most of the time ends with a 404 error. Although I am not sure this is the same hacker who spammed the post I had to close, I am not sure there is no security failure under that (it seems they are trying to find one).

For the moment they have not been able to spam my site again; I just have a bunch of unwanted connections recorded!
Do you have an idea of what is happening and how I should manage that?

You'll find my configuration report attached.




Best regards


Database collation check: The collation of your table fields are correct

Joomla! SEF: Enabled | Joomla! SEF rewrite: Enabled | FTP layer: Disabled |

htaccess: Exists | PHP environment: Max execution time: 120 seconds | Max execution memory: 256M | Max file upload: 128M

Kunena menu details:


Joomla default template details : jsn_epic_pro | author: JoomlaShine.com | version: 6.0.9 | creationdate: Unknown

Kunena default template details : JSN Epic | author: Joomlashine Team | version: 6.0.8 | creationdate: 12/04/2014

Kunena version detailed: Kunena 4.0.5 | 2015-08-17 [ Turnau ]
Kunena detailed configuration:
Kunena integration settings:
Joomla! detailed language files installed:

Third-party components: None

Third-party SEF components: None

Plugins: None

Modules: None

Last edit: 3 years 4 weeks ago by rich. Reason: Configuration report correctly inserted
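The raw log lines in the post above carry two signals a site owner can check for mechanically: one source IP presenting several different User-Agent strings within a minute (and submitting the reply form with a User-Agent different from the one that loaded it), and repeated requests for task-change.html that end in 303 or 404. The following Python script is an added example, not part of this thread and not Kunena's own code, showing how such checks can be run over Apache combined-format access logs. The sample lines are constructed (documentation IP ranges, shortened paths) to mirror the shapes shown in the post; the thresholds and function names are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the format of the lines quoted in the post.
# Referer is matched with surrounding whitespace tolerated (the quoted lines have " url ").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"\s*(?P<referer>[^"]*?)\s*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation IP ranges, shortened paths); not the poster's real log.
SAMPLE_LOG = """\
198.51.100.23 - - [20/Sep/2015:00:01:55 -0500] "GET /forum/topic-51.html HTTP/1.0" 200 14280 "http://example.invalid/forum/topic-51.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) Chrome/41.0"
198.51.100.23 - - [20/Sep/2015:00:02:18 -0500] "GET /guide.html HTTP/1.0" 200 18681 "http://example.invalid/guide.html" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Firefox/39.0"
198.51.100.23 - - [20/Sep/2015:00:02:26 -0500] "GET /forum/index.html HTTP/1.0" 200 14037 "http://example.invalid/forum/index.html" "Mozilla/5.0 (Android; Tablet; rv:36.0) Firefox/36.0"
198.51.100.23 - - [20/Sep/2015:00:02:37 -0500] "GET /forum/topic-51/reply.html HTTP/1.0" 200 18177 "http://example.invalid/forum/topic-51.html" "Mozilla/5.0 (Android; Tablet; rv:36.0) Firefox/36.0"
198.51.100.23 - - [20/Sep/2015:00:02:42 -0500] "POST /forum.html HTTP/1.0" 303 20 "http://example.invalid/forum/topic-51/reply.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:38.0) Firefox/38.0"
198.51.100.77 - - [22/Sep/2015:12:54:58 -0500] "GET /forum/user/task-change.html?topic_layout=threaded&x=1 HTTP/1.0" 303 - "http://example.invalid/forum/index.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Firefox/39.0"
198.51.100.77 - - [22/Sep/2015:12:55:02 -0500] "GET /task-change.html?topic_layout=threaded&x=1 HTTP/1.0" 404 3139 "http://example.invalid/forum/index.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Firefox/39.0"
203.0.113.7 - - [22/Sep/2015:13:10:00 -0500] "GET /forum/index.html HTTP/1.0" 200 14037 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/40.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse all lines, silently dropping ones that do not match the format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def _by_ip(records):
    groups = defaultdict(list)
    for r in records:
        groups[r["ip"]].append(r)
    for rs in groups.values():
        rs.sort(key=lambda r: r["ts"])
    return groups


def ua_churn(records, window_seconds=120, min_agents=3):
    """IPs that present >= min_agents distinct User-Agent strings inside any window_seconds span.

    A single browser keeps one User-Agent for a session; several within a minute
    from one address is the pattern visible in the first log excerpt of the post.
    Returns {ip: max distinct agents seen in one window}."""
    flagged = {}
    for ip, rs in _by_ip(records).items():
        best = 0
        for i, start in enumerate(rs):
            agents = {r["ua"] for r in rs[i:]
                      if (r["ts"] - start["ts"]).total_seconds() <= window_seconds}
            best = max(best, len(agents))
        if best >= min_agents:
            flagged[ip] = best
    return flagged


def probe_hits(records, patterns=("task-change.html",)):
    """Requests whose path contains a watched endpoint, with their status codes,
    so repeated 303/404 responses to the same address stand out. Returns {ip: [(path, status)]}."""
    hits = defaultdict(list)
    for r in records:
        if any(p in r["path"] for p in patterns):
            hits[r["ip"]].append((r["path"].split("?")[0], r["status"]))
    return dict(hits)


def form_post_ua_mismatch(records, max_gap_seconds=30):
    """POSTs that follow a GET of the reply form from the same IP within max_gap_seconds
    but with a different User-Agent than the one that loaded the form.
    Returns [(ip, gap_seconds, form_ua, post_ua)]."""
    findings = []
    for ip, rs in _by_ip(records).items():
        last_form = None
        for r in rs:
            if r["method"] == "GET" and r["path"].split("?")[0].endswith("/reply.html"):
                last_form = r
            elif r["method"] == "POST" and last_form is not None:
                gap = (r["ts"] - last_form["ts"]).total_seconds()
                if gap <= max_gap_seconds and r["ua"] != last_form["ua"]:
                    findings.append((ip, int(gap), last_form["ua"], r["ua"]))
                last_form = None
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("User-Agent churn per IP:", ua_churn(recs))
    print("Probe hits per IP:", probe_hits(recs))
    print("Reply-form/POST User-Agent mismatches:", form_post_ua_mismatch(recs))
```

Run against a real access log, the output is a short list of addresses to review rather than a verdict: User-Agent churn also occurs behind shared proxies, so treat it as a reason to look at the full session, and tune the window and threshold to the site's normal traffic before acting on it.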


3 years 4 weeks ago #2 by 810
Replied by 810 on topic Kunena security problem
This is not a security problem, just spammers. Like here on k.org, we also need to delete some posts each day.

You have set everything up OK.
The only thing you can do is block some countries on the server side. But if you have real visitors from that country, you can't do that.


3 years 4 weeks ago - 3 years 4 weeks ago #3 by PieceOfCake
Replied by PieceOfCake on topic Kunena security problem
It is not really the spam that causes me problems (I could easily require non-registered users to be validated by a moderator).

No! The problem is all those unwanted connections that are trying to find a way to enter the forum out of control. One try about every 6 minutes.

Regards
Last edit: 3 years 4 weeks ago by PieceOfCake.
