I am locked out of my site. I suddenly started getting hundreds of emails like this:
Total impact: 59
Affected tags: xss, csrf, id, rfe, sqli, lfi
Variable: COOKIE.owa_v | Value: cdh=>b882ae39|||vid=>1332905173065178573|||fsts=>1332905173|||dsfs=>0|||nps=>2
Impact: 5 | Tags: xss, csrf
Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID: 25
Variable: COOKIE.owa_s | Value: cdh=>b882ae39|||last_req=>1332915502|||sid=>1332915497254528702|||dsps=>0|||referer=>(none)|||medium=>direct|||source=>(none)|||search_terms=>(none)
Impact: 9 | Tags: xss, csrf, id, rfe
Description: Detects JavaScript object properties and methods | Tags: xss, csrf, id, rfe | ID: 17
Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID: 25
Variable: COOKIE._pk_ref_2_e7d4 | Value: ["","",1333095878,"http://c2wallet.com/analytics/index.php?module=CoreHome&action=index&idSite=2&period=day&date=2012-03-29"]
Impact: 45 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects JavaScript object properties and methods | Tags: xss, csrf, id, rfe | ID: 17
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: Detects common XSS concatenation patterns 1/2 | Tags: xss, csrf, id, rfe | ID: 30
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Description: Detects MySQL comment-/space-obfuscated injections and backtick termination | Tags: sqli, id | ID: 57
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67
Centrifuge detection data Threshold: --- Ratio: --- Converted: ((++::
REMOTE_ADDR: 79.54.137.146
HTTP_X_FORWARDED_FOR: 79.54.137.146
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /home/meetyour/public_html/flash/XML.php
QUERY_STRING: module=im&action=updateInvite&recipient=119600&_t=1333405775166
REQUEST_URI: /flash/XML.php?module=im&action=updateInvite&recipient=119600&_t=1333405775166
QUERY_STRING: module=im&action=updateInvite&recipient=119600&_t=1333405775166
SCRIPT_NAME: /flash/XML.php
PHP_SELF: /flash/XML.php
And when I tried to access the /administration I got the message:
Possible security attack!!! All data has been collected and sent to the site owner for analysis.
My security settings for the security impact threshold are at -1, as advised in various posts and also as it was by default. No module has been installed or other changes made before the alert emails started flooding my inbox. What the heck is going on?
Marco