I had occasion to look at the login.log from one of our courses here, and I noticed these entries:
[Mon May 25 01:04:01 2020] LOGIN FAILED user unknown user_id="><script>alert('pubcookie_xss.nasl');</script> login_type=normal credential_source=params host=192.168.222.12 port=60134 UA=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) [Mon May 25 01:05:38 2020] LOGIN FAILED user unknown user_id=jffnms_user_sql_injection.nasl' UNION SELECT 2,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'-- login_type=normal credential_source=params host=192.168.222.12 port=37328 UA=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Then I looked in other courses and I see this happening frequently. A random sample of 6 courses, something like this is in 3 of them. And when it is there, it is happening on Mondays at 1:04 or so in the morning. In one course it happened 5 weeks in a row, then stopped in early May. In another course, it's been happening for two months. It's there in at least one course that use the LTI with our LMS, and it's there in at least one course that does not use the LMS at all.
I Googled some of what I see, and found this page:
This suggests something is trying to exploit some database security vulnerability. Thankfully it appears the attempt is failing, but I thought I should report this. I wonder if anyone using an older version of WW with an older database/password scheme would be vulnerable to whatever this is.
This makes me wonder if I should hide all our courses and just rely on students and faculty either using the LMS or following direct links to their courses.