Database Vulnerability – how to check if my site has been compromised?

I am in the process of updating to address the database vulnerability alert. HOWEVER …

There has been an unusually high number of signups in the past two weeks, most of them from Austria, Germany, India, the Netherlands, and Sweden. What I am noticing from many of them is multiple logins in a very short period of time.

Is this a sign of people attempting to exploit the database vulnerability? If so, what is the easiest remedy?

TIA
/Clay


We can’t be sure, but this seems more likely to be the signup spam that we discussed here: Observations about spam signups

Are you able to see access logs for requests to your /members/api/send-magic-link/ path? Then check whether you have some repeating IPs there and whether they are coming from the Tor network (GitHub - okinjp/tor_ips: Tor Exit node IP addresses (Generate from metrics.torproject.org)). If so, welcome to the club. The solution we could find until now is blocking the Tor network for the send-magic-link endpoint.

I’m not sure if you can check whether you were actually compromised after patching, but I recommend rotating all the integration keys and all passwords in your setup. It’s very unlikely you are still compromised after that (in the case you were compromised).

PS: If you have paid members and Stripe configured, you should also create new API keys in Stripe and reconfigure Ghost with the new ones, then delete or deactivate the old ones.

To check if there were attempts to compromise your site, look in your web server logs for these two patterns:

slug%3A%5B or slug:[

If there was an attempt to compromise, you might see the actual SQL they attempted to run right in the query string, and thus in the logs.

The other thing to check in the web server logs is the size of the payload returned or the time to respond. Some web server logs include the number of bytes returned.

If you see that a much larger response than usual was returned in response to this query, or that it took much longer to respond, that could indicate that data was exfiltrated.
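As an added example (not code from this thread, from Ghost, or from the tor_ips repository), here is a small Python scan that does the two log checks the replies above describe: counting repeated requests per IP to /members/api/send-magic-link/ and marking the ones on a Tor exit list, and searching request URIs for the slug%3A%5B / slug:[ pattern while comparing the returned byte count against a baseline for the same endpoint. The access-log lines, the Tor exit set, the three-request threshold and the 10x size factor are constructed assumptions; in practice the exit list would be loaded from the repository linked earlier in the thread.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log in the common "combined" format (nginx/Apache).
# Addresses are documentation ranges; the slug:[probe] query is a placeholder,
# not a real payload. Combined format has no response time; if $request_time
# is appended to the log format, the same parser can pick it up as one more field.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "POST /members/api/send-magic-link/ HTTP/1.1" 201 23 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "POST /members/api/send-magic-link/ HTTP/1.1" 201 23 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "POST /members/api/send-magic-link/ HTTP/1.1" 201 23 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:05:00 +0000] "POST /members/api/send-magic-link/ HTTP/1.1" 201 23 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2024:11:00:00 +0000] "GET /ghost/api/content/posts/?key=k&limit=5 HTTP/1.1" 200 4102 "-" "curl/8.0"
192.0.2.10 - - [10/Jan/2024:11:00:05 +0000] "GET /ghost/api/content/posts/?key=k&limit=5 HTTP/1.1" 200 4090 "-" "curl/8.0"
192.0.2.10 - - [10/Jan/2024:11:00:09 +0000] "GET /ghost/api/content/posts/?key=k&limit=5 HTTP/1.1" 200 4110 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2024:12:00:00 +0000] "GET /ghost/api/content/posts/?key=k&filter=slug%3A%5Bprobe%5D HTTP/1.1" 200 91234 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2024:12:01:00 +0000] "GET /ghost/api/content/posts/?key=k&filter=slug:[probe] HTTP/1.1" 400 120 "-" "python-requests/2.31"
"""

TOR_EXITS = {"198.51.100.7"}  # constructed; load the real list from the tor_ips repo

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
MAGIC_LINK_PATH = "/members/api/send-magic-link/"
SLUG_PATTERN = re.compile(r"slug:\[")  # decoded form of slug%3A%5B
SIZE_FACTOR = 10  # assumption: more than 10x the baseline byte count is "much larger than usual"


def parse_lines(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        e["decoded_path"] = unquote(e["path"])  # so slug%3A%5B and slug:[ compare equal
        entries.append(e)
    return entries


def magic_link_offenders(entries, tor_exits, threshold=3):
    """IPs hitting the magic-link endpoint at least `threshold` times -> {ip: (count, is_tor_exit)}."""
    counts = Counter(e["ip"] for e in entries if e["path"].startswith(MAGIC_LINK_PATH))
    return {ip: (n, ip in tor_exits) for ip, n in counts.items() if n >= threshold}


def response_baseline(entries, prefix):
    """Median bytes returned by 2xx requests to `prefix` that do not carry the probe pattern."""
    sizes = [e["bytes"] for e in entries
             if e["path"].startswith(prefix)
             and 200 <= e["status"] < 300
             and not SLUG_PATTERN.search(e["decoded_path"])]
    return statistics.median(sizes) if sizes else 0


def slug_probe_hits(entries):
    """Requests whose decoded URI contains slug:[ , each compared against the
    response-size baseline of the same endpoint (the path up to the '?')."""
    hits = []
    for e in entries:
        if not SLUG_PATTERN.search(e["decoded_path"]):
            continue
        endpoint = e["path"].split("?", 1)[0]
        baseline = response_baseline(entries, endpoint)
        hits.append({
            "ip": e["ip"], "time": e["time"], "status": e["status"],
            "uri": e["decoded_path"], "bytes": e["bytes"], "baseline": baseline,
            "oversized": baseline > 0 and e["bytes"] > SIZE_FACTOR * baseline,
        })
    return hits


if __name__ == "__main__":
    entries = parse_lines(SAMPLE_LOG)
    for ip, (n, tor) in magic_link_offenders(entries, TOR_EXITS).items():
        print(f"{ip}: {n} magic-link requests{' (Tor exit)' if tor else ''}")
    for h in slug_probe_hits(entries):
        flag = "OVERSIZED RESPONSE" if h["oversized"] else "normal size"
        print(f"{h['time']} {h['ip']} {h['status']} {h['bytes']}B "
              f"(baseline {h['baseline']}) {flag}: {h['uri']}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a 400 on a probe with a normal-sized response is a failed attempt, while a 200 with a response many times the usual size for that endpoint is the case the reply above says to treat as possible exfiltration.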