Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other
Author Message
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Fri Sep 03, 2004 6:09 pm Reply with quote

I'm seeing a lot of these bogus spam hunter type requests.
/cgi-bin/formmail.pl
/cgi-bin/mailform.pl
/cgi-bin/FormMail.pl
/mail.cgi
/cgi-bin/fmail.pl
/cgi-bin/form.cgi
/cgi-bin/contact.pl
/cgi/formmail
/cgi-bin/mail.cgi


Does anyone have an effective strategy for dealing with these? I'd guess that like other non existing files Apache is giong to grab them and send out a 404 response. I'm thinking something like a nifty quick and dirty Perl script to slow them down. Any ideas?

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Fri Sep 03, 2004 7:46 pm Reply with quote

I've been getting them alot lately too. Here's what I've done. I made a honeypot, so to speak, in the cgi-bin so that Apache will let them through. Then I added the URI string to NukeSentinel™ and appropriate action is taken. I'm not too sure it's as innocent as just Spam. Those programs are security risks in other ways if they haven't been upgraded.
 
View user's profile Send private message
SmackDaddy
Involved
Involved


Joined: Jun 02, 2004
Posts: 268
Location: Englewood, OH

PostPosted: Fri Sep 03, 2004 8:05 pm Reply with quote

Would simply love it if you could PM me the details of this honey pot and instructions on how to secure myself and my server for those sorts of things as well. Purty please? Wink Mr. Green

_________________
Smack out...
Only registered users can see links on this board! Get registered or login!

Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
Raven
PostPosted: Fri Sep 03, 2004 8:15 pm Reply with quote

Actually, forget I said that. I started down that path and then it dawned on me that they would have to hit my nuke site before Sentinel would take over. So, I have it on my list of things to do, using mod_rewrite to redirect them to an appropriate RETALIATION. That's right all you cry babies out there. I RETALIATE, GET EVEN, SEEK and DESTROY. I plant BOMBS in my responses that not only hang their PC's, it infects them with a virus that is so deadly it passes to the human body through osmosis from the mouse. Once it enters the body it's only a few minutes before their kiddie brain implodes and they look like this

Image

Disclaimer: Any resemblance to anyone you know is purely intentional! ROTFL
 
Raven
PostPosted: Fri Sep 03, 2004 8:32 pm Reply with quote

Here you go! Place this code in your cgi-bin as long as you aren't using it for anything, which I am not. I have this in all my cgi-bin folders.
Code:
RewriteEngine On

RewriteCond %{REQUEST_URI} "/cgi-bin/.*$" [NC]
RewriteRule ^(.+) http://your_domain.com/abuse/abuse.html

Obviously you replace your_domain and whatever abuse script you want Wink If you do use yours, then just make the checks for specific URI's.
 
sixonetonoffun
PostPosted: Fri Sep 03, 2004 8:37 pm Reply with quote

Speaking of plants and such. Here is a little twist on the NC Beta 6.5 script emailsforyou.php (Resembles Allevons work not sure?)
Only registered users can see links on this board! Get registered or login!

I don't know if there is much point to it but it will keep em busy for a while.

A side twist to the evil plot I name it index.php and put it in my /abuse/ directory after I added /abuse/ to the robots.txt
Disallow: /abuse/

Not an extremely effective tool in and of itself but I thought it might give some spam bots that aren't in the Harvester list more to do then just parse my site. Then I tossed in a link to /abuse/abuse.html just chits and giggles no clue where it might turn up.

If you'd like to see what it does just upload it and visit it on your server its a perfectly harmless page other then it takes a little time to render the 1001 email links per loop. I put some short long sleep commands in between to keep the stress on resources down to a minimum.
 
oprime2001
Worker
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

PostPosted: Fri Sep 03, 2004 9:13 pm Reply with quote

Raven wrote:
Here you go! Place this code in your cgi-bin as long as you aren't using it for anything, which I am not. I have this in all my cgi-bin folders.
Code:
RewriteEngine On

RewriteCond %{REQUEST_URI} "/cgi-bin/.*$" [NC]
RewriteRule ^(.+) http://your_domain.com/abuse/abuse.html

Obviously you replace your_domain and whatever abuse script you want Wink If you do use yours, then just make the checks for specific URI's.


Would the skiddies/spammers even be affected by the above sample code since most are prolly sending test email messages via a bot/script that does NOT even load the page? The skiddies/spammers would have to try to load these *mail scripts using a browser in order to be "abused" themselves, correct? Or am I off base here?

For other formmail-traps, here are a couple courtesy of Only registered users can see links on this board! Get registered or login!: 1) Only registered users can see links on this board! Get registered or login! 2) Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
sixonetonoffun
PostPosted: Fri Sep 03, 2004 9:35 pm Reply with quote

Part of the idea is to deny access and the other part is to allow for easier tracking. No doubt something better could be done but these are very quick on the fly solutions.

Another would be to add abuse/abuse.html to the String blocker so we'd get a notification when it is directly accessed.
Edit: Accept that doesn't work! Grr!
I think we need a portable ban/notify page or something. Oh yeah Hack Alert Doh! Wink


Last edited by sixonetonoffun on Fri Sep 03, 2004 9:59 pm; edited 1 time in total 
sixonetonoffun
PostPosted: Fri Sep 03, 2004 9:51 pm Reply with quote

Also note Only registered users can see links on this board! Get registered or login!
 
Raven
PostPosted: Fri Sep 03, 2004 10:10 pm Reply with quote

The last update was from 2002 on that exploit. Is that still correct? One would think that in 2 years this would have been resolved. And Six is correct. All I intended to do was to give you hackers (not crackers) a starting point.

I'm still in shock that no one, not even SmackDaddy, has replied to my 'retaliation' post. I really though it was funny. Guess I better get back on my meds ....
 
sixonetonoffun
PostPosted: Sat Sep 04, 2004 5:04 pm Reply with quote

Yeh its old but I would imagine there are still some of em around.

I think for the most part we all took the retaliation thread at face value. I have no love for these guys out there hunting to upload bots an such so they can DoS attack "innocent servers" its gotten out of hand.

It is time to fight back. I know when nimda was running wild there was a number of "fight back scripts" some that went so far as to remotely file browse the infected machines. I don't think there is anything wrong with protecting your machine or with hacking a zombie to let the admin/owner know they need to address the issues.

I used to capture packets and send out attention admin letters but it was kind of point less. One in about 50 would even make it to the user with the infected machine. The few that did were usually small offices running servers that didn't even realize the machine in question was connected to the internet. It just blows my mind the stuff that goes on out there.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©