Ravens PHP Scripts: Forums

Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

arnoldkrg
New Member
Joined: Sep 15, 2003
Posts: 20

Posted: Fri Jul 15, 2005 5:51 am

I know I am not the only one to have this problem. I understand it is happening at portedmods.com and other PHP-Nuke sites. I have been receiving continuous spam attempts in my forums at Ulsoft for several days now. Most attempts are to post links to poker and gambling sites. Once I realised what was happening, I disabled anonymous posting in the Forums and since then, no actual posts have made it through. However, there are so many attempts from up to 50 different IP addresses at any one time, I am worried that this may result in my bandwidth for my site being eaten up. I am going to have to now pay to increase my bandwidth to accommodate these attempts.

I have Sentinel installed and I keep adding IP Addresses for these bots to the banned list and also any sites which are listed as referrers for these things. Problem is, they just keep coming back with different IP addresses and referrers so it is impossible to keep up with them all.

Below are some examples from one particular IP address (but remember there are hundreds).

Raw access logs:

Quote:
200.106.160.70 - - [14/Jul/2005:22:04:14 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=500 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"
200.106.160.70 - - [14/Jul/2005:22:04:14 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=500 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"
200.106.160.70 - - [14/Jul/2005:22:04:15 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=500 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)"
200.106.160.70 - - [14/Jul/2005:22:11:46 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=1127 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)"
200.106.160.70 - - [14/Jul/2005:22:11:59 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=1420 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; N_o_k_i_a)"
200.106.160.70 - - [14/Jul/2005:22:21:09 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=393 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"


Latest visitors log:
Quote:
Host: 200.106.160.70 /modules.php?name=Forums&file=posting&mode=quote&p=920
Http Code: 403 Date: Jul 15 09:46:42 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1)

/modules.php?name=Forums&file=posting&mode=quote&p=1560
Http Code: 403 Date: Jul 15 09:49:22 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)

/modules.php?name=Forums&file=posting&mode=quote&p=1625
Http Code: 403 Date: Jul 15 09:49:28 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1)

/modules.php?name=Forums&file=posting&mode=quote&p=854
Http Code: 403 Date: Jul 15 09:51:03 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 3.0)

/modules.php?name=Forums&file=posting&mode=quote&p=93
Http Code: 403 Date: Jul 15 09:55:10 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)

/modules.php?name=Forums&file=posting&mode=quote&p=151
Http Code: 403 Date: Jul 15 09:57:30 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)

/modules.php?name=Forums&file=posting&mode=quote&p=160
Http Code: 403 Date: Jul 15 09:58:10 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 5.0; YANDEX)

/modules.php?name=Forums&file=posting&mode=quote&p=1288
Http Code: 403 Date: Jul 15 09:58:11 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)

/modules.php?name=Forums&file=posting&mode=quote&p=1483
Http Code: 403 Date: Jul 15 10:00:17 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)


I am quite prepared to add rewrite rules in my .htaccess to direct "quote" strings to a black hole, but I don't know enough about the rewrite conditions to do it. If someone could give me an example of a rewrite condition (along the lines of the santy worm rush and highlight one) I would appreciate it and would live with the fact that this might disable quotes on my Forums. Any help and advice would be much appreciated.

money
New Member
Joined: Aug 24, 2003
Posts: 11

Posted: Fri Jul 15, 2005 1:27 pm

The log entries you posted here show he received a 403 error page with zero bytes returned. As long as these guys are receiving very little to no bytes, you shouldn't have to worry about bandwidth. If they start pounding too hard, they could affect the whole server whether your site blocks them or not.


The IP you posted here is in Colombia. For me, I have little tolerance for visitors from South and Central America because they have too many jerks on their nets. I blocked the whole 200 net. If you want to do the same, you can do it like this in your .htaccess file:


RewriteEngine On
# Match any client address beginning with "200." (the whole 200.0.0.0/8 net)
RewriteCond %{REMOTE_ADDR} ^200\.
# Answer every such request with 403 Forbidden, nothing else is served
RewriteRule .* - [F]

djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv

Posted: Fri Jul 15, 2005 8:07 pm

Blocking 200.106.160.70 is not an option.
I've already tried that but it uses random IPs all over the place.

The trick is to block the REFERER, since it almost always has the same id, compared to the constantly changing USER_AGENT.

RewriteEngine On
# Case-insensitive ([NC]) substring match on the Referer header. [OR] chains
# the conditions; the last one must not carry [OR], otherwise the rule fires
# for every request, including ones with no Referer at all.
RewriteCond %{HTTP_REFERER} "texasholdemcenteral" [NC,OR]
RewriteCond %{HTTP_REFERER} "sportscribe" [NC,OR]
RewriteCond %{HTTP_REFERER} "yachtdurak" [NC]
RewriteRule .* - [F]

djmaze

Posted: Fri Jul 15, 2005 8:34 pm

P.S. Here's a list of random IPs used for spamming by the above 3 referers on 1 day, to show you why banning an IP isn't sufficient.

61.129.44.201
61.178.185.56
63.230.254.28
64.147.9.29
65.103.76.148
81.115.31.217
81.240.255.226
82.201.185.22
148.243.157.195
148.244.150.52
148.244.150.57
148.244.150.58
148.244.223.236
193.194.68.3
193.194.69.82
193.194.84.198
194.63.235.164
195.87.69.26
200.106.160.70
200.196.101.98
202.128.69.58
202.175.234.163
207.248.240.118
207.248.240.119
209.161.5.194
212.97.0.101
212.97.0.105
213.243.30.8
213.249.155.240
217.219.20.66
218.93.119.83
219.95.111.181

And here's a full list of referers: [link visible only to registered users]

djmaze

Posted: Fri Jul 15, 2005 8:48 pm

Last but not least, the following is the "whois" contact info for the spammed domains:

Technical Contact [NIC-8754]:
Patrick, Mallory [email link visible only to registered users]
Private
Gregory Ln
59
Alta Vista
Colorado, US
80606
Phone: +1.9304615000

money

Posted: Tue Jul 19, 2005 8:55 am

Quote:
The trick is to block the REFERER, since it almost always has the same id, compared to the constantly changing USER_AGENT.

He wasn't clear whether they were using totally different nets. In such a case, I agree IP blocking could be ineffective. Your suggestion to use referrer blocking though would not help him out either. As shown in the log entries posted above, there is nothing in the REFERER field.
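The disagreement above (djmaze: block on the Referer; money: the posted log lines carry no Referer at all) is easy to settle by profiling the log. The following is an added example, not code from the original thread or from any of its participants: it parses the six raw access-log lines quoted in the first post (plus one invented ordinary request from a documentation address, so there is something legitimate to compare against), summarises each client by request count, distinct user agents, empty Referer headers, hits on the quote-mode posting endpoint and bytes actually served, and checks whether djmaze's three Referer substrings would have matched any of them. Function and variable names are my own; the `REFERER_PATTERNS` values are the strings from djmaze's RewriteCond lines.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the six raw access-log lines quoted in the first post
# of the thread, plus one invented ordinary request (192.0.2.10 is a documentation
# address) so that the report has something legitimate to contrast against.
SAMPLE_LOG = """\
200.106.160.70 - - [14/Jul/2005:22:04:14 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=500 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"
200.106.160.70 - - [14/Jul/2005:22:04:14 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=500 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"
200.106.160.70 - - [14/Jul/2005:22:04:15 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=500 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)"
200.106.160.70 - - [14/Jul/2005:22:11:46 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=1127 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)"
200.106.160.70 - - [14/Jul/2005:22:11:59 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=1420 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; N_o_k_i_a)"
200.106.160.70 - - [14/Jul/2005:22:21:09 +0100] "GET /modules.php?name=Forums&file=posting&mode=quote&p=393 HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)"
192.0.2.10 - - [14/Jul/2005:22:05:00 +0100] "GET /modules.php?name=Forums&file=viewtopic&t=12 HTTP/1.1" 200 5120 "http://www.example.org/forum" "Mozilla/5.0 (X11; Linux)"
"""

# Referrer substrings taken from djmaze's RewriteCond lines in this thread.
REFERER_PATTERNS = ("texasholdemcenteral", "sportscribe", "yachtdurak")

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; '-' in size/referer becomes 0 / ''."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    e["referer"] = "" if e["referer"] == "-" else e["referer"]
    return e


def is_quote_probe(entry):
    """True for the Forums posting endpoint in quote mode, the URL the bots hammer."""
    url = urlsplit(entry["target"])
    q = parse_qs(url.query)
    return (url.path == "/modules.php"
            and q.get("name") == ["Forums"]
            and q.get("file") == ["posting"]
            and q.get("mode") == ["quote"])


def referer_rule_matches(entry, patterns=REFERER_PATTERNS):
    """Mimic RewriteCond %{HTTP_REFERER} "pattern" [NC]: case-insensitive substring."""
    ref = entry["referer"].lower()
    return any(p.lower() in ref for p in patterns)


def profile_log(log_text):
    """Per-IP summary: requests, distinct user agents, empty referers,
    quote-mode probes, bytes actually served and referer-rule hits."""
    report = defaultdict(lambda: {"requests": 0, "agents": set(), "empty_referer": 0,
                                  "quote_probes": 0, "bytes": 0, "referer_rule_hits": 0})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # skip lines that are not combined-format entries
        r = report[e["ip"]]
        r["requests"] += 1
        r["agents"].add(e["agent"])
        r["empty_referer"] += not e["referer"]
        r["quote_probes"] += is_quote_probe(e)
        r["bytes"] += e["size"]
        r["referer_rule_hits"] += referer_rule_matches(e)
    # Replace the agent set with its size so the report is plain numbers.
    return {ip: {**r, "agents": len(r["agents"])} for ip, r in report.items()}


def suspicious_ips(report, min_agents=3):
    """IPs that probe the quote endpoint, never send a Referer and rotate user agents."""
    return sorted(ip for ip, r in report.items()
                  if r["quote_probes"] > 0
                  and r["empty_referer"] == r["requests"]
                  and r["agents"] >= min_agents)


if __name__ == "__main__":
    rep = profile_log(SAMPLE_LOG)
    for ip, r in sorted(rep.items()):
        print(ip, r)
    print("suspicious:", suspicious_ips(rep))
```

On the quoted lines the bot address shows six requests, five different user agents, six empty Referer headers, six hits on the quote endpoint, zero bytes served and zero Referer-rule matches, which is money's point in numbers: a Referer rule cannot catch traffic that sends no Referer, and the 403 responses cost no body bytes. What does single the bot out is the combination of an empty Referer, a rotating user agent and the `mode=quote` endpoint, which `suspicious_ips` uses as its flag; on a real log, feed the file contents to `profile_log` and review the flagged addresses before banning them.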
 
arnoldkrg

Posted: Tue Jul 19, 2005 9:54 am

Most of the bots do have a referrer entry. I am using Sentinel to block the IPs of offending referrers. They seem to be using the same set of IP addresses for different referrers. I keep checking my logs and if any of the bots are not showing referrers, I ban the IP manually.

I now have around 200 IP addresses blocked and the new IP addresses used seem to be drying up a bit.

The solution is to just keep on top of it.

money

Posted: Tue Jul 19, 2005 10:26 am

Great, you're all set except of course for it being a PITA to you.

Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours