cancel
Showing results for 
Search instead for 
Did you mean: 

Site being attacked..

7up
Community Veteran
Posts: 15,824
Thanks: 1,579
Fixes: 17
Registered: ‎01-08-2007

Site being attacked..

Hi all
I've got a minor problem.. nothing serious but a bit annoying..
I've got over 30 bots trying to autonomously sign my guestbook! They seem to be acting as the same group because as long as one signs it per day the rest of the attempts stop. If one fails then the next seems to try.. and the next.. and so on.
It appears to be testing for vulnerabilities in my script. The first 2 times it simply posted a html link to google. This was then stopped using strip_tags. The next day there was a BB code google link (which didn't work). Day after that it posted a totally random assortment of letters with .com appended to the end.
It would appear that it had been gradually testing suitability day by day to see if it could inject html/javascript. I can only assume that it wanted to insert javascript into the page which would redirect the viewing user to a site of its choice. Luckily I discovered it quickly enough to take action before it actually tried anything more serious.
Now I have a problem.. I've temporarily disabled the guestbook module and got the main script serving 403 errors when that module is called via url. This has resulted in the whole circle of about 30 bots randomly attempting to call my guestbook. Not a problem as its disabled. I've now got all their IP's listed in a DB and the script now outputs a 403 if a connection comes from one of them. I'm about to upload the modified guestbook which now uses a captcha image to verify its submissions but I'm a tad concerned about these bots being able to read them.
For the field names in the form my script generates a MD5 hash and uses that as the field name (IE the MD5 is parsed into the html field names). When the form is submitted my script then reads the MD5 hashes from an array to determine the field names etc. The bots seem to have overcome this easily and appear to be able to read the dynamically random field names and consequently submit the form data. Obviously if the things also manage to read my captcha I'm stuffed!
I can continue blacklisting IPs and just 403'ing them but likewise they can continue changing IP addresses too. I have a contact form which uses the same captcha and so far I've had no abuse from that but I think I've got all my eggs in one basket relying on captcha to keep the bots at bay. It already seems that no matter what I try its just going to be an ongoing struggle to deter them and that they'll eventually find a way around my defences somehow.
So.. any advice?
I need a new signature... i'm bored of the old one!
4 REPLIES 4
fourfourdevon
Grafter
Posts: 1,101
Thanks: 2
Registered: ‎10-09-2010

Re: Site being attacked..

You sound technically competent, if I was you, and you need the guestbook, I would look to use a DNSBL if you can to permanently keep all the bots off me.
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Site being attacked..

Could you incorporate one of the API calls to http://www.stopforumspam.com/ ?
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
7up
Community Veteran
Posts: 15,824
Thanks: 1,579
Fixes: 17
Registered: ‎01-08-2007

Re: Site being attacked..

Hi guys
Jelv, thats a pretty useful looking site. Thanks for that. I'll try to incorporate something into my site to use their service.
@fourfour, thanks also for that idea. Gotta be honest I don't completely understand it all but I will certainly look at it in more depth.
I need a new signature... i'm bored of the old one!
fourfourdevon
Grafter
Posts: 1,101
Thanks: 2
Registered: ‎10-09-2010

Re: Site being attacked..

I think Jelv's solution looks the most useful to your application.  I wouldn't bother looking further unless it turns out to not actually work.