Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Site being attacked..
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Help with my Plusnet services
- :
- Everything else
- :
- Site being attacked..
Site being attacked..
28-12-2010 12:10 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Hi all
I've got a minor problem.. nothing serious but a bit annoying..
I've got over 30 bots trying to autonomously sign my guestbook! They seem to be acting as the same group because as long as one signs it per day the rest of the attempts stop. If one fails then the next seems to try.. and the next.. and so on.
It appears to be testing for vulnerabilities in my script. The first 2 times it simply posted a html link to google. This was then stopped using strip_tags. The next day there was a BB code google link (which didn't work). Day after that it posted a totally random assortment of letters with .com appended to the end.
It would appear that it had been gradually testing suitability day by day to see if it could inject html/javascript. I can only assume that it wanted to insert javascript into the page which would redirect the viewing user to a site of its choice. Luckily I discovered it quickly enough to take action before it actually tried anything more serious.
Now I have a problem.. I've temporarily disabled the guestbook module and got the main script serving 403 errors when that module is called via url. This has resulted in the whole circle of about 30 bots randomly attempting to call my guestbook. Not a problem as its disabled. I've now got all their IP's listed in a DB and the script now outputs a 403 if a connection comes from one of them. I'm about to upload the modified guestbook which now uses a captcha image to verify its submissions but I'm a tad concerned about these bots being able to read them.
For the field names in the form my script generates a MD5 hash and uses that as the field name (IE the MD5 is parsed into the html field names). When the form is submitted my script then reads the MD5 hashes from an array to determine the field names etc. The bots seem to have overcome this easily and appear to be able to read the dynamically random field names and consequently submit the form data. Obviously if the things also manage to read my captcha I'm stuffed!
I can continue blacklisting IPs and just 403'ing them but likewise they can continue changing IP addresses too. I have a contact form which uses the same captcha and so far I've had no abuse from that but I think I've got all my eggs in one basket relying on captcha to keep the bots at bay. It already seems that no matter what I try its just going to be an ongoing struggle to deter them and that they'll eventually find a way around my defences somehow.
So.. any advice?
I've got a minor problem.. nothing serious but a bit annoying..
I've got over 30 bots trying to autonomously sign my guestbook! They seem to be acting as the same group because as long as one signs it per day the rest of the attempts stop. If one fails then the next seems to try.. and the next.. and so on.
It appears to be testing for vulnerabilities in my script. The first 2 times it simply posted a html link to google. This was then stopped using strip_tags. The next day there was a BB code google link (which didn't work). Day after that it posted a totally random assortment of letters with .com appended to the end.
It would appear that it had been gradually testing suitability day by day to see if it could inject html/javascript. I can only assume that it wanted to insert javascript into the page which would redirect the viewing user to a site of its choice. Luckily I discovered it quickly enough to take action before it actually tried anything more serious.
Now I have a problem.. I've temporarily disabled the guestbook module and got the main script serving 403 errors when that module is called via url. This has resulted in the whole circle of about 30 bots randomly attempting to call my guestbook. Not a problem as its disabled. I've now got all their IP's listed in a DB and the script now outputs a 403 if a connection comes from one of them. I'm about to upload the modified guestbook which now uses a captcha image to verify its submissions but I'm a tad concerned about these bots being able to read them.
For the field names in the form my script generates a MD5 hash and uses that as the field name (IE the MD5 is parsed into the html field names). When the form is submitted my script then reads the MD5 hashes from an array to determine the field names etc. The bots seem to have overcome this easily and appear to be able to read the dynamically random field names and consequently submit the form data. Obviously if the things also manage to read my captcha I'm stuffed!
I can continue blacklisting IPs and just 403'ing them but likewise they can continue changing IP addresses too. I have a contact form which uses the same captcha and so far I've had no abuse from that but I think I've got all my eggs in one basket relying on captcha to keep the bots at bay. It already seems that no matter what I try its just going to be an ongoing struggle to deter them and that they'll eventually find a way around my defences somehow.
So.. any advice?
I need a new signature... i'm bored of the old one!
Message 1 of 5
(1,810 Views)
4 REPLIES 4
Re: Site being attacked..
28-12-2010 12:32 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
You sound technically competent, if I was you, and you need the guestbook, I would look to use a DNSBL if you can to permanently keep all the bots off me.
Message 2 of 5
(398 Views)
Re: Site being attacked..
28-12-2010 1:35 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Could you incorporate one of the API calls to http://www.stopforumspam.com/ ?
jelv (a.k.a Spoon Whittler) Why I have left Plusnet (warning: long post!) Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month) |
Message 3 of 5
(398 Views)
Re: Site being attacked..
28-12-2010 4:48 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Hi guys
Jelv, thats a pretty useful looking site. Thanks for that. I'll try to incorporate something into my site to use their service.
@fourfour, thanks also for that idea. Gotta be honest I don't completely understand it all but I will certainly look at it in more depth.
Jelv, thats a pretty useful looking site. Thanks for that. I'll try to incorporate something into my site to use their service.
@fourfour, thanks also for that idea. Gotta be honest I don't completely understand it all but I will certainly look at it in more depth.
I need a new signature... i'm bored of the old one!
Message 4 of 5
(398 Views)
Re: Site being attacked..
28-12-2010 4:52 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I think Jelv's solution looks the most useful to your application. I wouldn't bother looking further unless it turns out to not actually work.
Message 5 of 5
(398 Views)
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page