Persistent spambot - can't block it

Posted: Mon Jan 31, 2011 2:08 pm
by anivad
My site keeps getting intermittently hit by this spambot; I have no idea how it's getting past my security measures and posing as a user:

[image]

Currently it's using the username '2009', which I've just blocked. Previous attacks have also been using years: '2005', '1998', '2007', etc.

This is in an include file at the beginning of each page:

Code:

session_start();

if(isset($_COOKIE['winm'])) {

$uname = $_COOKIE['winm']['uname'];
$pword = $_COOKIE['winm']['pword'];

include 'db.php';

$sql = "SELECT uname, pword FROM login WHERE uname = '$uname' AND pword = 'pword'";
$result = mysql_query($sql);
$num_rows = mysql_num_rows($result);

if ($num_rows = 1) {
	$_SESSION['login'] = "1";
	$_SESSION['uname'] = "$uname";
	}
}

$scheck = (!(isset($_SESSION['login']) &&  $_SESSION['login'] != ''));
and on the page source code itself:

Code:

$uname = $_SESSION['uname'];

if($scheck) {
$cname = "Guest";
}
else {
$cname = $uname;
}
If $cname = 'Guest', then the spam-prevention measures get called up. Which hasn't been happening, which means that this bot has been bypassing that altogether and tricking the code into thinking that it's a registered user.

Login page:

Code:

if ($_SERVER['REQUEST_METHOD'] == 'POST'){
	$uname = $_POST['username'];
	$pword = $_POST['password'];
	$cookie = $_POST['setcookie'];
	$time = time();

// Database details for connection

	$SQL = "SELECT * FROM login WHERE uname = '$uname' AND pword = '$pword'";
	$result = mysql_query($SQL) or die (mysql_error());
	$num_rows = mysql_num_rows($result);

	if ($result) {
		if ($num_rows > 0) {
			session_start();
			$_SESSION['login'] = "1";
			$_SESSION['uname'] = "$uname";
			if($cookie) {
			setcookie("winm[uname]", $uname, $time + 2592000);
			setcookie("winm[pword]", $pword, $time + 2592000);
			}
			header ("Location: loginsuccess.htm");
		}
		else {
			session_start();
			$_SESSION['login'] = "";
			error('Login failed. Check that you are registered, and that your username and password are correct.');
		}
	}

	mysql_close($db_handle);

	}

}

?>
Those sections of code were written several months apart, so it's possible that there was some inconsistency there as a result, but I can't work out where. Help would be great, thanks!

Re: Persistent spambot - can't block it

Posted: Mon Jan 31, 2011 2:19 pm
by John Cartwright
Oh god, you've got some insecure stuff going on there. Firstly, SQL injection:

Code:

$uname = "admin";
$pword = "' OR '1'='1";

$SQL = "SELECT * FROM login WHERE uname = '$uname' AND pword = '$pword'";

//results in

SELECT * FROM login WHERE uname = 'admin' AND pword = '' OR '1' = '1'
which means they don't need a password to access any of your accounts. ALWAYS, and I mean ALWAYS, pass all user input through mysql_real_escape_string() when applying them to queries.

Code:

$SQL = "SELECT * FROM login WHERE uname = '". mysql_real_escape_string($uname) ."' AND pword = '". mysql_real_escape_string($pword) ."' LIMIT 1";
Next, never set the password in the user's cookie. Better yet, don't store any sensitive information there. Cookies can be stolen / viewed maliciously by the right person.

Thirdly, if you want to implement a remember me functionality, generate a unique key for them and store that in their cookie / database to validate against each other. These kinds of systems are inherently insecure to begin with, but there are many tutorials out there that explain measures to take beyond this to make it less "insecure", e.g., IP checks.
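Added example (not code from either poster): a hardened version of the login handler and the per-page cookie check, covering both points in the reply above, parameterised queries instead of string-built SQL, and a random remember-me token in the cookie instead of the username and password. It assumes PHP 7.3 or later, a PDO connection in $db, that the existing `login.pword` column holds password_hash() output, and an additional table `remember_tokens(selector, validator_hash, uname, expires)` that is not part of the original site. The cookie name `winm` and the 30-day lifetime are kept from the original code.

```php
<?php
// Added example, not the thread's own code. Assumptions: PHP >= 7.3, PDO in $db,
// `login(uname, pword)` with `pword` = password_hash() output, and an assumed
// table `remember_tokens(selector, validator_hash, uname, expires)`.

const COOKIE_NAME = 'winm';
const COOKIE_TTL  = 2592000; // 30 days, as in the original setcookie() calls

// Verify a username/password with a prepared statement: the input is bound as
// data, never spliced into the SQL text, so "' OR '1'='1" is just a string.
function checkLogin(PDO $db, string $uname, string $pword): bool {
    $stmt = $db->prepare('SELECT pword FROM login WHERE uname = ? LIMIT 1');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks against the stored password_hash() value.
    return $row !== false && password_verify($pword, $row['pword']);
}

// Issue a remember-me token: a random selector (for the lookup) plus a random
// validator. Only a hash of the validator is stored, so a leaked table does not
// yield working cookies, and the cookie never contains the password.
function issueRememberToken(PDO $db, string $uname): void {
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + COOKIE_TTL;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, uname, expires)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $uname, $expires]);

    setcookie(COOKIE_NAME, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Per-page check of the remember-me cookie. Returns the username or null.
// Every branch compares with ===; the original include used `if ($num_rows = 1)`,
// an assignment that is always true, so any cookie carrying a uname was accepted.
function userFromRememberCookie(PDO $db): ?string {
    if (!isset($_COOKIE[COOKIE_NAME]) || !is_string($_COOKIE[COOKIE_NAME])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[COOKIE_NAME], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare(
        'SELECT validator_hash, uname, expires FROM remember_tokens WHERE selector = ? LIMIT 1'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['uname'];
}

// Usage on the login page (replaces the POST handler shown above):
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uname = (string)($_POST['username'] ?? '');
    $pword = (string)($_POST['password'] ?? '');
    if (checkLogin($db, $uname, $pword)) {
        session_regenerate_id(true);      // fresh session id after login
        $_SESSION['login'] = "1";
        $_SESSION['uname'] = $uname;
        if (!empty($_POST['setcookie'])) {
            issueRememberToken($db, $uname);
        }
        header('Location: loginsuccess.htm');
        exit;
    }
}

// Usage in the per-page include, instead of trusting $_COOKIE['winm'] directly:
if (empty($_SESSION['login']) && ($u = userFromRememberCookie($db)) !== null) {
    $_SESSION['login'] = "1";
    $_SESSION['uname'] = $u;
}
```

The selector/validator split means the database lookup is by an unguessable value that is never compared in a timing-sensitive way, while the secret half is only ever checked through hash_equals(). Logging out should delete the matching `remember_tokens` row and clear the cookie, and the expiry column lets stale rows be purged.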

Re: Persistent spambot - can't block it

Posted: Mon Jan 31, 2011 2:39 pm
by anivad
Thanks!