Persistent spambot - can't block it
Posted: Mon Jan 31, 2011 2:08 pm
My site keeps getting intermittently hit by this spambot; I have no idea how it's getting past my security measures and posing as a user:

Currently it's using the username '2009', which I've just blocked. Previous attacks have also been using years: '2005', '1998', '2007', etc.
This is in an include file at the beginning of each page:
and on the page source code itself:
If $cname = 'Guest', then the spam-prevention measures get called up. Which hasn't been happening, which means that this bot has been bypassing that altogether and tricking the code into thinking that it's a registered user.
Login page:
Those sections of code were written several months apart, so it's possible that there was some inconsistency there as a result, but I can't work out where. Help would be great, thanks!

Currently it's using the username '2009', which I've just blocked. Previous attacks have also been using years: '2005', '1998', '2007', etc.
This is in an include file at the beginning of each page:
Code: Select all
session_start();
if(isset($_COOKIE['winm'])) {
$uname = $_COOKIE['winm']['uname'];
$pword = $_COOKIE['winm']['pword'];
include 'db.php';
$sql = "SELECT uname, pword FROM login WHERE uname = '$uname' AND pword = 'pword'";
$result = mysql_query($sql);
$num_rows = mysql_num_rows($result);
if ($num_rows = 1) {
$_SESSION['login'] = "1";
$_SESSION['uname'] = "$uname";
}
}
$scheck = (!(isset($_SESSION['login']) && $_SESSION['login'] != ''));Code: Select all
$uname = $_SESSION['uname'];
if($scheck) {
$cname = "Guest";
}
else {
$cname = $uname;
}Login page:
Code: Select all
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
$uname = $_POST['username'];
$pword = $_POST['password'];
$cookie = $_POST['setcookie'];
$time = time();
// Database details for connection
$SQL = "SELECT * FROM login WHERE uname = '$uname' AND pword = '$pword'";
$result = mysql_query($SQL) or die (mysql_error());
$num_rows = mysql_num_rows($result);
if ($result) {
if ($num_rows > 0) {
session_start();
$_SESSION['login'] = "1";
$_SESSION['uname'] = "$uname";
if($cookie) {
setcookie("winm[uname]", $uname, $time + 2592000);
setcookie("winm[pword]", $pword, $time + 2592000);
}
header ("Location: loginsuccess.htm");
}
else {
session_start();
$_SESSION['login'] = "";
error('Login failed. Check that you are registered, and that your username and password are correct.');
}
}
mysql_close($db_handle);
}
}
?>