PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




Post new topic Reply to topic  [ 40 posts ]  Go to page 1, 2, 3  Next
PostPosted: Sun Apr 07, 2013 9:55 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
SITUATION:
I developed and have operated a website for my old U.S. Navy ship for over a decade, and one feature is an open bulletin board that allows old shipmates, or family members or friends, to post messages of interest to, or seek information about, other former crew members. I deliberately chose to not require logging in and not require a moderator to approve messages, for simplicity, but I did design a simple email notification to myself whenever anyone adds a new message (there is no provision for editing). The notification email contains the content of the message, the supposed email of the poster, the IP address from $_SERVER['REMOTE_ADDR'], and a link to a PHP script that allows me to delete any spurious message just by clicking on the link. Simple. It has worked well for more than a decade. Probably 2 or 3 times a year, I get a notification that is obviously spurious (spam or just gibberish), and I click on the link and it's gone. Until now!

PROBLEM:
A notorious IP address, as it turns out, began posting spurious messages 3 days ago at 40 minute intervals, with webmail addresses that I'm sure are phony, initially all from one IP address in St. Petersburg, Russia, but now I'm getting a couple of other IP addresses, too. The body of the message is different each time, but always with a lot of sexual references and links (which I have not followed). It's like a game of whack-a-mole, if I'm home, or even with my tablet, I get the notification email, click the link, and the message is deleted, but 40 minutes later (or just recently, much sooner, from different IP addresses) there's another one. My site doesn't get much traffic (there are only a few hundred of us former crew members still alive--the ship was decommissioned in 1955!), so I don't know why he even bothers.

WHAT I DID:
After the first day of this, I decided to add a simple IP blocking function to my script that displays the form. I know that he is using this script, because it's the one that sends the email notifications. I have tested my blocking function by putting in my own IP address, and sure enough, when I try to reach that page, it simply delivers a blank screen. But when I put in the several IP addresses he has used so far, they aren't blocking his entries!

MY QUESTION:
I'm not interested in advice that I should not have an open bulletin board system like this. I know how to set up a registered user system, and I operate several of those. What I can't figure out is why the method I described just above doesn't block him. Even if the IP address is being spoofed somehow, it's the one that's being returned by $_SERVER['REMOTE_ADDR'], so it identifies one of his attacks, so why isn't it killing the rest of the script that adds the record and sends me the notification email?

There! I just saw 2 more messages pop up in my email. Here I go to whack down the latest mole!

I'd sure appreciate it if one of you security gurus could help me understand how he's doing this. If you can suggest a method of blocking him, that would be even cooler! Of course, I can just shut down the script, at least temporarily (I only get a few legitimate posts a year, typically, so it's not a big deal).

[Edit: If someone is interested in the details of this, I'll be glad to PM you with my site URL, my code, the identification of the spammer, etc.]


Last edited by califdon on Mon Dec 30, 2013 2:31 pm, edited 4 times in total.
Modified Subject line


PostPosted: Mon Apr 08, 2013 12:43 am 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
Have you already checked the server access logs? To see exactly what URLs they're hitting? The block you put in place apparently works for that particular path so maybe there's something else happening.

As for a solution, how about blocking messages that contain bad keywords? CAPTCHA? Can you block entire address ranges?


PostPosted: Mon Apr 08, 2013 12:54 am 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Thanks for the comments, requinix. I need to check the server access logs, if I can get to them (it's hosted at GoDaddy.com). I just now discovered that he must be spoofing the IP address, because the last one he just hit me with shows an IP address in the 192.168. range, which is the internal private block! But what has me confused is that I'm getting his IP address from the PHP global array $_SERVER, and even if it's spoofed, that's the "signature" that I use to issue an "exit" from the PHP script, and that seems to work when I include my own IP address, to test it. So, for this purpose, it shouldn't even matter if the IP address is real or fake. I may just take down that page and see what happens. I must say, it is certainly annoying!


PostPosted: Mon Apr 08, 2013 1:13 am 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
Address spoofing is very uncommon - generally more effort than it's worth, especially considering the abundance of free proxies. Is it possible there's a firewall or forwarder so the source address is being covered up? Could they be using a machine inside the GoDaddy network (which I say even though 192.168/16 is more civilian than the 10/24 I'd expect for a business)? Might there be a $_SERVER["HTTP_X_FORWARDED_FOR"] set?

Sorry about asking so many questions but I think it might be easier to throw information at you and let you decide what's most likely and worth looking into.


PostPosted: Mon Apr 08, 2013 1:33 am 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Believe me, I appreciate all the ideas I can get on this. What bugs me is that it shouldn't matter whether the address is spoofed or not; if the $_SERVER global says it is W.X.Y.Z, and on that basis, I branch to an 'exit', the script oughtta die! I just wrote a solid exit; at the top of the script that writes to the database. If another one gets through, it means that he somehow got my field names and db connection credentials and isn't even running my script, as far as I can see. But that can't be true, or I wouldn't be getting the email notifications at all! That would mean he's gotten into GoDaddy's servers, which is really bad! Tomorrow I'm gonna see if GoDaddy support can help me. Actually, they're usually pretty good, but of course, they don't offer programming or design help, which I understand. Shoot! I'm up past my bedtime, I'm gonna hang it up for tonight. Hey, you're up late, too!


PostPosted: Mon Apr 08, 2013 3:52 am 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
Don't take this the wrong way, but I love this! This is better than any other type of puzzle to me (of course it sucks for your site). I find it easier on a server where I can have SSH access, but there are tools available... (interestingly enough, they are actual hack scripts, c99shell usually, that I use for good!)

First thing is first, on the issue of the IP address coming up as 192.168.x.x, I would try to determine if there is an IP address on the server in that network to determine if it is a script on the same server or network running to auto-submit.

If it isn't, or you can't tell, check the full headers of the e-mail you are receiving, make sure the ones listing that IP are actually coming from your server. You started blocking them before, and if they were hacked into the server, may have just thrown the script on a local machine to run, and were just lazy enough to not change the script to send e-mail out.

The local network issue aside, for the die() statement, where did you put it in the script? You mentioned that it would block displaying the form, but if they already know what data to push via POST back to the server, blocking them from seeing the form will do no good; it needs to be at the place that processes the form. Just wanted to make sure on that point of where it was.

If you want, PM me the info, I'm up for the "day" now, and would look around for you.

-Greg


PostPosted: Mon Apr 08, 2013 7:12 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Can you post the blocking code at least? Sometimes even old hats (hehe) make stupid mistakes - I know I've done my share of them, in production code no less :/

And I can agree with twine: real-life puzzles are the best!


PostPosted: Mon Apr 08, 2013 1:44 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Thanks, all! Greg, no problem at all, I understand the challenge, I feel it too. First of all, the good news: since disabling the script that receives the form data and writes to the database (and sends the notification email), I've had almost 12 hours of no additional hacks, so he was definitely using my script. And I did check my email headers and the notifications are definitely coming from my GoDaddy server. I had the same question about whether he had somehow broken into the server and made a copy of my script, but this latest test of disabling the script (I just inserted an exit; statement near the top) would seem to rule that out, as well as just sending the POST data, without using the script (which then would not have sent the notification email). But the puzzle hasn't been solved yet.

Here's my blocking code (and thanks for joining the discussion, Mordred, now I've got the real expert on the case!):
...
   if(blacklist($_SERVER['REMOTE_ADDR'])== true) exit;
...

function blacklist($ip){
    $listed = true;
    $dnsbl_lookup = array(
        "dnsbl-1.uceprotect.net",
        "dnsbl-2.uceprotect.net",
        "dnsbl-3.uceprotect.net",
        "dnsbl.dronebl.org",
        "dnsbl.sorbs.net",
        "zen.spamhaus.org"
    );
    $lookups = count($dnsbl_lookup);
    $total = 0;
    if($ip){
        $reverse_ip = implode(".", array_reverse(explode(".", $ip)));
        foreach($dnsbl_lookup as $host){
            if(checkdnsrr($reverse_ip.".".$host.".", "A")){
                $total++;
            }
        }
    }
    $mybl = array(
         "188.243.232.111",
         "188.243.234.127",
//        "173.228.16.19",        // MY IP -- DEBUG
         "86.96.56.80",
         "219.150.204.30",
         "86.96.41.217",
         "172.16.1.254",
         "176.205.178.105",
         "218.207.82.93".
         "110.77.233.39",
         "94.59.169.202",
         "199.127.103.214".
         "19.147.146.14",
         "54.235.210.159",
         "217.164.216.219"
    );
    foreach($mybl as $baddy){
         if($baddy == $ip) {
            $total = $total + 2;
         }
    }
    if($total > 1) {
        return true;
    }else{
        return false;
    }
}

I found the first part online and cooked up the local array from the IPs I've seen in my notification emails, based on $_SERVER['REMOTE_ADDR']. I weighted it so that it takes either being in my local array or being in at least 2 DNSBLs to reject a request.

Gee, it hurts to admit it publicly, but I've made dumb mistakes in coding before, too! So if I've missed something, don't worry about hurting my feelings by pointing it out, now that I've exposed myself anyway.

I'll leave the script disabled for a few more hours, maybe all day, then let it run again, and see if the attacks resume. Fortunately, as I've said, this is a very low traffic site and I'm not concerned about some down time for this one feature. I'll PM each of you with the site URL, I'm a little reluctant to advertise it publicly here, in the context of this security breach.

I've also logged all the hack requests into a spreadsheet and attached a text version to this post, showing the IP addresses and the time in minutes between requests from the main IP address. OOPS, it won't allow me to attach either an .xls or .txt file! It stays pretty close to 40 minutes between requests from the same IP, except for occasional 80 minute separations (maybe I missed a couple??). Must be an automated operation, but far short of a DDoS.

OK, I'll post the log file I created as a spreadsheet, as Text:
Date            Time    Minutes IP Address
4/3/2013        3:49 PM         188.143.234.127
4/5/2013        7:25 AM         188.143.232.111
4/5/2013        8:08 AM  43     188.143.232.111
4/5/2013        8:44 PM  36     188.143.232.111
4/5/2013        9:21 AM  37     188.143.232.111
4/5/2013        9:58 AM  37     188.143.232.111
4/5/2013        10:35 AM 37     188.143.232.111
4/5/2013        11:12 AM 37     188.143.232.111
4/5/2013        11:48 AM 36     188.143.232.111
4/5/2013        12:25 PM 37     188.143.232.111
4/5/2013        1:02 PM  27     188.143.232.111
4/5/2013        1:39 PM  37     188.143.232.111
4/5/2013        2:16 PM  37     188.143.232.111
4/5/2013        2:53 PM  37     188.143.232.111
4/5/2013        6:31 PM  38     188.143.232.111
4/5/2013        7:08 PM  37     188.143.232.111
4/5/2013        7:45 PM  37     188.143.232.111
4/5/2013        8:22 PM  37     188.143.232.111
4/5/2013        9:36 PM  74     188.143.232.111
4/5/2013        10:14 PM 38     188.143.232.111
4/5/2013        10:51 PM 37     188.143.232.111
4/5/2013        11:29 PM 38     188.143.232.111
4/6/2013        12:06 PM 37     188.143.232.111
4/5/2013        12:44 AM 38     188.143.232.111
4/5/2013        1:23 AM  39     188.143.232.111
4/5/2013        2:00 AM  37     188.143.232.111
4/5/2013        2:37 AM  37     188.143.232.111
4/5/2013        3:15 AM  38     188.143.232.111
4/5/2013        3:52 AM  37     188.143.232.111
4/5/2013        5:06 AM  74     188.143.232.111
4/5/2013        5:44 AM  38     188.143.232.111
4/5/2013        6:21 AM  37     188.143.232.111
4/5/2013        6:59 AM  38     188.143.232.111
4/5/2013        7:36 AM  37     188.143.232.111
4/5/2013        8:14 AM  38     188.143.232.111
4/5/2013        8:52 AM  38     188.143.232.111
4/5/2013        10:08 AM 16     188.143.232.111
4/5/2013        10:46 AM 34     188.143.232.111
4/7/2013        2:04 AM 198     188.143.232.111
4/7/2013        2:43 AM  39     188.143.232.111
4/7/2013        3:23 AM  43     188.143.232.111
4/7/2013        4:02 AM  39     188.143.232.111
4/7/2013        4:43 AM  41     188.143.232.111
4/7/2013        5:22 AM  39     188.143.232.111
4/7/2013        6:02 AM  40     188.143.232.111
4/7/2013        6:41 AM  39     188.143.232.111
4/7/2013        7:20 AM  39     188.143.232.111
4/7/2013        7:59 AM  39     188.143.232.111
4/7/2013        9:19 AM  80     188.143.232.111
4/7/2013        9:58 AM  39     188.143.232.111
4/7/2013        10:39 AM 41     188.143.232.111
4/7/2013        11:17 AM 38     188.143.232.111
4/7/2013        11:57 AM 41     188.143.232.111
4/7/2013        12:38 PM 41     188.143.232.111
4/7/2013        1:06 PM         188.143.234.127
4/7/2013        1:17 PM  39     188.143.232.111
4/7/2013        1:56 PM  39     188.143.232.111
4/7/2013        2:35 PM         86.96.56.80
4/7/2013        2:35 PM         219.150.204.30
4/7/2013        3:15 PM  79     188.143.232.111
4/7/2013        3:33 PM         86.96.41.217
4/7/2013        3:33 PM         172.16.1.254
4/7/2013        3:54 PM  39     188.143.232.111
4/7/2013        4:33 PM         176.205.178.105
4/7/2013        4:34 PM         218.207.82.93
4/7/2013        4:34 PM  40     188.143.232.111
4/7/2013        5:11 PM  37     188.143.232.111
4/7/2013        5:33 PM         110.77.233.39
4/7/2013        5:33 PM         94.59.169.202
4/7/2013        5:51 PM  38     188.143.232.111
4/7/2013        6:30 PM  39     188.143.232.111
4/7/2013        6:34 PM         199.127.103.214
4/7/2013        6:36 PM         119.147.146.14
4/7/2013        7:10 PM  40     188.143.232.111
4/7/2013        7:41 PM         54.235.210.159
4/7/2013        7:41 PM         217.164.216.219
4/7/2013        7:50 PM  40     188.143.232.111
4/7/2013        8:32 PM  42     188.143.232.111
4/7/2013        8:47 PM         211.232.138.177
4/7/2013        8:48 PM         113.161.70.62
4/7/2013        9:13 PM  41     188.143.232.111
4/7/2013        9:53 PM         220.173.143.38
4/7/2013        9:54 PM         192.168.30.1
4/7/2013        9:56 PM         92.99.139.86
4/7/2013        9:57 PM         95.70.30.152
4/7/2013        11:16 PM 76     188.143.232.111
 


PostPosted: Mon Apr 08, 2013 3:12 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
I've reviewed my Apache logs over part of this period, and they mostly confirm what I logged from my notification emails, BUT there ARE discrepancies! For example, I do NOT find any log entry for the odd 192.168.x.x entry, although I find the ones immediately before and after! Now I'm REALLY confused!


PostPosted: Mon Apr 08, 2013 7:26 pm 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
That is pretty strange, as AFAIK you can't spoof the IP of the server making the request, as the server needs to know where to route traffic back out to. (Of course, I guess if you are only forcing the POST and don't care about the response, it wouldn't matter; I just don't see someone going to that much effort to spam a site.)

Did you hear anything back from GoDaddy?


PostPosted: Mon Apr 08, 2013 7:44 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Haven't called GoDaddy yet, but I will tomorrow. I went through the same thought process about IPs, but in any case it wouldn't matter, since my blocking algorithm doesn't care if the IP is legit, it just checks what it is told, and if that's one that I've added into my local blacklist array, it should halt the execution right there. I just returned from an errand that took an hour plus, having opened up my script again, and sure enough, I've had 4 new hacks, same kind of content (really filthy) but from new IP addresses! This could be spoofing or it could be a botnet, but it was new IPs that I hadn't added to my blacklist. Maybe that's a bit of a clue. My blacklist() function includes sending queries to a half dozen or so DNSBLs, just for good measure, but I manually looked up several of the IPs in some of the DNSBLs and they weren't listed there anyway.

Oh, there! I just got 2 more, just in the space of time of my writing this reply! Maybe I've made him mad. LOL! I'm going to shut it down again.


PostPosted: Mon Apr 08, 2013 8:12 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
I examined the contents of these messages and found that 80% of them contained the word "lolita", so I added that to my stopwords array (that I've had in there all along, looking for pharmaceutical words, which were a problem for awhile, but not nearly like this). I'm going to turn it on again and see what happens.


PostPosted: Tue Apr 09, 2013 1:36 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
So, the problem is far more mundane than I thought :) I can see two problems in your setup:

1. Offending IPs in the logs are 188.143.234.127 and 188.143.232.111 while the IPs you've blocked are "188.243.232.111", "188.243.234.127",

2. Some of the other entries in $mybl are not separated by a comma, but by a dot :twisted:

I'd say, califdon, that past you really wanted to check how present you is doing with his eyesight. Having had the same things done to me by my past me, we should make a club: "Past me is a bastard"! :P


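The two defects Mordred points out (a mistyped octet, and a '.' where a ',' was meant between two array entries) share one root cause: the list was never checked against what it was supposed to contain. Below is an added example, not the original poster's code, of a blocklist check that validates every entry at load time, supports CIDR ranges, and is meant to run at the top of the script that processes the POST rather than the one that displays the form. The addresses are the ones quoted in the thread; the /24 ranges and the `compile_blocklist`/`is_blocked` names are illustrative assumptions, and the bit arithmetic assumes 64-bit PHP.

```php
<?php
// Added example, not the original poster's code: an IP blocklist that validates
// its own entries at load time, so a mistyped octet or a '.' where a ',' was
// meant fails loudly instead of silently never matching. Addresses are the
// ones quoted in the thread; the /24 ranges are illustrative assumptions.
// Integer masks below assume 64-bit PHP.
declare(strict_types=1);

/**
 * Compile "a.b.c.d" or "a.b.c.d/n" strings into [network, mask] integer pairs.
 * Anything that is not a valid IPv4 address is rejected, which is exactly what
 * a concatenated entry such as "218.207.82.93110.77.233.39" is.
 */
function compile_blocklist(array $entries): array
{
    $compiled = [];
    foreach ($entries as $entry) {
        [$addr, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            throw new InvalidArgumentException("bad blocklist entry: '$entry'");
        }
        if (!ctype_digit($bits) || (int) $bits > 32) {
            throw new InvalidArgumentException("bad prefix length in '$entry'");
        }
        $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
        $compiled[] = [ip2long($addr) & $mask, $mask];
    }
    return $compiled;
}

/** True if $ip (dotted quad) falls inside any compiled entry. Anything that is
 *  not a valid IPv4 address is treated as blocked rather than guessed at. */
function is_blocked(string $ip, array $compiled): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return true;
    }
    $n = ip2long($ip);
    foreach ($compiled as [$net, $mask]) {
        if (($n & $mask) === $net) {
            return true;
        }
    }
    return false;
}

// 1. The list as it was posted: the missing comma makes PHP join the two
//    strings into one entry, and the compile step refuses it.
try {
    compile_blocklist([
        "188.243.232.111",
        "218.207.82.93" .      // '.' where ',' was meant
        "110.77.233.39",
    ]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}

// 2. The corrected list, keyed to what the access log actually showed.
$blocklist = compile_blocklist([
    "188.143.232.0/24",    // assumed range around 188.143.232.111
    "188.143.234.0/24",    // assumed range around 188.143.234.127
    "86.96.56.80",
]);
foreach (["188.143.232.111", "188.243.232.111", "86.96.56.80"] as $ip) {
    printf("%-16s %s\n", $ip, is_blocked($ip, $blocklist) ? 'blocked' : 'allowed');
}

// 3. Guard the script that processes the POST, not just the one that shows the
//    form. Only REMOTE_ADDR is the TCP peer; X-Forwarded-For is client-supplied
//    and must not be consulted unless a trusted proxy set it.
if (PHP_SAPI !== 'cli' && is_blocked($_SERVER['REMOTE_ADDR'] ?? '', $blocklist)) {
    http_response_code(403);
    exit;
}
```

Run it from the command line and the first block prints a rejection for the joined entry, while the second shows 188.143.232.111 blocked and the mistyped 188.243.232.111 allowed, which is the mismatch the thread spent two days on. Keeping the list in a compiled form also means a single typo surfaces the next time the script is loaded rather than the next time the spammer posts.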
PostPosted: Tue Apr 09, 2013 2:17 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Oh, some other notes:
I'm not sure how useful the DNSBL thing would be (since most spam attacks nowadays come from botnets), but sure as hell it would slow your page down. 6 synchronous DNS queries are not something to play with in a "real-er" production environment.
IP blacklists are useful for not-much-resourceful spammers, but a wordlist (take care with that - there are words like spegrilled spamt (specialist) that can bite you back) and ultimately a captcha would be a better choice.

You can try an easier human-transparent captcha with a hidden form field that a bot would fill, but a human would not.


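The two checks Mordred describes, a hidden honeypot field and a stopword list, as an added example that is not code from the thread. The stopword match is done on whole words so that "specialist" does not trip a "cialis" entry, which is the false positive Mordred warns about. The field name `website`, the function names, the stopword list and the sample submissions are all made up here.

```php
<?php
// Added example, not code from the thread: a honeypot form field plus a
// whole-word stopword check. Field names, stopwords and the sample
// submissions below are constructed for illustration.
declare(strict_types=1);

const HONEYPOT_FIELD = 'website';   // assumed name; a human never fills it in

/** The form markup. The trap is hidden with CSS rather than type="hidden":
 *  many bots skip type="hidden" but fill every text input they find. */
function render_form(): string
{
    $hp = HONEYPOT_FIELD;
    return <<<HTML
<form method="post" action="post.php">
  <input type="text" name="name">
  <input type="email" name="email">
  <textarea name="message"></textarea>
  <div style="position:absolute;left:-10000px" aria-hidden="true">
    <label>Leave this empty <input type="text" name="{$hp}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Post</button>
</form>
HTML;
}

/** Any non-empty value in the hidden field marks the submission as a bot's. */
function honeypot_tripped(array $post): bool
{
    return isset($post[HONEYPOT_FIELD]) && trim((string) $post[HONEYPOT_FIELD]) !== '';
}

/** Case-insensitive match on whole words only; returns the matching stopword
 *  or null. The \b anchors keep "cialis" from matching inside "specialist". */
function matched_stopword(string $text, array $stopwords): ?string
{
    foreach ($stopwords as $word) {
        if (preg_match('/\b' . preg_quote($word, '/') . '\b/iu', $text) === 1) {
            return $word;
        }
    }
    return null;
}

/** Null means accept; otherwise a short reason to put in the notification mail. */
function reject_reason(array $post, array $stopwords): ?string
{
    if (honeypot_tripped($post)) {
        return 'honeypot';
    }
    $body = ($post['name'] ?? '') . ' ' . ($post['message'] ?? '');
    $hit  = matched_stopword($body, $stopwords);
    return $hit === null ? null : "stopword:$hit";
}

// Constructed submissions, not real traffic.
$stopwords = ['lolita', 'cialis'];
$samples = [
    'shipmate' => ['name' => 'Don', 'message' => 'Anyone from the 1954 cruise?',    HONEYPOT_FIELD => ''],
    'botfill'  => ['name' => 'x',   'message' => 'nice site',                       HONEYPOT_FIELD => 'http://spam.example'],
    'pharma'   => ['name' => 'y',   'message' => 'Cheap CIALIS here',               HONEYPOT_FIELD => ''],
    'innocent' => ['name' => 'Ann', 'message' => 'Dad was the radar specialist.',   HONEYPOT_FIELD => ''],
];
foreach ($samples as $label => $post) {
    printf("%-9s -> %s\n", $label, reject_reason($post, $stopwords) ?? 'accepted');
}
```

The honeypot costs nothing per request and needs no third-party service, which suits a low-traffic site better than six synchronous DNSBL queries. Its weakness is a bot that has been tuned against this particular form, so the stopword list and, if it comes to that, a CAPTCHA remain the fallbacks.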
PostPosted: Tue Apr 09, 2013 11:55 am 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Many, many thanks, Mordred! And I accept your invitation to join the new club! And you are so right, my eyesight really is one part of my problem, but my failure to check such obvious errors can't be excused by that, either. We all know how hard it is to proofread one's own code, though, don't we?

I've had some thoughts about the DNSBLs, too, and thank you again for confirming that. I will remove that part of the function. Indeed, since these current attacks seem to be a botnet and seem to be automated (every 40 minutes), a good captcha would probably be more effective than anything else. I will look into that and probably add a captcha.

Very helpful observations!




Powered by phpBB® Forum Software © phpBB Group