PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours

PostPosted: Tue Apr 09, 2013 1:43 pm
Jack of Zircons
Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Urrrrkk!! I just realized that I do have a captcha on the form (remember, I wrote this code more than 10 years ago)! It's apparently not a very secure one, or he's bypassing the form, perhaps just POSTing directly to my script??? Hmmm, I'm going to have to think through how my whole database interface works, to see how he's avoiding or defeating my captcha!! New challenge!

PostPosted: Tue Apr 09, 2013 2:52 pm
Jack of Zircons
Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Update: The attacks are not coming as frequently as before, and they are all from different IP addresses, but it appears that neither my captcha on the form page nor the 'nasty words' check that I do is preventing the hacker from posting! Does that suggest that he is just using POST requests to spoof my action script? And if so, how is he avoiding my captcha (a simple Ajax-based routine I got a decade ago, but I don't see how it can be easily defeated)?

I really don't understand why he is focusing on my site, which is low traffic. It must be either random or he sees that I'm responding and he sees it as a challenge, the putz!

PostPosted: Wed Apr 10, 2013 1:29 am
DevNet Resident
Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Well, if you're making those captcha checks only on the client side, then yes - directly posting the form will trivially bypass it. You should pass the captcha key to the form and repeat the same checks on the server side again.

PostPosted: Wed Apr 10, 2013 2:12 am
DevNet Master
Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

PostPosted: Wed Apr 10, 2013 11:21 am
Jack of Zircons
Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Thanks again to all. Having support from you guys really makes it feel like I'm not the Lone Ranger -- at least I've got Tonto on my side! (Sorry if the reference doesn't mean so much to you younger guys!) Now for the good news: I haven't seen a breach in a whole day!

WHAT I DID:
I'm embarrassed to admit this, but it looks like the problem was entirely my careless programming. Once Mordred's sharp eye spotted my error in the IP address I was blocking, and the 2 periods that needed to be commas in my values list for the bad words array, I think they both worked as I thought they should. And further, I'm going to take his advice on the captcha and pass the code to the form and check it again at the server, something that I don't think I've seen done in the captcha examples I've seen, but which makes good sense.

In any case, THANKS to all, and I think this case is closed--at least, I hope so!

PostPosted: Wed Apr 10, 2013 3:46 pm
Site Administrator
Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
As the USS Electra steams quietly into the sunset... :)

_________________
(#10850)

PostPosted: Wed Apr 10, 2013 4:33 pm
Jack of Zircons
Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
:D except that she did that in November 1955! I helped decommission her.

PostPosted: Thu Apr 11, 2013 12:26 pm
Site Administrator
Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
Yeah, I remember you telling me that story long ago. I just like the visual! ;)

_________________
(#10850)

PostPosted: Tue Nov 19, 2013 11:17 pm
Jack of Zircons
Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
The attacks described above ended abruptly shortly after my last previous post, some 6 months ago, but it is beginning again! This time, there is no nasty language, but each post contains a different web link (which I haven't followed, but no doubt are either malware infested or at the very least, spam) and they all are coming from new and different IP addresses. It began about a week ago with onesy-twosy posts, and recently escalated to maybe 3 to 6 posts per day, then skipping a day or two. I'm not sure it's from the same hacker, but I now suspect that it's indeed a bot net and that the originator has cranked up a new one because the old one got destroyed. It seems odd that there would be such a low activity bot net, though. He's certainly not getting much bang for his buck, because of the relatively low volume and attacking my site is ridiculous because my traffic volume is so low! At its current level, it's hardly even an annoyance anymore. I get a couple of emails a day that I can just click on a link and delete the post from my database. But the idea that someone is doing this is sure disgusting!

PostPosted: Wed Nov 20, 2013 1:50 pm
DevNet Resident
Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
Have you changed the code to verify the captchas on the server side?

These guys usually get paid per post. They build massive databases with fake accounts, scripts, and exploits. Sites with no exploits require them to type in captchas all day long, but their tools automate the login/posting process.

PostPosted: Fri Nov 22, 2013 6:16 pm
Jack of Zircons
Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA

PostPosted: Sat Nov 23, 2013 6:02 pm
DevNet Resident
Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146

PostPosted: Sat Nov 23, 2013 6:23 pm
Jack of Zircons
Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Thanks, Eric. Those are very helpful suggestions and if the attacks continue (I haven't received any for several days now), I will try to implement several of those suggestions. Yes, I am worried by the apparent dual exploits that I observed very recently. Admittedly, I'm not an experienced security developer, but I don't understand how nearly half of a recent flurry of bad posts bypassed my notification email routine; since that clearly worked, why would the other half of them during the same time period trigger the emails? My conclusion was that there is now an "old" botnet and a "new" botnet and they are just allowing the "old" one to continue in parallel. I'm sure I'm not the only target, that would be silly, so maybe the "old" botnet is still useful to them on other targets. Does that make sense?

Anyway, I think that I will go to the trouble of generating a token of some sort and checking it on the server, and I like the email verification technique, too, even though it does impose a small inconvenience on the visitor.

I sure appreciate all the suggestions and advice I have received here from more experienced developers!

Don
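Server-side verification of the captcha, as Mordred advised earlier in the thread and as Don plans here, written out as an added PHP example; this is not code from the thread or from Don's site. The array standing in for `$_SESSION`, the arithmetic challenge, the 600-second lifetime and the function names `issue_challenge`/`verify_challenge` are assumptions made for the example.

```php
<?php
// Added example: the challenge answer never leaves the server (stored here in an
// array that stands in for $_SESSION), the form carries only an opaque token, and
// the answer is checked again on POST, so posting straight to the script fails.
declare(strict_types=1);

const CAPTCHA_TTL = 600; // seconds a challenge stays valid (assumed value)

// Create a challenge: returns the question to render and the token for a hidden field.
function issue_challenge(array &$store): array
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $token = bin2hex(random_bytes(16));   // unguessable per-form token
    $store['captcha'] = [
        'token'   => $token,
        'answer'  => (string) ($a + $b),  // kept server-side only
        'expires' => time() + CAPTCHA_TTL,
    ];
    return ['question' => "What is $a + $b?", 'token' => $token];
}

// Verify a submission: true only for a fresh, matching, single-use challenge.
function verify_challenge(array &$store, string $token, string $answer): bool
{
    if (!isset($store['captcha'])) {
        return false;                     // no challenge issued: direct POST to the script
    }
    $c = $store['captcha'];
    unset($store['captcha']);             // single use: a replayed token cannot pass
    if (time() > $c['expires']) {
        return false;                     // stale challenge
    }
    // Constant-time comparison of both the token and the answer.
    return hash_equals($c['token'], $token)
        && hash_equals($c['answer'], trim($answer));
}

// Demo with a constructed session array instead of a live $_SESSION.
$session = [];
$form    = issue_challenge($session);
$correct = $session['captcha']['answer'];  // a real visitor reads the rendered question

var_dump(verify_challenge($session, $form['token'], $correct)); // honest first submission
var_dump(verify_challenge($session, $form['token'], $correct)); // replay of the same token
var_dump(verify_challenge($session, 'forged-token', '7'));     // POST with no challenge issued
```

In a live form the token goes into a hidden input and the question is rendered beside the answer box; the Ajax check can stay for usability, but only the server-side result decides whether the post is stored.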
 
PostPosted: Mon Dec 30, 2013 2:29 pm
Jack of Zircons
Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
It has been well over a month and I haven't seen a single additional bad post. I'm not sure that anything I did resulted in the improvement, though. This is more or less what happened 3 years ago when the site experienced a similar attack. I suspect that either the hacker has been caught, or that he just gave up and moved on to more productive targets. It was certainly a learning experience for me, and my intention is to continue reviewing the coding of the site and implementing some more efficient security strategies--but with a little less urgency. Thanks again to all.

PostPosted: Mon Dec 30, 2013 5:39 pm
Forum Newbie
Joined: Sat Dec 28, 2013 5:02 pm
Posts: 15
Hi guys!

My newly created log file got interesting today: in the last 24 hrs I got over 200 attempts from spam bots trying to get into my forum. After digging into it, it was kind of like a fortune cookie gone bad... kind of, anyway. This picture shows where they added Chinese-language text to one of my Q&A text boxes, so naturally at first my notepad did not know how to display these characters, as you can see, so I decided to cut and paste it into an e-mail to a friend of mine and all of a sudden the special characters were Chinese, so I plugged that into Google Translate. What do you guys make of this? Some kids fooling around? Under each line is the translation.

Attachments:
log-file.JPG