PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
All times are UTC - 5 hours




PostPosted: Tue Apr 09, 2013 1:43 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Urrrrkk!! I just realized that I do have a captcha on the form (remember, I wrote this code more than 10 years ago)! It's apparently not a very secure one, or he's bypassing the form, perhaps just POSTing directly to my script??? Hmmm, I'm going to have to think through how my whole database interface works, to see how he's avoiding or defeating my captcha!! New challenge!


PostPosted: Tue Apr 09, 2013 2:52 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Update: The attacks are not coming as frequently as before, and they are all from different IP addresses, but it appears that neither my captcha on the form page nor the 'nasty words' check that I do is preventing the hacker from posting! Does that suggest that he is just using POST requests to spoof my action script? And if so, how is he avoiding my captcha (a simple Ajax-based routine I got a decade ago, but I don't see how it can be easily defeated)?

I really don't understand why he is focusing on my site, which is low traffic. It must be either random or he sees that I'm responding and he sees it as a challenge, the putz!


PostPosted: Wed Apr 10, 2013 1:29 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Well, if you're making those captcha checks only on the client side, then yes - directly posting the form will trivially bypass it. You should pass the captcha key to the form and repeat the same checks on the server side again.


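A server-side check of the kind Mordred describes, as an added example that is not code from the thread or from Don's site. It assumes a session array (in a real script, `$_SESSION` after `session_start()`), a form field named `captcha`, and a randomly generated arithmetic question; any question whose answer only the server knows works the same way. The point is that the answer never leaves the server, so a client that skips the form page has nothing to match against.

```php
<?php
// Added example: CAPTCHA verified on the server, bound to the PHP session.
// Not code from the original thread; field names and the question are
// assumptions for illustration.

declare(strict_types=1);

// Step 1 (form page): create a challenge and remember its answer server-side.
function issueCaptcha(array &$session): array
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    // Only the expected answer and an issue time live in the session; the
    // browser never sees the answer, so there is nothing client-side to skip.
    $session['captcha_answer'] = (string)($a + $b);
    $session['captcha_issued'] = time();
    return ['question' => "What is $a + $b?"];
}

// Step 2 (action script): verify what was POSTed against the session.
// Returns null on success or a reason string on failure.
function verifyCaptcha(array $post, array &$session, int $maxAgeSeconds = 900): ?string
{
    if (!isset($session['captcha_answer'], $session['captcha_issued'])) {
        return 'no captcha was issued for this session (direct POST?)';
    }
    $expected = $session['captcha_answer'];
    $issued   = $session['captcha_issued'];
    // One attempt per challenge: clear it before comparing so a failed or
    // replayed submission cannot reuse the same answer.
    unset($session['captcha_answer'], $session['captcha_issued']);

    if (time() - $issued > $maxAgeSeconds) {
        return 'captcha expired';
    }
    $given = trim((string)($post['captcha'] ?? ''));
    // Constant-time comparison of the two short strings.
    if (!hash_equals($expected, $given)) {
        return 'wrong captcha answer';
    }
    return null;
}

// Demo harness (CLI): simulate the form page, then three submissions.
$session   = [];
$challenge = issueCaptcha($session);
echo "Form shows: {$challenge['question']}\n";

// A script that never loaded the form has no session answer to match.
$fresh = [];
echo "Direct POST: ", verifyCaptcha(['captcha' => '7'], $fresh) ?? 'accepted', "\n";

// A browser that loaded the form and answered correctly.
$answer = $session['captcha_answer'];
echo "Correct answer: ", verifyCaptcha(['captcha' => $answer], $session) ?? 'accepted', "\n";

// Re-sending the same answer fails because the challenge was consumed.
echo "Replay: ", verifyCaptcha(['captcha' => $answer], $session) ?? 'accepted', "\n";
```

Run it with `php captcha.php`; the direct POST and the replay are both rejected, only the answered challenge is accepted. Because the challenge is consumed on first use, a bot that harvests one correct answer cannot reuse it for a batch of posts.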
PostPosted: Wed Apr 10, 2013 2:12 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
califdon wrote:
It must be either random or he sees that I'm responding and he sees it as a challenge

On a psychological level this is a challenge to the attacker; you mention that the site is low traffic so the reasoning could be "no-one is watching the site so why not take the chance" (and to test their skills)? You attempting to stop it ups the stakes.

On the upside (if you like being optimistic) it seems that the attacker has a limited skill-set, which could also explain the attacks on a site that isn't mainstream + the attacks being trivial in nature.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Wed Apr 10, 2013 11:21 am 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Thanks again to all. Having support from you guys really makes it feel like I'm not the Lone Ranger -- at least I've got Tonto on my side! (Sorry if the reference doesn't mean so much to you younger guys!) Now for the good news: I haven't seen a breach in a whole day!

WHAT I DID:
I'm embarrassed to admit this, but it looks like the problem was entirely my careless programming. Once Mordred's sharp eye spotted my error in the IP address I was blocking, and the 2 periods that needed to be commas in my values list for the bad words array, I think they both worked as I thought they should. And further, I'm going to take his advice on the captcha and pass the code to the form and check it again at the server, something that I don't think I've seen done in the captcha examples I've seen, but which makes good sense.

In any case, THANKS to all, and I think this case is closed--at least, I hope so!


PostPosted: Wed Apr 10, 2013 3:46 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13590
Location: New York, NY, US
As the USS Electra steams quietly into the sunset... :)

_________________
(#10850)


PostPosted: Wed Apr 10, 2013 4:33 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
:D except that she did that in November 1955! I helped decommission her.


PostPosted: Thu Apr 11, 2013 12:26 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13590
Location: New York, NY, US
Yeah, I remember you telling me that story long ago. I just like the visual! ;)

_________________
(#10850)


PostPosted: Tue Nov 19, 2013 11:17 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
The attacks described above ended abruptly shortly after my last previous post, some 6 months ago, but it is beginning again! This time, there is no nasty language, but each post contains a different web link (which I haven't followed, but no doubt are either malware infested or at the very least, spam) and they all are coming from new and different IP addresses. It began about a week ago with onesy-twosy posts, and recently escalated to maybe 3 to 6 posts per day, then skipping a day or two. I'm not sure it's from the same hacker, but I now suspect that it's indeed a bot net and that the originator has cranked up a new one because the old one got destroyed. It seems odd that there would be such a low activity bot net, though. He's certainly not getting much bang for his buck, because of the relatively low volume and attacking my site is ridiculous because my traffic volume is so low! At its current level, it's hardly even an annoyance anymore. I get a couple of emails a day that I can just click on a link and delete the post from my database. But the idea that someone is doing this is sure disgusting!


PostPosted: Wed Nov 20, 2013 1:50 pm 
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
Have you changed the code to verify the captchas on the server side?

These guys usually get paid per post. They build massive databases with fake accounts, scripts, and exploits. Sites with no exploits require them to type in captchas all day long, but their tools automate the login/posting process.


PostPosted: Fri Nov 22, 2013 6:16 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Eric! wrote:
Have you changed the code to verify the captchas on the server side?

These guys usually get paid per post. They build massive databases with fake accounts, scripts, and exploits. Sites with no exploits require them to type in captchas all day long, but their tools automate the login/posting process.


Here's a status update: First, it looks like the hacker is using 2 techniques, one of which bypasses my script, because nearly half of the bad posts did NOT generate emails to me, and it was only when I gathered statistics for THIS forum post that I realized that, on the same days that I got one or more bad post messages, there were one or more other bad posts, in the same format, that didn't generate my notification emails and were still visible on the site!! I have removed them with phpmyadmin. My guess is that there are now 2 different botnets out there. And now, the past several days, there have been no bad posts at all. Here's how many bad posts per day were made, in the same format, in recent weeks, after months of absolutely zero bad posts:
10/14: 1
10/15: 2
10/16: 1
11/09: 2
11/10: 5
11/11: 3
11/12: 1
11/13: 3
11/14: 8
11/15: 1
11/16: 5
11/18: 1

Each post comes from a different IP address, but all are nearly identical in format. Here are just 2 examples:

Quote:
Record was added in the usselectra.org log book from 188.143.232.111:

ID=395
DATETIME=2013-10-15 10:43:59
NAME=Brooke
ADDRESS=UBGBAZTzXrxTGUeUzW
STATE=NY
EMAIL=freelife@yahoo.com
RANK=yWXQahYl
SERVEDFROM=NY
SERVEDTO=ONZrkGIpcbPQA
MESSAGE=Get a job https://[url redacted]/zoviraxbuyeug rx acyclovir marked up six times before being sold to the consumer.

Quote:
Record was added in the usselectra.org log book from 46.105.114.75:

ID=420
DATETIME=2013-11-14 01:05:22
NAME=Victoria
ADDRESS=ABqGSxSqDvfWYy
STATE=NY
EMAIL=behappy@yahoo.com
RANK=zOFIbuJC
SERVEDFROM=NY
SERVEDTO=gqdBFZdzetTcox
MESSAGE=Excellent work, Nice Design http://[url redacted]/trazodone/ trazodone er to another claim line in the same claim form, enter the other prior approval/authorization


To answer your question, back last Spring, I changed the Captcha to a simple question: What number was painted on the hull of Electra? A live person could easily answer that by looking at the photo on the home page, but I figured a bot could not. I also added a hidden <input> field, in case a bot was harvesting my html and filling in all fields. On the server side, if there is a $_POST value for that field, I know the form wasn't filled in by a human and I reject it. I guess my next step is to add to my notification email whether or not there was anything submitted for that field. Oh, and I just added a regex check for "http" in the message, since there is really no need for any legitimate poster to include a URL. I should have done that long ago. We'll see if the posting stops now.

Anyway, the patterns here are quite interesting to me. Although the IP addresses are different, a few have shown up more than once; the supposed email addresses entered (I'm sure they are not valid) are different, but mostly from a few of the major email hosts: msn, yahoo, gmail, hotmail; I receive only a small number of bad posts on any one day and some days are skipped entirely; every one of them is in a strict format, including a URL, some of which look like they may be valid (if they are spamming or really trying to get traffic to some sites, they would have to be, of course, but I haven't tried to visit any of them--maybe I'll do that on a different computer, where I wouldn't mind so much if it was infected with malware--maybe my Linux machine); and there is always a very short phrase before the URL and a nonsense string of words, often not even a sentence, usually containing the name of a pharmaceutical, after the URL.

I'm curious as hell about what the hacker is up to, as well as how he's getting around several of the things that I (in my innocence) tried to do to catch his bad posts.

Don


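The server-side screening Don describes in this post (a hidden honeypot field, a URL check on the message, and a notification that says whether the hidden field was filled), as an added example that is not the site's own action script. The field names, the honeypot name `website`, the length limit and the sample submissions are all assumptions constructed for the demo; the sample records are modelled on the log-book format quoted above but use reserved example addresses.

```php
<?php
// Added example, not code from the thread: server-side screening of a
// log-book POST using (1) a honeypot field humans never see, (2) a URL
// check on the message, (3) a record of *why* a post was rejected so the
// notification email carries that detail. Field names are assumptions.

declare(strict_types=1);

// Hidden field: rendered off-screen or with display:none and left empty by a
// browser user. The name is assumed; it should look plausible to a bot.
const HONEYPOT_FIELD = 'website';

/** Returns the list of reasons the post is rejected; an empty list = accept. */
function screenPost(array $post): array
{
    $reasons = [];

    // (1) Anything at all in the honeypot means a script filled the form.
    if (trim((string)($post[HONEYPOT_FIELD] ?? '')) !== '') {
        $reasons[] = 'honeypot field "' . HONEYPOT_FIELD . '" was filled';
    }

    // (2) No legitimate log-book entry needs a link: reject http(s) URLs and
    // scheme-less "www." links too.
    $message = (string)($post['message'] ?? '');
    if (preg_match('~\b(?:https?://|www\.)~i', $message)) {
        $reasons[] = 'message contains a URL';
    }

    // (3) Required fields must be present and not absurdly long (byte length).
    foreach (['name', 'message'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '') {
            $reasons[] = "missing $field";
        } elseif (strlen($value) > 2000) {
            $reasons[] = "$field too long";
        }
    }
    return $reasons;
}

/** Builds the notification text, including which checks fired. */
function notificationBody(array $post, array $reasons, string $remoteAddr): string
{
    $status = $reasons ? 'REJECTED: ' . implode('; ', $reasons) : 'accepted';
    $lines  = ["Log book submission from $remoteAddr ($status)"];
    foreach (['name', 'state', 'email', 'message', HONEYPOT_FIELD] as $field) {
        // Strip CR/LF so a submitted value cannot inject extra lines into the mail.
        $value   = str_replace(["\r", "\n"], ' ', (string)($post[$field] ?? ''));
        $lines[] = strtoupper($field) . '=' . $value;
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample submissions (not real posts): one human, one bot.
$human = ['name' => 'Jane', 'state' => 'CA', 'email' => 'jane@example.com',
          'message' => 'Served aboard 1953-55. Great to find this page!'];
$bot   = ['name' => 'Victoria', 'state' => 'NY', 'email' => 'behappy@example.com',
          'message' => 'Excellent work http://example.invalid/trazodone/ trazodone er',
          HONEYPOT_FIELD => 'http://example.invalid'];

foreach (['human' => $human, 'bot' => $bot] as $label => $post) {
    $reasons = screenPost($post);
    echo "== $label ==\n", notificationBody($post, $reasons, '192.0.2.10');
}
// In the real action script: if ($reasons) { log and mail, but do not INSERT; }
```

The bot sample is rejected for two reasons (honeypot filled, URL in message) and the notification says so; the human sample is accepted. Reporting every reason rather than stopping at the first one is what makes the emails useful for spotting which of the checks a given bot gets past.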
PostPosted: Sat Nov 23, 2013 6:02 pm 
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
As you're finding, IP addresses are pretty meaningless.

Also since your question's answer doesn't change, it is pretty easy to automate a login. Same for the hidden fields, pretty trivial. One step above that is to generate a javascript token and submit that too with the form data. But authenticating and checking the token is a lot of work. The spammer would have to sit down and emulate your javascript token scheme or use some kind of web-kit login tool that will run javascript.

Blocking URLs is often very effective at stopping spammers; many sites can't get away with limiting users like that, though. I'll bet you see a drop now.

Do you validate users' email addresses with a link? This sometimes helps slow down automatic account creation tools. But many of them also monitor yahoo/gmail/etc. for response links and then submit them automatically too.

Quote:
First, it looks like the hacker is using 2 techniques, one of which bypasses my script, because nearly half of the bad posts did NOT generate emails to me....

This is more worrying, because if you expect every post to generate messages to you then they have probably found a hole in your system and your code is not working as expected. This could mean there are deeper problems. Perhaps you need to write some monitoring code to trap these cases and log some debug info so you can see what is going on.

In the other case, where they follow your login fields and post like a valid user, there isn't a whole lot more you can do than monitor and delete. Sometimes they even spam the old-fashioned manual way. Spammers spam spam spam.

Since you seem to be interested in these guys, I should add that if you want to track them then it's best not to change your code to block them, but to track them and collect more data on them. You can feed them a cookie for tracking and see if they swallow. You can also see if they are accepting images, javascript. Are they using real useragents strings? Once your code triggers on a possible spammer you can record all their requests, time frames and activity to see if there is something there that reveals what they are doing.


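The monitoring Eric suggests in this post (log debug info for the cases that slip through, feed the visitor a cookie and see if it comes back, note whether the user agent and a JavaScript-set token are present), as an added example that is not code from the thread. Rather than blocking a suspected bot outright, it records the signals for one flagged request as a JSON line. The cookie name, the secret, the log path, the `js_token` field and the form-issued timestamp (assumed to be stored in the session when the form page is served) are all assumptions.

```php
<?php
// Added example (not code from the thread): record what a suspicious
// submission looked like instead of silently blocking it, so patterns can be
// studied later. Cookie name, secret, log path and field names are assumptions.

declare(strict_types=1);

const TRACK_COOKIE = 'lb_track';
const TRACK_SECRET = 'replace-with-a-long-random-secret';  // placeholder value

// Mints an opaque tracking cookie; the HMAC lets us tell forged values from
// ones this server actually issued.
function mintTrackingCookie(): string
{
    $id = bin2hex(random_bytes(8));
    return $id . '.' . hash_hmac('sha256', $id, TRACK_SECRET);
}

function trackingCookieIsValid(?string $value): bool
{
    if ($value === null || strpos($value, '.') === false) {
        return false;
    }
    [$id, $mac] = explode('.', $value, 2);
    return hash_equals(hash_hmac('sha256', $id, TRACK_SECRET), $mac);
}

/** Collects the signals about one request into an array suitable for logging. */
function describeRequest(array $server, array $cookies, array $post, int $formIssuedAt, int $now): array
{
    $ua = (string)($server['HTTP_USER_AGENT'] ?? '');
    return [
        'ts'              => date('c', $now),
        'ip'              => $server['REMOTE_ADDR'] ?? '',
        'user_agent'      => $ua,
        'ua_present'      => $ua !== '',
        'referer'         => $server['HTTP_REFERER'] ?? '',
        // Did the client send back a cookie we issued on an earlier response?
        'cookie_returned' => trackingCookieIsValid($cookies[TRACK_COOKIE] ?? null),
        // A hidden field that only page JavaScript fills in (assumed field name).
        'js_token_sent'   => isset($post['js_token']) && $post['js_token'] !== '',
        // Seconds between the form being served and the POST arriving; people
        // take tens of seconds, scripts usually post almost immediately.
        'fill_seconds'    => $now - $formIssuedAt,
        'field_names'     => array_keys($post),
    ];
}

/** Appends one JSON line per flagged request and returns the line written. */
function logSuspect(string $logPath, array $record, array $reasons): string
{
    $record['reasons'] = $reasons;
    $line = json_encode($record, JSON_UNESCAPED_SLASHES) . "\n";
    file_put_contents($logPath, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// Constructed sample (not a real request): a POST with no user agent, no
// cookie echoed back, no JS token, arriving one second after the form was served.
$server  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => '', 'HTTP_REFERER' => ''];
$cookies = [];
$post    = ['name' => 'Brooke', 'message' => 'Get a job http://example.invalid/x'];
$now     = time();
$record  = describeRequest($server, $cookies, $post, $now - 1, $now);
echo logSuspect(sys_get_temp_dir() . '/suspects.jsonl', $record, ['message contains a URL']);

// On every response, set the cookie so later requests can be correlated:
// setcookie(TRACK_COOKIE, mintTrackingCookie(), ['httponly' => true, 'samesite' => 'Lax']);
```

Each line in `suspects.jsonl` then answers the questions Eric raises for one request: was there a real user agent, did the client keep the cookie, did it run the page JavaScript, and how fast did it fill the form. Reviewing a week of those lines side by side is what separates "two different botnets" from "one botnet that sometimes loads the form page and sometimes doesn't".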
PostPosted: Sat Nov 23, 2013 6:23 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Thanks, Eric. Those are very helpful suggestions and if the attacks continue (I haven't received any for several days now), I will try to implement several of those suggestions. Yes, I am worried by the apparent dual exploits that I observed very recently. Admittedly, I'm not an experienced security developer, but I don't understand how nearly half of a recent flurry of bad posts bypassed my notification email routine; since that clearly worked, why would the other half of them during the same time period trigger the emails?? My conclusion was that there is now an "old" botnet and a "new" botnet and they are just allowing the "old" one to continue in parallel. I'm sure I'm not the only target, that would be silly, so maybe the "old" botnet is still useful to them on other targets. Does that make sense?

Anyway, I think that I will go to the trouble of generating a token of some sort and checking it on the server, and I like the email verification technique, too, even though it does impose a small inconvenience on the visitor.

I sure appreciate all the suggestions and advice I have received here from more experienced developers!

Don


PostPosted: Mon Dec 30, 2013 2:29 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
It has been well over a month and I haven't seen a single additional bad post. I'm not sure that anything I did resulted in the improvement, though. This is more or less what happened 3 years ago when the site experienced a similar attack. I suspect that either the hacker has been caught, or that he just gave up and moved on to more productive targets. It was certainly a learning experience for me, and my intention is to continue reviewing the coding of the site and implementing some more efficient security strategies--but with a little less urgency. Thanks again to all.


PostPosted: Mon Dec 30, 2013 5:39 pm 
Forum Newbie

Joined: Sat Dec 28, 2013 5:02 pm
Posts: 15
Hi guys!

My newly created log file got interesting today: in the last 24 hrs I got over 200 attempts from spam bots trying to get into my forum. After digging into it, it was kinda like a Fortune Cookie gone bad......kinda, anyways. This picture shows where they added Chinese language to one of my Q&A text boxes, so naturally at first my notepad did not know how to display these characters, as you can see, so I decided to cut and paste it into an e-mail to a friend of mine and all of a sudden the special characters were that Chinese language, so I plugged that into Google Translate. What do you guys make of this? Some kids fooling around? Under each line is the translation.


Attachments:
log-file.JPG
Powered by phpBB® Forum Software © phpBB Group