Hacker posting to my website [RESOLVED--well, sort of]

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by Celauran »

The email field is obvious, but we have no idea what the other two fields are meant to represent. Are there other fields in the form not included in this document? Not much to work with, I'm afraid.
User avatar
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by califdon »

Yeah, you're really getting hit! I'm not surprised it's Chinese, there's a lot of very active spammers there (well, it's a huge country!). Are there URL links in them? I'd say there's no point in complaining to anybody, they're not going to do anything to them. Better to concentrate on how to detect them and just not accept the baddies into your database. The detection is the hard part. For Chinese characters, I suppose you could test anything that is supposed to be English text to see if it contains any non-ASCII characters (I can't think right now just how to do that, but I'm sure it's possible), but that wouldn't help for plain English spams. A good Captcha routine might help, but as someone pointed out earlier in this thread, Captchas can be hacked, too. I wouldn't count on this being kids fooling around, though. That's possible, but I think it's more likely that it's a serious spammer who is getting paid by others to get their URLs in front of thousands of pairs of eyes. It's a shame some people aren't willing to do honest work, like maybe prostitution?? [Just kidding, gotta break the tension.]

The options that I can think of include:
  • Code it as a moderated forum, where a post isn't accepted until it has been reviewed by a moderator; but that means that somebody has to read all the posts!
  • Require the poster to supply a valid email address, then send an email to that address, with a validation link to a script that matches the ID of the post and actually posts it; there's probably a way to defeat that, too, but presumably that gives you somebody's real email address that you could later trace.
  • Use a strong Captcha that sends the Captcha data to the server for validation, as mentioned in another post earlier in this thread.
Good luck on this. I hope some of the other guys will respond to you.
User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by Celauran »

The trouble, I think, is that these all look like throwaway Gmail accounts. They could easily retrieve and follow the confirmation links, but having the account reported and blocked probably wouldn't mean much to them. They'd just create another and another and another.... CAPTCHAs can be defeated, honeypots can be defeated, but certainly implementing either or both of those would be a step in the right direction.
User avatar
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by califdon »

Hi Celauran. Happy New Year! :-) You're right, that's the downside of free email accounts like Gmail.

To clarify Tex's post for anyone who didn't read his own thread, it's a PHPBB forum and Tex is a vb.net developer, just getting his feet wet with Linux and PHP. His original thread is viewtopic.php?f=1&t=138955&p=690109#p690109.
tex
Forum Newbie
Posts: 15
Joined: Sat Dec 28, 2013 4:02 pm

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by tex »

I would only report the ones that actually got through and posted spam. So far all I do are three things and its working well, at least for now. One is the Q&A with a question that cannot be easily Goggled, Email confirmation, and 1 post moderation. But last month I was not doing all three and my site got hit bad. The past few years all I had was two of these three and my old Q&A question must of made their list. I also hear these spammers upgraded their scripts or what ever they use and I guess the got a database with all the common Q&A answers so now forum administrators need harder ones. Cat and mouse game for sure.
User avatar
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by califdon »

Tex, do the posts include URL links? That's the most common kind of spam. If they do, how about just rejecting any post that includes "http://"? I did that on my site and I haven't had a single bad post get thru since I did that. If you don't need to allow legitimate links, that might be a first line of defense.
tex
Forum Newbie
Posts: 15
Joined: Sat Dec 28, 2013 4:02 pm

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by tex »

Yes the spammers did post links, but my members do post links that are legitimate as well we share links in our signatures. I hate to loose freedom due to these bandits! Of course pictures of hot babes are OK. Just kidding, I had a long night.

Thanks califdon for introducing my post here on your topic.
User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by Celauran »

What about restricting the ability to post links until a certain post count threshold has been reached? Or requiring posts containing links to require moderation until a similar threshold has been reached?
tex
Forum Newbie
Posts: 15
Joined: Sat Dec 28, 2013 4:02 pm

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by tex »

Yeah that is a good idea. I like to also look at code development and detection and auto deletion ideas, such like was mentioned here.
codex561
Forum Newbie
Posts: 4
Joined: Tue May 13, 2014 9:54 pm

Re: Hacker posting to my website [RESOLVED--well, sort of]

Post by codex561 »

2 things I would do is either add captcha and/or not allow posts with links.
Post Reply