Re: [users@httpd] How to deny access based on user agent - help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



once I experienced similar problem with spammer looking for vulnerabilities
in my feedback form scripts. Of course he used proxies, so denying by IP
would have no sense.

So I hide the script behind a single shtml page, so that no one could ever
know what the real name of any script is. All cgi requests on that site
started to be handled by same shtml file, where conditional SSI instructions
distributed tasks to different scripts by "watermarks" in query string
(using regexps). So all forms had action="index.shtml".

Spammer started scanning cgi-bin folder looking for scripts named like mail,
formmail, friendmail, tellyourfriend, etc.. So the feedback script was
renamed to abdbxq.cgi. Still the remaining annoyance was to see the spammer
flooding my site with requests for nonexisting mail.cgi, formail.pl, and
simmilar combinations and hundreds of hits per day. Servers error log was
filled with "File does not exist". So I added this to my .htaccess:

RewriteEngine on
RewriteRule ^(.*)(mail|library|list|form|tell|friend)(.*) http://localhost
[nc]

Since then my server logs are clean :-)

But that's just security through obscurity. It only gets you so far. I've seen newer variations on this that don't look for common exploits - they spider the site (or maybe it's a human crawler; my bet's on a spider) and look for contact forms, either with common or uncommon names. Once they find a page with a form on it, they submit like crazy to find vulnerabilities. I've seen the same behavior on three different servers, so I know it's not an isolated attack. Often they'll start by submitting the same email address to all the fields on the form, then move on to injecting mail headers into the form input, sometimes with a single dot on a line (to fool sendmail into thinking it's a new message). There's often a common email address in all the bogus ones, usually an AOL address - I'll assume they're setting up free accounts, then abandoning them after they're done with an attack. The last time I saw one of these, they used the same IP until it was blocked, then moved on to another one. Our ultimate solution was to change the form scripts to strip out newline characters - it makes submitted comments look funny, but there's no chance of header injection attacks.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux