once I experienced similar problem with spammer looking for vulnerabilitiesin my feedback form scripts. Of course he used proxies, so denying by IP would have no sense. So I hide the script behind a single shtml page, so that no one could ever know what the real name of any script is. All cgi requests on that sitestarted to be handled by same shtml file, where conditional SSI instructionsdistributed tasks to different scripts by "watermarks" in query string (using regexps). So all forms had action="index.shtml".Spammer started scanning cgi-bin folder looking for scripts named like mail,formmail, friendmail, tellyourfriend, etc.. So the feedback script wasrenamed to abdbxq.cgi. Still the remaining annoyance was to see the spammerflooding my site with requests for nonexisting mail.cgi, formail.pl, and simmilar combinations and hundreds of hits per day. Servers error log was filled with "File does not exist". So I added this to my .htaccess: RewriteEngine on RewriteRule ^(.*)(mail|library|list|form|tell|friend)(.*) http://localhost [nc] Since then my server logs are clean :-)
But that's just security through obscurity. It only gets you so far. I've seen newer variations on this that don't look for common exploits - they spider the site (or maybe it's a human crawler; my bet's on a spider) and look for contact forms, either with common or uncommon names. Once they find a page with a form on it, they submit like crazy to find vulnerabilities. I've seen the same behavior on three different servers, so I know it's not an isolated attack. Often they'll start by submitting the same email address to all the fields on the form, then move on to injecting mail headers into the form input, sometimes with a single dot on a line (to fool sendmail into thinking it's a new message). There's often a common email address in all the bogus ones, usually an AOL address - I'll assume they're setting up free accounts, then abandoning them after they're done with an attack. The last time I saw one of these, they used the same IP until it was blocked, then moved on to another one. Our ultimate solution was to change the form scripts to strip out newline characters - it makes submitted comments look funny, but there's no chance of header injection attacks.
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|