How to ban a certain filename from the system?

[cretu]

Hi All,

This might sound like a stupid question, but, hear me out.

We have a spammer, using different IP addresses each time he signs up for the plan, so he's submission looks legimite and we after he initiates "Spam script" from our servers, blocking his IP does not help at all.

Anyway, he's always using same method to spam: he FTPs Perl script called "pvdmail.pl", in the same folder and runs it against flat database file. Of course, we have limit of e-mail sent set in WHM and SIM notification when load goes up, but when we turn attention to load and account spamming, he's usually able to send anywhere from 150 to 250 messages.

Here's my questions, is there a trick.hack.method to stop/ban certain file name from even running? IN this case it would be "pvdmail.pl". This might save us lots of trouble (well, until, he renames the script).

Please let me know.

I appreciate it!

Cretu

[noimad1]

Originally posted by cretu
Hi All,

This might sound like a stupid question, but, hear me out.

We have a spammer, using different IP addresses each time he signs up for the plan, so he's submission looks legimite and we after he initiates "Spam script" from our servers, blocking his IP does not help at all.

Anyway, he's always using same method to spam: he FTPs Perl script called "pvdmail.pl", in the same folder and runs it against flat database file. Of course, we have limit of e-mail sent set in WHM and SIM notification when load goes up, but when we turn attention to load and account spamming, he's usually able to send anywhere from 150 to 250 messages.

Here's my questions, is there a trick.hack.method to stop/ban certain file name from even running? IN this case it would be "pvdmail.pl". This might save us lots of trouble (well, until, he renames the script).

Please let me know.

I appreciate it!

Cretu

Where you able to figure this one out?

[chirpy]

You could prevent FTP uploading of a filename easily enough through proftpd using either DenyFilter or PathDenyFilter:

http://www.proftpd.org/docs/faq/Conf...tml#DenyFilter
http://www.proftpd.org/docs/faq/Conf...PathDenyFilter

But there are easy ways around that, and as you say, they could simply rename the file.

[noimad1]

Originally posted by chirpy
You could prevent FTP uploading of a filename easily enough through proftpd using either DenyFilter or PathDenyFilter:

http://www.proftpd.org/docs/faq/Conf...tml#DenyFilter
http://www.proftpd.org/docs/faq/Conf...PathDenyFilter

But there are easy ways around that, and as you say, they could simply rename the file.

Yea...I use pure-ftp....

I have a problem with one specific customer and a file of his....I know he could re-name the file, but I am testing him out on something. It's kind of a long story....

[Damian]

Adding the following to the top of your httpd.conf file should stop the file from doing anything useful.

RedirectMatch ^.*\pvdmail\.cgi > /dev/null

Remember to restart Apache after adding the line.

You may also want to add others, to cater for any variants that he chooses to use. e.g.

RedirectMatch ^.*\pvdmail\.pl > /dev/null
RedirectMatch ^.*\Pvdmail\.* > /dev/null
RedirectMatch ^.*\PVDMAIL\.* > /dev/null
etc....

[noimad1]

Originally posted by Damian
Adding the following to the top of your httpd.conf file should stop the file from doing anything useful.

RedirectMatch ^.*\pvdmail\.cgi > /dev/null

Remember to restart Apache after adding the line.

You may also want to add others, to cater for any variants that he chooses to use. e.g.

RedirectMatch ^.*\pvdmail\.pl > /dev/null
RedirectMatch ^.*\Pvdmail\.* > /dev/null
RedirectMatch ^.*\PVDMAIL\.* > /dev/null
etc....

Thanks, I will give that a try...BTW, cool name.

Regards,
Damion