The Community Forums


DoSed by spam-bots, jeeeze I am getting tired of this!

Discussion in 'General Discussion' started by jols, Jan 28, 2007.

  1. jols

    jols Well-Known Member

    Scenario - The load goes nuts on one of our servers and (sometimes) crashes to the point that we have to do a hardware restart.

    When the server re-starts I get in there and run this at shell:

    tail -3000 /usr/local/apache/logs/access_log

    Then I see miles and miles and miles of these kinds of entries, all made within a very short period of time:

    193.49.9.5 - - [28/Jan/2007:14:10:05 -0600] "name=gay+boy&email=mitka%40byto.de&ereply=yes&subject=gay+sex&count=4&board=board1&action=postnow&message=%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fyoung-gay-teen-boy.html%3Eyoung+gay+teen+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-video.html%3Egay+boy+video%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-college-boy.html%3Egay+college+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fcute-gay-boy.html%3Ecute+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy.html%3Egay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-picture.html%3Egay+boy+picture%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Ffree-gay-boy.html%3Efree+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fyoung-gay-boy.html%3Eyoung+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fpreteen-gay-boy.html%3Epreteen+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fyoungest-gay-boy.html%3Eyoungest+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-gallery.html%3Egay+boy+gallery%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fboy-first-time-gay.html%3Eboy+first+time+gay%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-school-boy.html%3Egay+school+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-movie.html%3Egay+boy+movie%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fhot-gay-boy.html%3Ehot+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-man-and-boy.html%3Egay+man+and+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fvery-young-gay-boy.html%3Every+young+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-pic.html%3Egay+boy+pic%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-kissing.html%3Egay+boy+kissing%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2
Fgay-little-boy.html%3Egay+little+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2F%3Egay+boy%3C%2Fa%3E++%0D%0Agay+boy+free.+S+seeking+blond+latino+pictures+and+free+young+gay+boy+%0D%0Aanal+amp+loving+on+a+that+court.+Porn+hentai+pics+rape+gay+blond+gay%0D%0A+free+movies+girls+porn+adult+gay+boy+online+gay+boy+pictures+boy+uk%0D%0A+forceful+sri+gay+gay+and+tried+gay+gay+gay+boy+boy+women+horny+on%0D%0A+teen+boy+models+gay+boy+boys+male+escorts+boy+beautiful+with+boy+some+%0D%0Aboy+boy+gay+gay+japanese+funnyjunk+jan+boys+rockstar+boy+scouts%0D%0A+dictionary+boy+asian+gay+asian+video+asian+asian+trevvy+gay+boy+%0D%0Aview+boy+boy+search+gay+boy+gay+teen+boys+boy+boy+middot+boy+indian%0D%0A+flip+gay+gay+2006+s+boy+and+boy+difficult+gay+gay+incest+men+picture%0D%0A+boy+gay+boy+boy+%5B+%5D+69+gay+girl+87k+cached+gay+boy+boys+hot+boy+2oo7+%0D%0Asingle+boy+gay+boy+boy+summer+lesbian+gay+boy+hot+girl+gay+boy+xxx+boy%0D%0A+boy+trannies+fucking+gay+boy+file070116+cock+boy+web+hundreds+boy%0D%0A+pcmdopen+amp+fullpage+with+boy+boy+2621+cute+free+read+times+times+gay%0D%0A+gay+boy+this+boy+gay+jonboy007s+gay+boy+cached+picture+cached+boy+view%0D%0A+gay+gay+results+to+search+html+gay+mailing+more+gay+gay+laugh+gay+106k+%0D%0Ahardcore+rape+s+29k+cached+gay+boy+" 501 -


    Sooooooo, how can we block this crap? Snort? Adding more mod_security rules? What?

    Thanks very much for any ideas here.
     
    #1 jols, Jan 28, 2007
    Last edited: Jan 28, 2007
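    As an added example (not code from the thread), a small Python checker in the spirit of the tail-the-access_log approach above: it parses lines in the shape of the one quoted, treats a 501 response, a request line with no HTTP method, an oversized request line, or the bot's own form fields as suspicious, and reports IPs that produce a burst of them. The sample lines, the window and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the access_log entry quoted above (hosts and
# values invented). The bot's form body arrives as the "request line", so Apache
# cannot parse a method and answers 501.
SAMPLE_LOG = """\
193.49.9.5 - - [28/Jan/2007:14:10:05 -0600] "name=gay+boy&action=postnow&message=%3Ca+href%3Dhttp%3A%2F%2Fspam.invalid%2Fa.html%3Ea%3C%2Fa%3E" 501 -
193.49.9.5 - - [28/Jan/2007:14:10:06 -0600] "name=gay+boy&action=postnow&message=%3Ca+href%3Dhttp%3A%2F%2Fspam.invalid%2Fb.html%3Eb%3C%2Fa%3E" 501 -
193.49.9.5 - - [28/Jan/2007:14:10:07 -0600] "name=gay+boy&action=postnow&message=%3Ca+href%3Dhttp%3A%2F%2Fspam.invalid%2Fc.html%3Ec%3C%2Fa%3E" 501 -
10.0.0.7 - - [28/Jan/2007:14:10:09 -0600] "GET /guestbook/index.php HTTP/1.1" 200 4312
"""

# Common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
METHODS = ("GET ", "POST ", "HEAD ")

def parse(line):
    """Return a dict for one access_log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, _ = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "req": req, "status": int(status)}

def is_form_flood_entry(entry, max_len=512):
    """True for the signs of the bot traffic above: 501 status, a request line
    without an HTTP method, an overlong request line, or the bot's form fields."""
    req = entry["req"]
    return (entry["status"] == 501 or not req.startswith(METHODS)
            or len(req) > max_len or "action=postnow" in req)

def find_flooders(log_text, window_seconds=60, threshold=3):
    """Return {ip: total suspicious entries} for IPs with at least `threshold`
    suspicious entries inside any sliding window of `window_seconds`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e and is_form_flood_entry(e):
            per_ip[e["ip"]].append(e["when"])
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders
```

    Piping the real log through this (for example `tail -3000 /usr/local/apache/logs/access_log`) gives the same per-IP burst view the netstat one-liner later in the thread gives for live connections, but with the request pattern attached.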
  2. Nhojohl

    Nhojohl Well-Known Member

    It looks like someone is running a script that doesn't sanitize inputs or something.... At least that's what I think it is.... I'd look for some scripts clients might be running that send out mail and take a deeper peek into them.
     
  3. jols

    jols Well-Known Member

    I think the spam-bot is dumping this crap into all fields of any fill-out form that they can find. This is particularly hard on the system when these forms come from MySQL-driven apps such as WordPress blogs and what have you.

    All of our servers get hit with this from time to time.

    Nobody has a solution for this?
     
  4. SageBrian

    SageBrian Well-Known Member

    Don't WordPress and other apps have updates that restrict the number of times the form can be accessed by a specific IP in a specific time?
     
  5. jayh38

    jayh38 Well-Known Member

    Are you using CSF?
     
  6. wardv

    wardv Member

    If all requests are made from 1 IP address, it is easy to add some firewall rules to limit the connections per IP address. The load will still be high, but your Apache server should be able to handle it.
     
  7. jols

    jols Well-Known Member

    Not sure, but if the spam-bot is hitting all the forms on the server at more-or-less the same time, then this would not prevent the server load from skyrocketing.
     
  8. jols

    jols Well-Known Member

    Yes indeed.
     
  9. jols

    jols Well-Known Member

    I agree, but these attacks come from what seems like an endless series of IP addresses. So firewall blocks have very minimal effects if any at all.

    From what I understand, the Apache server would have a far better chance of handling long input strings like this if we could only get up to 2.0, but from what I understand so far, with cPanel we are more-or-less stuck in the basement with 1.3.x. Right?
     
  10. jols

    jols Well-Known Member

    Anybody have any experience blocking this sort of thing with Snort?
     
  11. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Run this command to list IPs with most connections at the prompt:
    /bin/netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | more
    If you are under SYN attack, and unless you have a good hardware firewall, there is nothing you can do. The software firewalls out there are useless.

    One of our clients was under heavy SYN attack for two consecutive days. Our Cisco Guard firewall significantly minimized the attacks and kept the server online, up and running.
     
  12. rpmws

    rpmws Well-Known Member

    I feel what you are going through. :( It sux!!! These bots will pick on guestbooks, formmail forms, forums... anything with a form on it: there is some sort of automated script already designed to post to it, OR there is some live human at the other end configuring one of these bots to exploit your sites. It's a constant process of us against them.

    I have seen a couple of my lower-RAM boxes crash when they start getting hit heavily. Those same servers upgraded with more RAM seem to handle it better. However, it still drives up the loads and the outcome is never good for your customer either. It's a complete waste of our resources, just like email spam. The bottom line is the scripts need to be more secure and better written to filter this. Guestbooks with "human" image verifications will work. In fact, if they had the human image verification on forums, guestbooks, formmail and all the most popular open source apps we wouldn't have this problem so bad. I went to the trouble to help my customers install some image verification on their guestbooks and it fixed this problem for us.

    I have seen it possible to block some of these using your firewall. You will eventually get hit by more IPs doing the same thing. It is also possible to block them with mod_security, I suppose. The problem is the spammers will always find a way. So for us it's been a matter of fixing all the scripts or implementing the image verification. It takes forever and is different for each user based on what apps they run. But in the long run it makes the spammers go away and makes your customers' guestbooks look a whole lot cleaner.

    A good article that explains a simplified way of using this is here:
    http://www.phpjabbers.com/captcha-image-verification-php19.html
     
  13. Kelmas

    Kelmas Well-Known Member

    You should definitely have a Captcha in forms that anonymous users can submit. And in forums, don't let unregistered users post. When running vBulletin, make sure you change the random image generation settings from time to time. That will keep many spam bots away. Not all, but quite many.
     
  14. jols

    jols Well-Known Member


    Thanks for your post.

    Hmmm, yup. Sounds like you are struggling with the exact same issue. Thanks for your post.

    I have found that mod_security works to some extent. That is, if you notice the same word or phrase being input over and over, I have found that just popping in a new rule like this:

    SecFilter "gay-boy"

    or this:

    SecFilter "naked.html"

    etc.

    seems to take care of things for a while. At least then, if there is attempted input with "gay-boy" etc. they will get a forbidden error, and the Apache system will not get loaded down.

    But like any other kind of keyword defense against spam, the security rules of bad keywords just keep growing longer and longer and longer, taking tons of time just to fight this crap every day.

    So I am wondering about SNORT? Or perhaps a way of limiting input to ANY http field to something like 36 characters, or something like that.
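    As an added example (not code from the thread or any project named in it), the application-side check this post is asking for, written in Python: a form body in the shape of the quoted log entry is parsed, short fields get a tight length cap, and the free-text message gets a larger cap plus a limit on the number of links, since the spam above is almost entirely links. The caps, the sample bodies and the hostnames are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed bodies modelled on the form fields in the quoted log line
# (name, email, subject, action, message); hosts and values are invented.
SPAM_BODY = ("name=gay+boy&email=x%40example.invalid&subject=gay+sex&action=postnow&message="
             + "%3Ca+href%3Dhttp%3A%2F%2Fspam.invalid%2Fp.html%3Ep%3C%2Fa%3E%0D%0A" * 6)
LEGIT_BODY = "name=Ann&email=ann%40example.invalid&subject=Hello&action=postnow&message=Nice+site%21"

# One match per URL inside the decoded message text
LINK_RE = re.compile(r"https?://", re.I)

def check_submission(body, max_short_field=64, max_message=2000, max_links=2):
    """Return the reasons a form body should be rejected (empty list = accept).
    Short fields get a tight length cap; the free-text message gets a larger
    cap plus a link-count threshold. The caps are assumed values, not from
    the thread; a single field cap of 36 as suggested above would be the
    same check with max_short_field=max_message=36."""
    reasons = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        value = values[0]           # decoded: '+' -> space, %XX -> byte
        cap = max_message if name == "message" else max_short_field
        if len(value) > cap:
            reasons.append(f"{name}: {len(value)} chars exceeds {cap}")
        if name == "message":
            links = len(LINK_RE.findall(value))
            if links > max_links:
                reasons.append(f"message: {links} links exceeds {max_links}")
    return reasons
```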
     
  15. jols

    jols Well-Known Member

    Yes but this only works if you know where the forms are, and if all of your hosted customers are willing to go to the effort of installing this. We find that many will just put up a guestbook, leave it open for anonymous posts, and just forget about it.
     
  16. gupi

    gupi Well-Known Member

    well, a pretty good (and simple to install) image verification script can be found at _http//www.white-hat-web-design.co.uk/articles/php-captcha.php
     
  17. jols

    jols Well-Known Member

    Thanks, but again, if you have 400 accounts on the server with maybe 550 web sites overall, and if you manage several similar servers, it is untenable to fish out all the online forms and then go around installing this for everyone.

    So, I need a magic bullet here.

    Snort?
     
  18. gupi

    gupi Well-Known Member

    You can co-operate with your clients.
    Show them the tutorial and give them a week to implement the script.

    But IMHO, you *** shouldn't *** get to such a big number of 'unprotected' sites.
    Be proactive and you'll have less work.
     
  19. jols

    jols Well-Known Member

    Okay, better yet:

    Is there a way to make it so if someone tries to post spam, a lightning bolt will leap out of the spammer's CPU and fry them into a pile of smoldering muck?

    I would pay big bucks for a script that would do this right now. It would mean that I could actually start to get my life back.
     
  20. gupi

    gupi Well-Known Member

    How do you tell spam from a legit message?

    Possible solutions for your issue:
    - outsource the captcha implementing script
    - increase the mod_sec rules
    - voodoo (not sure, never tried)
     