DoSed by spam-bots, jeeeze I am getting tired of this!

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
Scenario - The load goes nuts on one of our servers and (sometimes) crashes to the point that we have to do a hardware restart.

When the server re-starts I get in there and run this at shell:

tail -3000 /usr/local/apache/logs/access_log

Then I see miles and miles and miles of these kinds of entries, all made within a very short period of time:

193.49.9.5 - - [28/Jan/2007:14:10:05 -0600] "name=gay+boy&email=mitka%40byto.de&ereply=yes&subject=gay+sex&count=4&board=board1&action=postnow&message=%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fyoung-gay-teen-boy.html%3Eyoung+gay+teen+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-video.html%3Egay+boy+video%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-college-boy.html%3Egay+college+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fcute-gay-boy.html%3Ecute+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy.html%3Egay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-picture.html%3Egay+boy+picture%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Ffree-gay-boy.html%3Efree+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fyoung-gay-boy.html%3Eyoung+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fpreteen-gay-boy.html%3Epreteen+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fyoungest-gay-boy.html%3Eyoungest+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-gallery.html%3Egay+boy+gallery%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fboy-first-time-gay.html%3Eboy+first+time+gay%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-school-boy.html%3Egay+school+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-movie.html%3Egay+boy+movie%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fhot-gay-boy.html%3Ehot+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-man-and-boy.html%3Egay+man+and+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fvery-young-gay-boy.html%3Every+young+gay+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-pic.html%3Egay+boy+pic%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay-boy-kissing.html%3Egay+boy+kissing%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2Fgay
-little-boy.html%3Egay+little+boy%3C%2Fa%3E++%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fmitka.byto.de%2F%3Egay+boy%3C%2Fa%3E++%0D%0Agay+boy+free.+S+seeking+blond+latino+pictures+and+free+young+gay+boy+%0D%0Aanal+amp+loving+on+a+that+court.+Porn+hentai+pics+rape+gay+blond+gay%0D%0A+free+movies+girls+porn+adult+gay+boy+online+gay+boy+pictures+boy+uk%0D%0A+forceful+sri+gay+gay+and+tried+gay+gay+gay+boy+boy+women+horny+on%0D%0A+teen+boy+models+gay+boy+boys+male+escorts+boy+beautiful+with+boy+some+%0D%0Aboy+boy+gay+gay+japanese+funnyjunk+jan+boys+rockstar+boy+scouts%0D%0A+dictionary+boy+asian+gay+asian+video+asian+asian+trevvy+gay+boy+%0D%0Aview+boy+boy+search+gay+boy+gay+teen+boys+boy+boy+middot+boy+indian%0D%0A+flip+gay+gay+2006+s+boy+and+boy+difficult+gay+gay+incest+men+picture%0D%0A+boy+gay+boy+boy+%5B+%5D+69+gay+girl+87k+cached+gay+boy+boys+hot+boy+2oo7+%0D%0Asingle+boy+gay+boy+boy+summer+lesbian+gay+boy+hot+girl+gay+boy+xxx+boy%0D%0A+boy+trannies+fucking+gay+boy+file070116+cock+boy+web+hundreds+boy%0D%0A+pcmdopen+amp+fullpage+with+boy+boy+2621+cute+free+read+times+times+gay%0D%0A+gay+boy+this+boy+gay+jonboy007s+gay+boy+cached+picture+cached+boy+view%0D%0A+gay+gay+results+to+search+html+gay+mailing+more+gay+gay+laugh+gay+106k+%0D%0Ahardcore+rape+s+29k+cached+gay+boy+" 501 -


Sooooooo, how can we block this crap? Snort? Adding more mod_security rules? What?

Thanks very much for any ideas here.
 
Last edited:
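An added example, not from the thread, of pulling the pattern shown above out of an access_log: one IP sending many very long request strings within the same minute. The thresholds and the sample log lines are constructed, and the minute-bucketing plus length test are this example's own approach, not a cPanel or Apache feature.

```shell
#!/bin/sh
# Added example, not from the thread. Scans Apache access_log lines for the
# pattern described above: many form submissions with very long request
# strings from one IP within the same minute. Thresholds are assumptions
# to tune per server; the sample log lines below are constructed.

# usage: flag_spam_ips MIN_REQ_LEN MIN_HITS_PER_MINUTE < access_log
# prints "hits ip minute" for every (ip, minute) at or over both thresholds
flag_spam_ips() {
  awk -v minlen="$1" -v minhits="$2" '
    {
      # the request is the first double-quoted field of the log line
      split($0, part, "\"")
      req = part[2]
      # $4 looks like [28/Jan/2007:14:10:05 ; drop "[" and the seconds
      minute = substr($4, 2, 17)
      if (length(req) >= minlen) hits[$1 " " minute]++
    }
    END { for (k in hits) if (hits[k] >= minhits) print hits[k], k }
  ' | sort -nr
}

# Constructed sample: one legitimate GET and three spam posts (payloads cut
# down to a few encoded links; the real ones run to kilobytes).
SPAM='name=spam&email=x%40example.invalid&subject=spam&action=postnow&message='
SPAM="$SPAM%3Ca+href%3Dhttp%3A%2F%2Fexample.invalid%2Fa.html%3Ea%3C%2Fa%3E%0D%0A"
SPAM="$SPAM%3Ca+href%3Dhttp%3A%2F%2Fexample.invalid%2Fb.html%3Eb%3C%2Fa%3E%0D%0A"
SPAM="$SPAM%3Ca+href%3Dhttp%3A%2F%2Fexample.invalid%2Fc.html%3Ec%3C%2Fa%3E"
SAMPLE_LOG="192.0.2.10 - - [28/Jan/2007:14:10:04 -0600] \"GET /index.html HTTP/1.1\" 200 1234
198.51.100.7 - - [28/Jan/2007:14:10:05 -0600] \"$SPAM\" 501 -
198.51.100.7 - - [28/Jan/2007:14:10:05 -0600] \"$SPAM\" 501 -
198.51.100.7 - - [28/Jan/2007:14:10:09 -0600] \"$SPAM\" 501 -"

# On a live box: tail -3000 /usr/local/apache/logs/access_log | flag_spam_ips 500 20
printf '%s\n' "$SAMPLE_LOG" | flag_spam_ips 150 3
```

The IPs it prints are candidates to verify by eye before you block them; a legitimate user who pastes a long comment will not reach the per-minute count, which is why both thresholds are needed.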

Nhojohl

Well-Known Member
Nov 28, 2006
100
0
166
It looks like someone is running a script that doesn't sanitize inputs or something.... At least that's what I think it is.... I'd look for some scripts clients might be running that send out mail and take a deeper peek into em.
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
I think the spam-bot is dumping this crap into all fields of any fill out form that they can find. This is particularly hard on the system when these forms come from MySQL driven apps such as WordPress blogs and what have you.

All of our servers get hit with this from time to time.

Nobody has a solution for this?
 

SageBrian

Well-Known Member
Jun 1, 2002
413
2
318
NY/CT (US)
cPanel Access Level
Root Administrator
I think the spam-bot is dumping this crap into all fields of any fill out form that they can find. This is particularly hard on the system when these forms come from MySQL driven apps such as WordPress blogs and what have you.

All of our servers get hit with this from time to time.

Nobody has a solution for this?
Doesn't Wordpress and other apps have updates that restrict the amount of times the form can be accessed by a specific IP in a specific time?
 

wardv

Member
Aug 10, 2005
15
0
151
If all requests are made from 1 IP address, it is easy to add some firewall rules to limit the connection per IP address. The load will still be high, but your apache server should be able to handle it.
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
Doesn't Wordpress and other apps have updates that restrict the amount of times the form can be accessed by a specific IP in a specific time?
Not sure, but if the spam-bot is hitting all the forms on the server at more-or-less the same time, then this would not prevent the server load from skyrocketing.
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
If all requests are made from 1 IP address, it is easy to add some firewall rules to limit the connection per IP address. The load will still be high, but your apache server should be able to handle it.
I agree, but these attacks come from what seems like an endless series of IP addresses. So firewall blocks have very minimal effects if any at all.

From what I understand, the Apache server would have a far better chance of handling long input strings like this if we could only get up to 2.0, but from what I understand so far, with cPanel we are more-or-less stuck in the basement with 1.3.x. Right?
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
Anybody have any experience blocking this sort of thing with Snort?
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,217
4
193
Minneapolis, MN
Anybody have any experience blocking this sort of thing with Snort?
Run this command to list IPs with most connections at the prompt:
/bin/netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | more
If you are under Syn attack, and unless you have a good hardware firewall, there is nothing you can do. The software firewalls out there are useless.

One of our clients was under heavy Syn attack for two consecutive days. Our Cisco Guard Firewall significantly minimized the attacks and kept the server online up and running.
 

rpmws

Well-Known Member
Aug 14, 2001
1,787
10
318
back woods of NC, USA
I feel what you are going through. :( it sux!!! These bots will pick on guestbooks, formmail forms, forums... anything with a form on it. There is some sort of automated script already designed to post to it OR there is some live human at the other end configuring one of these bots to exploit your sites. It's a constant process of us against them.

I have seen a couple of my lower-RAM boxes crash when they start getting heavy. Those same servers upgraded with more RAM seem to handle it better. However it still drives up the loads and the outcome is never good for your customer either. It's a complete waste of our resources. Just like email spam. The bottom line is the scripts need to be more secure and better written to filter this. Guestbooks with "human" image verifications will work. In fact if they had the human image verification on forums, guestbooks, formmail and all the most popular open source apps we wouldn't have this problem so bad. I went to the trouble to help my customers install some image verification on their guestbooks and it fixed this problem for us.

I have seen it possible to block some of these using your firewall. You will eventually get hit by more IPs doing the same thing. It is also possible to block them with mod_security I suppose. The problem is the spammers will always find a way. So for us it's been a matter of fixing all the scripts or implementing the image verification. It takes forever and is different for each user based on what apps they run. But in the long run it makes the spammers go away and makes your customer's guestbook look a whole lot cleaner.

A good article that explains a simplified way of using this is here:
http://www.phpjabbers.com/captcha-image-verification-php19.html
 

Kelmas

Well-Known Member
Nov 6, 2006
121
0
166
Lithuania
You should definitely have Captcha in forms that anonymous users can submit. And in forums don't let unregistered users post. When running vBulletin, make sure you change random image generation settings from time to time. That will keep many spam bots away. Not all, but quite many.
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
I feel what you are going through. :( it sux!!! These bots will pick on guestbooks, formmail forms, forums ..anything with a form on it these is some sort of automated script already designed to post....

Thanks for your post.

Hmmm, yup. Sounds like you are struggling with the exact same issue. Thanks for your post.

I have found that mod_security works to some extent. That is, if you notice the same word or phrase being input over and over, I have found that just popping in a new rule like this:

SecFilter "gay-boy"

or this:

SecFilter "naked.html"

etc.

seems to take care of things for a while. At least then, if there is attempted input with "gay-boy" etc. they will get a forbidden error, and the Apache system will not get loaded down.

But like any other kind of keyword defense against spam, the security rules of bad keywords just keep growing longer and longer and longer, taking tons of time just to fight this crap every day.

So I am wondering about SNORT? Or perhaps a way of limiting input to ANY http field to something like 36 characters, or something like that.
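An added example, not from the thread, of what the two approaches in this post look like side by side in a mod_security 1.x config (the Apache 1.3 era this thread is about): the keyword rules as written above, and a length cap on submitted field values in place of an ever-growing keyword list. The directive and variable names are assumed from the 1.x syntax (ARGS_VALUES needs 1.9 or later); the cap of 2048 and the link-count rule are constructed values to tune per server, since a 36-character cap would also reject every legitimate message field.

```apache
# Added example, not from the thread. mod_security 1.x directives as used with
# Apache 1.3 of that era; check the exact syntax against the reference for the
# version you run. The numbers are assumptions to tune per server.
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
# Deny and log by default, returning the same 403 the keyword rules give
SecFilterDefaultAction "deny,log,status:403"

# The keyword approach from the post above: one rule per spam phrase
SecFilter "gay-boy"
SecFilter "naked\.html"

# The length approach: reject any single form field value of 2048 or more
# characters (mod_security URL-decodes before matching, so %0D%0A is a real
# line break here, hence [\s\S] rather than "." which stops at newlines).
# ARGS_VALUES is a 1.9+ location; older 1.x only offers POST_PAYLOAD.
SecFilterSelective ARGS_VALUES "^[\s\S]{2048,}"

# A field packed with many links is a stronger signal than any one keyword:
# three or more "<a href=" in the decoded POST body
SecFilterSelective POST_PAYLOAD "(<a\s+href=[\s\S]*?){3}"

# Per-IP request rates are outside what mod_security 1.x can see; pair these
# rules with the per-IP connection limits discussed earlier in the thread.
```

The length and link-count rules apply to every vhost the config covers, which is the point for a shared box: they do not depend on knowing where each customer's guestbook or form lives.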
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
You should definitely have Captcha in forms that anonymous users can submit. And in forums don't let unregistered users to post. When running vBulletin, make sure you change random image generation settings from time to time. That will make many spam bots away. Not all, but quite many.
Yes but this only works if you know where the forms are, and if all of your hosted customers are willing to go to the effort of installing this. We find that many will just put up a guestbook, leave it open for anonymous posts, and just forget about it.
 

gupi

Well-Known Member
Apr 27, 2004
125
0
166
well, a pretty good (and simple to install) image verification script can be found at _http//www.white-hat-web-design.co.uk/articles/php-captcha.php
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
well, a pretty good (and simple to install) image verification script can be found at _http//www.white-hat-web-design.co.uk/articles/php-captcha.php
Thanks, but again, if you have 400 accounts on the server with maybe 550 web sites overall, and if you manage several similar servers, it is untenable to fish out all the online forms and then go around installing this for everyone.

So, I need a magic bullet here.

Snort?
 

gupi

Well-Known Member
Apr 27, 2004
125
0
166
Thanks, but again, if you have 400 accounts on the server with maybe 550 web sites overall, and if you manage several similar servers, it is untenable to fish out all the online forms and then go around installing this for everyone.

So, I need a magic bullet here.

Snort?
You can co-operate with your clients.
Show them the tutorial and give them a week to implement the script.

But IMHO, you *** shouldn't *** get to such a big number of 'unprotected' sites.
Be proactive and you'll have less work to do.
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
Okay, better yet:

Is there a way to make it so if someone tries to post spam, a lightning bolt will leap out of the spammer's CPU and fry them into a pile of smoldering muck?

I would pay big bucks for a script that would do this right now. It would mean that I could actually start to get my life back.
 

gupi

Well-Known Member
Apr 27, 2004
125
0
166
Okay, better yet:

Is there a way to make it so if someone tries to post spam, a lightning bolt will leap out of the spammer's CPU and fry them into a pile of smoldering muck?

I would pay big bucks for a script that would do this right now. It would mean that I could actually start to get my life back.
How do you tell spam from a legit message?

Possible solutions for your issue:
- outsource the captcha implementing script
- increase the mod_sec rules
- voodoo (not sure, never tried)