
Webmaster General Forum

    
Inane Website Comments
I know it is hacking attempts, just not sure why
carfac
msg:4037249
8:51 pm on Dec 4, 2009 (gmt 0)

On my website, I allow users to add/submit additional information. Perhaps on my Blue Widget page, someone might want me to know that the six inch Blue Widgets were only made from 1996-1998, and then replaced by 6 1/2" models. Or, perhaps someone might want to submit a link to a Youtube video of Blue Widgets in action. Whatever.

It would seem to me that it is VERY OBVIOUS this is not a comment submission area, and that it is heavily moderated in that I take the submission, and if I deem it appropriate, I work it into my Blue Widget page in my words or ways, I NEVER quote a submission.

So why do I get submissions that make no sense? Some forms are fully filled out (name, e-mail, comment), some have a name only. For the comment, I get the "page title". Or sometimes the page URL (that would be MY PAGE Url, not a spammer url). And that is it- title and/or URL. WTH?

It happens so regularly, I know they are trying to do something. But what? I am mystified! I even added a captcha, they still keep coming in!

I also do have page comments (which are also moderated)- they NEVER try to add there... just my "Add Additional Info" or "Add Youtube link" pages....

 

Rosalind
msg:4037304
9:45 pm on Dec 4, 2009 (gmt 0)

Some of it is done automatically by scripts, whilst the captcha filling can be farmed out to 3rd-world sweatshop captcha inputters. What you're seeing isn't uncommon. The other possibility is that your captcha has been cracked, which is very likely if it's just one of those "copy these letters" deals.

There's no complete solution, because this is an arms race between spammers and regular webmasters. But you can get ahead by getting as far away as possible from using standard form elements. Try replacing your captcha with a trivia question about Blue Widgets, or putting in hidden form fields that should not be filled, and so on.

rocknbil
msg:4037458
2:42 am on Dec 5, 2009 (gmt 0)

So why do I get submissions that make no sense?

They are "tasting." Seeing what they can do with it. Their "bots" are testing the form fields, seeing which ones are required, seeing if they receive an email from it, seeing if they can inject directly into mail headers . . . which may also mean that what you are seeing is not the whole story. Because they keep at it, I tend to believe this might be the case.

One question: do you receive an email notification when these are submitted?

If you do, you **definitely** are not seeing the whole story. What if I can somehow submit the following into an email address field?

email@example.com\n bcc:spam1@example.com,spam2@example.com . . . (thousands here)

The \n is a newline. So if this works, I've just created my OWN BCC field in your mail headers, and sent thousands of emails using your server. And being a BCC, you'll never know it.

Another example is to inject a multipart header and multipart email in the "message body". Same thing: you only see the "main" part, which may have nothing at all in it. The real meat is in the multipart, and it's already been done and sent by the time you get that; they don't care what you receive. The confusion, I imagine, is just a "bonus."

Also know that they don't need to be "on your form" to do it. If I know the URI of the form, I can post to it from command line, from anywhere, which is what bots do.

If you have coded this up, or had someone do it for you, I suggest you start doing one thing, immediately. Add a bit to your script that logs the raw data input from these forms. Open a file somewhere, every time something is submitted, dump the raw input into it, put a time stamp and IP address on it. Review it often. You'll be surprised . . . but this is where you start. Next is figuring out why, and most likely it's related to poor input filtering of data, which is what has made you a target. This is extremely different from the data you will get from your server logs.

CAPTCHA is totally hackable, I've seen it happen. I've no clue how they do it, I just know they do. In-form tricks - a hidden field that is supposed to stay empty, changing form field names, the trivia question challenge, other front end fixes - these will give temporary or maybe even permanent relief, but they won't deter the truly determined.

For that there is really only one solution, and it's STILL not "hack-proof". Filter your data well enough to make it as much of a pain for them to abuse your site as they are a pain to you. If you can make them go off to greener pastures, it's all good.
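Worked example, added by the editor and not part of rocknbil's post: the newline-in-address trick described above run against a naive header builder, the check that stops it, and the raw-submission log line the post recommends. This is Python rather than whatever the original form handler was written in; the address allow-list regex, the field labels, the sample addresses and the client IP are assumptions, and the mailer itself is left out (the header string is what would be handed to it).

```python
import json
import re
from datetime import datetime, timezone
from email.parser import HeaderParser

# Deliberately narrow address allow-list (assumption: stricter than RFC 5322 on
# purpose). Anything containing whitespace or control characters fails to match.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# The payload from the post, as a constructed sample: a valid-looking address,
# a newline, then an attacker-supplied Bcc list.
INJECTED_EMAIL = "email@example.com\nbcc:spam1@example.com,spam2@example.com"


def build_headers_naive(from_addr: str, subject: str) -> str:
    """The pattern the post warns about: form values pasted straight into the
    header block that is handed to the mailer."""
    return f"From: {from_addr}\r\nSubject: {subject}\r\n"


def injected_headers(raw_headers: str) -> dict:
    """Parse a header block the way a mail agent would and return any To/Cc/Bcc
    lines it contains. The form handler never wrote those, so any hit is an
    injection."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    return {name: msg.get_all(name) for name in ("To", "Cc", "Bcc") if msg.get_all(name)}


def build_headers_safe(from_addr: str, subject: str) -> str:
    """Hardened form: refuse CR or LF in any header value (that is the whole
    injection primitive), then apply the address allow-list."""
    for name, value in (("From", from_addr), ("Subject", subject)):
        if "\r" in value or "\n" in value:
            raise ValueError(f"CR/LF in {name} field: header injection attempt")
    if not EMAIL_RE.fullmatch(from_addr):
        raise ValueError("From address failed the allow-list")
    return f"From: {from_addr}\r\nSubject: {subject}\r\n"


def raw_submission_record(fields: dict, remote_ip: str, when=None) -> str:
    """One line of the raw-input log the post recommends: timestamp, client IP
    and the untouched field values. json.dumps escapes CR/LF and other control
    characters, so an injected newline shows up as the two characters backslash-n
    instead of silently starting a new log line."""
    when = when or datetime.now(timezone.utc)
    return json.dumps({"ts": when.isoformat(), "ip": remote_ip, "fields": fields})


def handle_submission(fields: dict, remote_ip: str, log: list) -> tuple:
    """Log first, validate second, so rejected submissions are recorded too."""
    log.append(raw_submission_record(fields, remote_ip))
    try:
        headers = build_headers_safe(fields.get("email", ""), fields.get("subject", ""))
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("accepted", headers)


if __name__ == "__main__":
    log = []
    print(injected_headers(build_headers_naive(INJECTED_EMAIL, "Blue Widgets")))
    print(handle_submission({"email": INJECTED_EMAIL, "subject": "Blue Widgets"}, "203.0.113.7", log))
    print(handle_submission({"email": "reader@example.net", "subject": "Blue Widgets"}, "203.0.113.8", log))
    print(*log, sep="\n")
```

The CR/LF check, not the regex, is the part that matters: the same newline trick works on a Subject or Name field that ends up in a header, and on a body that is fed to a mailer which re-parses it, so every value that reaches the mail layer needs it. The log line is what tells you whether the "inane" submissions are probes or something worse.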

Status_203
msg:4038689
1:43 pm on Dec 7, 2009 (gmt 0)

"Because they keep at it, I tend to believe this might be the case."

I have some rather over-engineered forms on my websites. All submissions are recorded, failures record *all* details. I have persistent "tastings" that haven't even worked out which field is which (it changes ;) ) let alone having "broken the (custom) captcha". There are bots out there whose owners don't seem to mind if they keep banging their heads against the wall. I'm not seeing these attempts evolve closer to a solution at all.
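Worked example, added by the editor and not taken from any post in this thread: the in-form tricks Rosalind and rocknbil list (a hidden field that must stay empty, a trivia question instead of a CAPTCHA) together with the rotating field names Status_203 alludes to. Python; the secret, the trivia question and answer, the field labels and the HTML layout are all assumptions, and session handling (tying the token to a visitor, expiring it) is left out.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumption: a server-side secret that never reaches the browser. Generate it
# once (secrets.token_bytes(32)) and keep it in configuration, not in code.
FORM_SECRET = secrets.token_bytes(32)

# Labels the handler understands. "trap" is the honeypot: rendered out of sight,
# never filled by a person, filled by any bot that fills every input it finds.
LABELS = ("name", "email", "comment", "trap")

# Constructed trivia challenge; the answer is stored as a keyed hash so the
# template never carries it.
TRIVIA_QUESTION = "What colour are the widgets this page is about?"
TRIVIA_ANSWER_MAC = hmac.new(FORM_SECRET, b"blue", hashlib.sha256).digest()


def new_form_token() -> str:
    """Per-render token embedded in the form; every field name is derived from it."""
    return secrets.token_urlsafe(16)


def field_names(token: str) -> dict:
    """Map each label to an opaque name that changes with the token. A bot that
    memorised last week's names posts fields this handler has never heard of."""
    names = {}
    for label in LABELS:
        mac = hmac.new(FORM_SECRET, f"{token}:{label}".encode(), hashlib.sha256)
        names[label] = "f_" + mac.hexdigest()[:16]
    return names


def render_form(token: str) -> str:
    n = field_names(token)
    # The trap is moved off-screen rather than type="hidden": many bots skip
    # type="hidden" but happily fill any text input they find.
    return (
        '<form method="post">\n'
        f'<input type="hidden" name="token" value="{token}">\n'
        f'<input name="{n["name"]}" placeholder="Name">\n'
        f'<input name="{n["email"]}" placeholder="E-mail">\n'
        f'<textarea name="{n["comment"]}"></textarea>\n'
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<input name="{n["trap"]}" tabindex="-1" autocomplete="off"></div>\n'
        f'<label>{TRIVIA_QUESTION} <input name="trivia"></label>\n'
        '</form>'
    )


def _norm(answer: str) -> str:
    """Normalise a trivia answer so 'Blue ', 'BLUE' and 'blue' compare equal."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def check_submission(posted: dict) -> tuple:
    """Return ("ok", fields) for a plausible human, or ("reject", reason)."""
    token = posted.get("token", "")
    if not token:
        return ("reject", "missing token")
    n = field_names(token)
    if posted.get(n["trap"], ""):
        return ("reject", "honeypot filled")
    allowed = set(n.values()) | {"token", "trivia"}
    unknown = sorted(set(posted) - allowed)
    if unknown:
        return ("reject", f"unexpected fields: {unknown}")
    answer_mac = hmac.new(FORM_SECRET, _norm(posted.get("trivia", "")).encode(),
                          hashlib.sha256).digest()
    if not hmac.compare_digest(answer_mac, TRIVIA_ANSWER_MAC):
        return ("reject", "trivia answer wrong")
    fields = {label: posted.get(n[label], "") for label in LABELS if label != "trap"}
    return ("ok", fields)
```

The "unexpected fields" branch is what produces the symptom Status_203 describes: a bot that learned one rendering's field names keeps posting them against a token that no longer derives to those names, and every attempt lands in the reject log without getting any closer. None of this replaces the header-injection filtering rocknbil describes; it only thins out the traffic that reaches it.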

rocknbil
msg:4038905
6:27 pm on Dec 7, 2009 (gmt 0)

Agreed . . . sometimes they just fire them up and point them at a site and forget about them. I imagine there's the same level of amateur hackers as there are amateur web developers.

But it's good to keep your fingers on the pulse . . . knowing is better than just assuming everything is OK until there's a problem.

Leosghost
msg:4038962
7:56 pm on Dec 7, 2009 (gmt 0)

There are bots out there whose owners don't seem to mind if they keep banging their heads against the wall.

These are often nets: switched on, given a "central" to get a list from, and then told to run. They are "set and forget" until "success, then report to herder". The second wave of the net then runs phase 2, followed by phase 3 et al., until either you see the breach and close it, or they achieve their objective,

at which point they may move on.

Like rocknbil says, if you make it harder, they may be switched to something else, eventually, before they can cause you grief.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved