RadioDJ - Free Radio Automation Software Forum

RadioDJ v1.7+ => v1.7+ - Support Forum => Topic started by: Capt_Fuzzy on August 31, 2015, 02:36:21 AM

Title: Requests got spammed...
Post by: Capt_Fuzzy on August 31, 2015, 02:36:21 AM
I recently discovered that I had over 1200 requests in my list, they all were from different IPs and the names were just gibberish, random numbers, letters, etc.
All the entries appear to request songs that aren't even in the database because they all say "This track doesn't exist anymore in the database!".

Is there a way to "bulk delete" these entries?
It will take me forever to delete all 1200+ if I can only do one at a time...

This is a total nuisance...  :(
Title: Re: Requests got spammed...
Post by: wrm on August 31, 2015, 07:18:36 AM
Steve,

if you have HeidiSQL installed it's a piece of cake to cobble up a query to do these deletions. If you get stuck let me know and I'll provide additional details on how to do that.

Regards

Bill
Title: Re: Requests got spammed...
Post by: wrm on August 31, 2015, 07:22:39 AM
Steve,

Here are two queries to run ................


select * from requests


This should give you the entire contents. From that list you can determine the starting point, and ending points and then execute something like:

delete from requests where ID > 50

(I chose the number 50 based upon my requests. Your value could be something different.)


Regards

Bill
Title: Re: Requests got spammed...
Post by: Capt_Fuzzy on August 31, 2015, 07:32:21 AM
I am still learning how to use HeidiSQL and don't really know how to do that...

I just deleted them manually, took about 2 hrs but I got em cleaned out...  :D  :cool:
Title: Re: Requests got spammed...
Post by: Chaos Radio! on August 31, 2015, 01:27:42 PM
So the same thing happened to my station not as bad or as many, but you (Capt Fuzzy) came up as the last request entry, and the song requested was the first song on the request page?

To the experienced RadioDJ users (jhonny, DJ Gary Marius) Is this anything we need to worry about would be my question?

All the requests except 2 went through; those two came up with a "song no longer exists" error. I saw no attempts to hack the database in the SQL logs.

Any help would be great.

Title: Re: Requests got spammed...
Post by: DJ Garybaldy on August 31, 2015, 01:59:27 PM
I think the only way around this would be to add a question captcha like we have at the bottom of the contact form on my blog http://djgarybaldy.co.uk/dmca/

I have no idea how hard or easy it is to program one of these into the Demo script/Wordpress request pages. My coding skills are basic to say the least.  :bash:

Only time I've ever heard of a problem with spammers hitting someone's request pages was when they had removed the "Name" requirement.
Title: Re: Requests got spammed...
Post by: Capt_Fuzzy on August 31, 2015, 02:00:42 PM
Hmm, they came up as being from me?

Now that is weird...  ???

I can assure you that it wasn't me, that IP isn't even close to mine.  :cool:
Title: Re: Requests got spammed...
Post by: Chaos Radio! on August 31, 2015, 03:15:48 PM
Quote
Hmm, they came up as being from me?

Now that is weird...  ???

I can assure you that it wasn't me, that IP isn't even close to mine.  :cool:

Don't think they came from you but it is strange that they used your name as it is on these forums. Where and how this is happening would be the question?

Have you checked your Heidi Database error log to see if it is getting hit by IPs trying to hack it? I only ask because this happened to me earlier in the year.
Title: Re: Requests got spammed...
Post by: DJ Garybaldy on August 31, 2015, 03:18:03 PM
I find it's sometimes best to change the SQL port and choose a stronger password if your instance of SQL is getting hacked.

I run my scripts on port 3307 rather than the standard 3306 port & it's rare we get any such attempts on our SQL server.

Title: Re: Requests got spammed...
Post by: Chaos Radio! on August 31, 2015, 03:25:37 PM
Quote
I find it's sometimes best to change the SQL port and choose a stronger password if your instance of SQL is getting hacked.

I run my scripts on port 3307 rather than the standard 3306 port & it's rare I get any such attempts on our SQL server.

I have had no IPs logged on my database error log since Andy Degroo helped me with setting the security stronger; that was over 6 months ago.

But that could be a great idea for the future. When you change the port, do you have to do it in a fresh setup?


I also always use the Gibson Research password creator since the hack happened, https://www.grc.com/passwords.htm
Title: Re: Requests got spammed...
Post by: DJ Garybaldy on August 31, 2015, 04:04:41 PM
It should be as simple as changing the SQL port in the .ini file inside the MariaDB/Mysql folder and restarting SQL.

I went about it the long way round - Backed up the DB>Uninstalled MariaDB>Then reinstalled changing the port on the setup screen.>Restored the database.
Title: Re: Requests got spammed...
Post by: Chaos Radio! on August 31, 2015, 04:09:06 PM
Quote
It should be as simple as changing the SQL port in the .ini file inside the MariaDB/Mysql folder and restarting SQL.

I went about it the long way round - Backed up the DB>Uninstalled MariaDB>Then reinstalled changing the port on the setup screen.>Restored the database.

Wow, thanks sounds simple I will give this a try. Never can have too much security! :ok:
Title: Re: Requests got spammed...
Post by: DJ Garybaldy on August 31, 2015, 05:17:54 PM
Quote
I also always use the Gibson Research password creator since the hack happened, https://www.grc.com/passwords.htm

Just had a look that's a neat enough idea. The passwords we use for our sites/servers etc are all well thought out and one password checking site reckons it would take a computer over 200 years to crack our current PW so I think we're safe (Touches wood)

I learned the hard way about secure passwords about 13 years ago when I bought my first PC. Ever since then I've made them as obscure as possible ...
Title: Re: Requests got spammed...
Post by: Brodephat on August 31, 2015, 10:26:13 PM
You may want to implement something like this: http://perishablepress.com/blackhole-bad-bots/

I've used it on several of my sites and it does help. It should be easy to add to the request page or any other page you want to protect.

I saw your request page a couple of days ago and knew right away the bots had got to you.

I'll be adding this and doing some other things to my request page as well.
Title: Re: Requests got spammed...
Post by: DJ Garybaldy on August 31, 2015, 10:33:51 PM
Quote
You may want to implement something like this: http://perishablepress.com/blackhole-bad-bots/

Nice find .... we will have a try at implementing this.
Title: Re: Requests got spammed...
Post by: Capt_Fuzzy on August 31, 2015, 11:17:35 PM
I decided to give this a shot, hopefully it doesn't ban anyone that it shouldn't...  :D
Title: Re: Requests got spammed...
Post by: Brodephat on September 01, 2015, 12:16:20 AM
It doesn't ban people but it does ban bad bots which is what hit your site.
Title: Re: Requests got spammed...
Post by: Capt_Fuzzy on September 01, 2015, 01:39:52 AM
The setup was very easy, one thing that they don't tell you in the setup is that YOU must make the robots.txt file, but it didn't take me long to figure that out.  :D
So far, I haven't seen any spam attempts, so we will see how this goes...
Title: Re: Requests got spammed...
Post by: AndyDeGroo on September 01, 2015, 02:10:57 AM
This has happened before. The main issue is that request.php from original demo scripts relies on HTTP headers to determine final IP address and those can be spoofed.

I just looked over the code in request.php and found that there is also a potential SQL injection. I'm not going to go into detail, because that could put many demo script users in danger.
Those hit by this spam should check if their database has not been altered. Best way to do that is by doing a backup and comparing the resulting .sql file with a recent backup using WinMerge.

I think it's about time to rewrite the demo scripts from scratch to make them more secure and compatible with latest PHP versions (mainly the deprecated mysql extension after PHP 5.3).
Title: Re: Requests got spammed...
Post by: Capt_Fuzzy on September 01, 2015, 03:13:49 AM
Good idea Andy...  :cool:
Title: Re: Requests got spammed...
Post by: Chaos Radio! on September 01, 2015, 04:12:22 AM
Thank you Andy, Brodephat and Gary for all the help. I get so few requests I think I am going to just stop allowing them, better safe than sorry.... ;D
Title: Re: Requests got spammed...
Post by: DJ Garybaldy on September 01, 2015, 01:19:29 PM
We've tested that blackhole script and it slowed our websites down..... Removed it and sites loading faster.  :bash:

Wasn't aware of any SQL injection scripts in the demo script.... Is that the same for the Wordpress plugin? I'm still on v0.5 although I don't have my request script visible.
Title: Re: Requests got spammed...
Post by: Capt_Fuzzy on September 01, 2015, 02:31:27 PM
Quote
We've tested that blackhole script and it slowed our websites down..... Removed it and sites loading faster.  :bash:

Wasn't aware of any SQL injection scripts in the demo script.... Is that the same for the Wordpress plugin? I'm still on v0.5 although I don't have my request script visible.

Hmm, that's interesting, I haven't noticed any "slowing" on my site, but that's not to say that it doesn't or can't happen... ;D
Title: Re: Requests got spammed...
Post by: DJ Garybaldy on September 01, 2015, 10:33:37 PM
It's literally amazing how many spammers, hackers, idiots really want to cause damage to someone's website etc.....

My blog appears to be getting hit by 1 IP trying to log into the admin area 20+ tries so far today .... Glad I don't have my request page up and running I'd be getting spammed with that.

I guess that's why secure passwords are vital in the world of Internet Radio.

Just checked mine with this site https://howsecureismypassword.net/ and it came up with an answer of 846 billion years! :huh: to crack my current password on my blog.

It's annoying when these hack attempts happen but having your own VPS has benefits at times. Full control over which IPs we ban.
Title: Re: Requests got spammed...
Post by: Capt_Fuzzy on September 01, 2015, 11:07:21 PM
Well, for what it's worth, blackhole seems to be working, I've had requests but no more spamming of the request list...  :cool:
Title: Re: Requests got spammed...
Post by: AndyDeGroo on September 02, 2015, 11:02:19 AM
Quote
We've tested that blackhole script and it slowed our websites down..... Removed it and sites loading faster.  :bash:

Wasn't aware of any SQL injection scripts in the demo script.... Is that the same for the Wordpress plugin? I'm still on v0.5 although I don't have my request script visible.

The original WordPress plugin suffers from the same flaw. $reqIP is used verbatim as returned from the getRealIpAddr() function, which looks at HTTP headers usually added by proxy servers. All variables should be escaped before being used in queries, even if they seem to come from a reliable source, and HTTP headers are not one of those.
In short:
Code:
$reqIP = getRealIpAddr();
$reqIP = mysql_escape_string($reqIP);

Fortunately, the injection point can't be used to alter the database and there is no error output in case of failure, which could allow scraping the whole database.

I suggest removing getRealIpAddr() and using the real remote address $_SERVER['REMOTE_ADDR'] unless the majority of site visitors are behind a proxy or the site is using a reverse proxy.

In that case, the function should be improved to validate input from headers.
Code:
<?php
/**
 * Determine and validate visitor's IP even behind proxy
 * @param bool $all Pass true to get comma separated list of addresses
 * @return string IP address or comma-separated list of addresses
 **/
function getRealIpAddr( $all = false ) {

	// Each header is kept only if it holds a single valid IP address outside
	// the reserved ranges; missing or invalid values are dropped by array_filter().
	$ips_arr = array_filter(array(
		filter_input(INPUT_SERVER, 'HTTP_CLIENT_IP', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
		filter_input(INPUT_SERVER, 'HTTP_X_FORWARDED_FOR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
		filter_input(INPUT_SERVER, 'HTTP_X_FORWARDED', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
		filter_input(INPUT_SERVER, 'HTTP_FORWARDED_FOR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
		filter_input(INPUT_SERVER, 'HTTP_FORWARDED', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
		filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE)
	));
	// First valid address by default, or all of them joined with commas
	return $all ? implode(',', $ips_arr) : reset($ips_arr);
}
?>


So, there you have it. A function to validate most common headers, get (first or all) valid IP address from HTTP headers or the REMOTE_ADDR as fallback.
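
An added example (not code from this thread or from the RadioDJ demo scripts) of the two points made in the post above: forwarded headers are honoured only when the connection really comes from your own reverse proxy, and the address reaches the database as a bound parameter. It assumes PHP 7.1+ with PDO; TRUSTED_PROXIES, clientIp(), saveRequest() and the requests_example table and its columns are hypothetical names.

```php
<?php
// Added example, not RadioDJ demo-script code. Assumes PHP 7.1+ with PDO.
// TRUSTED_PROXIES and the requests_example table/columns are hypothetical.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

/**
 * Return the visitor's address. Forwarded headers are honoured only when the
 * TCP peer (REMOTE_ADDR) is one of our own reverse proxies.
 */
function clientIp(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($peer === false) {
        return '0.0.0.0';                       // no usable peer address
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, $trusted, true)) {
        return $peer;                           // direct visitor: ignore headers
    }
    // The header reads "client, proxy1, proxy2". Walk it from the right and
    // take the first hop that is not one of our proxies.
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $ip = filter_var(trim($hop), FILTER_VALIDATE_IP);
        if ($ip === false) {
            return $peer;                       // malformed chain: use the peer
        }
        if (!in_array($ip, $trusted, true)) {
            return $ip;
        }
    }
    return $peer;
}

/** Store a request with bound parameters; no value is spliced into the SQL. */
function saveRequest(PDO $db, int $songId, string $name, string $ip): void
{
    $stmt = $db->prepare(
        'INSERT INTO requests_example (song_id, username, user_ip) VALUES (?, ?, ?)'
    );
    $stmt->execute([$songId, $name, $ip]);
}

// Constructed inputs: a direct visitor forging the header, then a proxied one.
$direct  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
$proxied = ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.9'];
var_dump(clientIp($direct), clientIp($proxied));
```

In both constructed cases the address the client typed into the header is ignored: the direct visitor is identified by the TCP peer, the proxied one by the hop the trusted proxy appended.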
Title: Re: Requests got spammed...
Post by: Brodephat on September 06, 2015, 09:28:52 PM
Another possible solution (I have seen it work but never tried it on this) is to add a hidden input field to the request page that asks for your name and message, then set the input checking so that if the hidden field is filled out, block it.

This in theory should work because a human can't see the field and thus will never fill it out leaving it blank, however a bot would fill it out because they generally fill in all the input fields.

I have used the blackhole script on several html and php sites and it works very well. In fact you may want to turn off the part that sends you emails when it blocks a bad bot. There will be plenty!
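
An added example (not from this thread or from RadioDJ) of the hidden-field check described in the post above, written as a server-side PHP 7+ sketch. It goes one step beyond the post by also signing the time the form was rendered, so submissions that arrive implausibly fast are dropped too; the field names, FORM_KEY and both function names are hypothetical.

```php
<?php
// Added example, not RadioDJ code. Assumes PHP 7+. The field names and
// FORM_KEY are hypothetical; use your own long random secret.
const FORM_KEY = 'replace-with-a-long-random-secret';

/** Extra form fields: a decoy text input hidden by CSS plus a signed render time. */
function honeypotFields(int $now): string
{
    $sig = hash_hmac('sha256', (string) $now, FORM_KEY);
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label>Leave this field empty'
         . '<input type="text" name="website" tabindex="-1" autocomplete="off">'
         . '</label></div>'
         . '<input type="hidden" name="form_ts" value="' . $now . '">'
         . '<input type="hidden" name="form_sig" value="' . $sig . '">';
}

/** True when the submission should be discarded as automated. */
function looksLikeBot(array $post, int $now, int $minAge = 3, int $maxAge = 3600): bool
{
    $decoy = $post['website'] ?? '';
    if (!is_string($decoy) || trim($decoy) !== '') {
        return true;                            // decoy was filled in
    }
    $ts  = $post['form_ts']  ?? '';
    $sig = $post['form_sig'] ?? '';
    if (!is_string($ts) || !is_string($sig) || !ctype_digit($ts)) {
        return true;                            // fields missing or tampered
    }
    if (!hash_equals(hash_hmac('sha256', $ts, FORM_KEY), $sig)) {
        return true;                            // render time was not issued by us
    }
    $age = $now - (int) $ts;
    return $age < $minAge || $age > $maxAge;    // too fast, or a stale form
}

// Constructed submissions: a person after 20 s, and a bot that fills every field.
$t0    = 1441574932;
$sig   = hash_hmac('sha256', (string) $t0, FORM_KEY);
$human = ['name' => 'Sam', 'website' => '', 'form_ts' => (string) $t0, 'form_sig' => $sig];
$bot   = ['website' => 'http://example.invalid', 'form_ts' => (string) $t0, 'form_sig' => $sig];
var_dump(looksLikeBot($human, $t0 + 20), looksLikeBot($bot, $t0 + 20));
```

The decoy is a normal text input moved off-screen rather than type="hidden", since many bots skip inputs that are explicitly hidden.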
Title: Re: Requests got spammed...
Post by: Casper-emmen on September 06, 2015, 10:19:18 PM
I've had this same issue some time ago.
What worked for me was the following:
I've created a user called "website" for the database, then configured the WordPress plugin so that it connects as user "website", and then I configured the database in Heidi so that user "website" has to come from the IP address of the webserver.
I got rid of the spam this way.