Requests got spammed...

[Capt_Fuzzy]

I decided to give this a shot, hopefully it doesn't ban anyone that it shouldn't... 

[Brodephat]

It doesn't ban people but it does ban bad bots which is what hit your site.

[Capt_Fuzzy]

The setup was very easy, one thing that they don't tell you in the setup is that YOU must make the robots.txt file, but it didn't take me long to figure that out. 
So far, I haven't seen any spam attempts, so we will see how this goes...

[AndyDeGroo]

This has happened before. The main issue is that request.php from original demo scripts relies on HTTP headers to determine final IP address and those can be spoofed.

I just looked over the code in request.php and found that there is also a potential SQL injection. I'm not going to go into detail, because that could put many demo script users in danger.
Those hit by this spam should check if their database has not been altered. Best way to do that is by doing a backup and comparing the resulting .sql file with a recent beackup using WinMerge.

I think it's about time to rewrite the demo scripts fro scratch to make them more secure and compatible with latest PHP versions (mainly the deprecated mysql extension after PHP 5.3).

[Capt_Fuzzy]

Good idea Andy... 

[Chaos Radio!]

Thank you Andy, Brodephat and Gary for all the help. I get so few requests I think I am going to just stop allowing them, better safe than sorry....

[DJ Garybaldy]

We've tested that blackhole script and it slowed our websites down..... Removed it and sites loading faster. 

Wasn't aware of any SQL injection scripts in the demo script.... Is that the same for the Wordpress plugin? I'm still on v0.5 although i don't have my request script visible.

[Capt_Fuzzy]

We've tested that blackhole script and it slowed our websites down..... Removed it and sites loading faster. 

Wasn't aware of any SQL injection scripts in the demo script.... Is that the same for the Wordpress plugin? I'm still on v0.5 although I don't have my request script visible.

Hmm, that's interesting, I haven't noticed any "slowing" on my site, but that's not to say that it doesn't or can't happen...

[DJ Garybaldy]

It's literally amazing how many spammers hackers idiots really want to cause damage to someone's website etc.....

My blog appears to be getting hit by 1 IP trying to log into the admin area 20+ tries so far today .... Glad i don't have my request page up and running I'd be getting spammed with that.

I guess that's why secure passwords are vital in the world of Internet Radio. 

Just checked mine with this site https://howsecureismypassword.net/ and it came up with an answer of 846 billion years! to crack my current password on my blog.

It's annoying when these hack attempts happen but having your own VPS has benefits at times. Full control over which IP's we ban.

[Capt_Fuzzy]

Well, for what it's worth, blackhole seems to be working, I've had requests but no more spamming of the request list... 

[AndyDeGroo]

We've tested that blackhole script and it slowed our websites down..... Removed it and sites loading faster. 

Wasn't aware of any SQL injection scripts in the demo script.... Is that the same for the Wordpress plugin? I'm still on v0.5 although i don't have my request script visible.

The original WordPress plugin suffers from same flaw. $reqIP is used verbatim as returned from getRealIpAddr() function, which looks HTTP headers usually added by proxy servers. All variables should be escaped before using in queries, even if they seem to come from reliable source and HTTP headers are not one of those.
In short:

Code: [Select]

$reqIP = getRealIpAddr();
$reqIP = mysql_escape_string($reqIP);

Fortunately, the injection point can't be used to alter database and there is no error output in case of failure, which could allow to scrape whole database.

I suggest removing getRealIpAddr() and use the real remote address $_SERVER['REMOTE_ADDR'] unless majority of site visitors are behind a proxy or the site is using a revere proxy.

In that case, the function should be improved to validate input from headers.

Code: [Select]

<?php
/**
 * Determine and validate visitor's IP even behind proxy
 * @param bool Pass true to get comma separated list of addresses
 * @return string IP address or comma-separated list of addresses
 **/
function getRealIpAddr( $all = false ) {

$ips_arr = array_filter(array(
filter_input(INPUT_SERVER, 'HTTP_CLIENT_IP', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
filter_input(INPUT_SERVER, 'HTTP_X_FORWARDED_FOR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
filter_input(INPUT_SERVER, 'HTTP_X_FORWARDED', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
filter_input(INPUT_SERVER, 'HTTP_FORWARDED_FOR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
filter_input(INPUT_SERVER, 'HTTP_FORWARDED', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE)
));
return $all ? implode(',', $ips_arr) : reset($ips_arr);
}
?>

So, there you have it. A function to validate most common headers, get (first or all) valid IP address from HTTP headers or the REMOTE_ADDR as fallback.

[Brodephat]

Another possible solution (I have seen it work but never tried it on this) is to add a hidden input field to the request page that asks for your name and message, then set the input checking so that if the hidden field is filled out, block it.

This in theory should work because a human can't see the field and thus will never fill it out leaving it blank, however a bot would fill it out because they generally fill in all the input fields.

I have used the blackhole script on several html and php sites and it works very well. In fact you may want to turn off the part that sends you emails when it blocks a bad bot. There will be plenty!

[Casper-emmen]

I've had this same issue some time ago.
What worked for me was the following:
I've created a user called "website" for the database, then configured the wordpress plugin so that it connects as user "website", and then I configured the database in Heidi so that user "website" has to come from the ip adress of the webserver.
I got rid of the spam this way.