Author Topic: Requests got spammed...  (Read 7710 times)

Capt_Fuzzy

  • Hero Member

  • Personal Text
    "Quiet numbskulls, I'm broadcasting!" ~ Moe Howard
    • WVRR - Ridgerunners Radio
Re: Requests got spammed...
« Reply #15 on: August 31, 2015, 11:17:35 PM »
I decided to give this a shot, hopefully it doesn't ban anyone that it shouldn't...  :D
Steve 'Capt Fuzzy' Wade
Proud & Satisfied "Long-term" RadioDJ User
(Currently making the transition to v2)

WVRR - Ridgerunners Radio
The best mix of your favorites!

Brodephat

  • Sr. Member

  • Personal Text
    Pushing content to the world via an ethernet cable
    • Free RadioDJ Video Tutorials
Re: Requests got spammed...
« Reply #16 on: September 01, 2015, 12:16:20 AM »
It doesn't ban people but it does ban bad bots which is what hit your site.
"Think Outside The Box And Make Something Truly Wonderful Happen"

Youtube Channel: https://bit.ly/3fGBsKJ

My RadioDJ Stations:
NiaRadioNetwork.com
RealPeopleTalkRadio.com
TheTriadComeUp.com

Radio Imaging & Tools:
CarterScripts.com

Free RDJ Videos:
HowToUseRadioDJ.com

Capt_Fuzzy
Re: Requests got spammed...
« Reply #17 on: September 01, 2015, 01:39:52 AM »
The setup was very easy, one thing that they don't tell you in the setup is that YOU must make the robots.txt file, but it didn't take me long to figure that out.  :D
So far, I haven't seen any spam attempts, so we will see how this goes...

AndyDeGroo

  • Guest
Re: Requests got spammed...
« Reply #18 on: September 01, 2015, 02:10:57 AM »
This has happened before. The main issue is that request.php from the original demo scripts relies on HTTP headers to determine the final IP address, and those can be spoofed.

I just looked over the code in request.php and found that there is also a potential SQL injection. I'm not going to go into detail, because that could put many demo script users in danger.
Those hit by this spam should check that their database has not been altered. The best way to do that is by making a backup and comparing the resulting .sql file with a recent backup using WinMerge.

I think it's about time to rewrite the demo scripts from scratch to make them more secure and compatible with the latest PHP versions (mainly the deprecated mysql extension after PHP 5.3).

Capt_Fuzzy
Re: Requests got spammed...
« Reply #19 on: September 01, 2015, 03:13:49 AM »
Good idea Andy...  :cool:

Chaos Radio!

  • Full Member

Re: Requests got spammed...
« Reply #20 on: September 01, 2015, 04:12:22 AM »
Thank you Andy, Brodephat and Gary for all the help. I get so few requests I think I am going to just stop allowing them, better safe than sorry.... ;D
Chaos Radio! - True Punk Radio for True Punk Rockers!
Over 100,000 songs in the music vault from all over the globe! Proud RadioDJ user since 2014.

https://chaosradio.info

DJ Garybaldy

  • Global Moderator
  • Hero Member

  • Personal Text
    Don't Shoot! I'm only the Moderator
    • DJ Garybaldy Blog
Re: Requests got spammed...
« Reply #21 on: September 01, 2015, 01:19:29 PM »
We've tested that blackhole script and it slowed our websites down..... Removed it and sites loading faster.  :bash:

Wasn't aware of any SQL injection scripts in the demo script.... Is that the same for the WordPress plugin? I'm still on v0.5, although I don't have my request script visible.
Proud USER of RadioDJ since 2010

RadioDJ is my most FAVOURITE piece of software EVER

https://djgarybaldy.blogspot.com

Install RadioDJ: https://djgarybaldy.blogspot.com/2020/08/how-to-install-radiodj-free-radio.html

https://www.paypal.com/paypalme/djgarybaldy

Capt_Fuzzy
Re: Requests got spammed...
« Reply #22 on: September 01, 2015, 02:31:27 PM »
Quote from: DJ Garybaldy on September 01, 2015, 01:19:29 PM
We've tested that blackhole script and it slowed our websites down..... Removed it and sites loading faster.  :bash:

Wasn't aware of any SQL injection scripts in the demo script.... Is that the same for the WordPress plugin? I'm still on v0.5, although I don't have my request script visible.
Hmm, that's interesting, I haven't noticed any "slowing" on my site, but that's not to say that it doesn't or can't happen... ;D

DJ Garybaldy
Re: Requests got spammed...
« Reply #23 on: September 01, 2015, 10:33:37 PM »
It's literally amazing how many spammers, hackers and idiots really want to cause damage to someone's website etc.....

My blog appears to be getting hit by 1 IP trying to log into the admin area, 20+ tries so far today .... Glad I don't have my request page up and running, I'd be getting spammed with that.

I guess that's why secure passwords are vital in the world of Internet Radio.

Just checked mine with this site https://howsecureismypassword.net/ and it came up with an answer of 846 billion years! :huh: to crack my current password on my blog.

It's annoying when these hack attempts happen, but having your own VPS has benefits at times. Full control over which IPs we ban.

Capt_Fuzzy
Re: Requests got spammed...
« Reply #24 on: September 01, 2015, 11:07:21 PM »
Well, for what it's worth, blackhole seems to be working, I've had requests but no more spamming of the request list...  :cool:

AndyDeGroo

  • Guest
Re: Requests got spammed...
« Reply #25 on: September 02, 2015, 11:02:19 AM »
Quote from: DJ Garybaldy on September 01, 2015, 01:19:29 PM
We've tested that blackhole script and it slowed our websites down..... Removed it and sites loading faster.  :bash:

Wasn't aware of any SQL injection scripts in the demo script.... Is that the same for the WordPress plugin? I'm still on v0.5, although I don't have my request script visible.
The original WordPress plugin suffers from the same flaw. $reqIP is used verbatim as returned from the getRealIpAddr() function, which looks at HTTP headers usually added by proxy servers. All variables should be escaped before being used in queries, even if they seem to come from a reliable source, and HTTP headers are not one of those.
In short:
Code:
$reqIP = getRealIpAddr();
$reqIP = mysql_escape_string($reqIP);

Fortunately, the injection point can't be used to alter the database, and there is no error output in case of failure, which could otherwise allow scraping the whole database.

I suggest removing getRealIpAddr() and using the real remote address $_SERVER['REMOTE_ADDR'], unless the majority of site visitors are behind a proxy or the site is using a reverse proxy.

In that case, the function should be improved to validate input from headers.
Code:
<?php
/**
 * Determine and validate visitor's IP even behind proxy
 * @param bool $all Pass true to get comma separated list of addresses
 * @return string IP address or comma-separated list of addresses
 **/
function getRealIpAddr( $all = false ) {

    // Every candidate header is validated as an IP address with reserved ranges
    // rejected; filter_input() yields null/false for missing or invalid values
    // and array_filter() drops those, so only well-formed addresses remain.
    $ips_arr = array_filter(array(
        filter_input(INPUT_SERVER, 'HTTP_CLIENT_IP', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
        filter_input(INPUT_SERVER, 'HTTP_X_FORWARDED_FOR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
        filter_input(INPUT_SERVER, 'HTTP_X_FORWARDED', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
        filter_input(INPUT_SERVER, 'HTTP_FORWARDED_FOR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
        filter_input(INPUT_SERVER, 'HTTP_FORWARDED', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE),
        filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE)
    ));
    // First valid address wins, or all of them joined with commas when $all is true.
    return $all ? implode(',', $ips_arr) : reset($ips_arr);
}
?>

So, there you have it. A function to validate the most common headers and get the (first or all) valid IP address from HTTP headers, or REMOTE_ADDR as a fallback.
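An added example (not from the thread or the RadioDJ demo scripts) that applies the two points above and goes one step further: the forwarding header is honoured only when the request actually arrived from a proxy the site operator lists, and the address then reaches the query as a bound parameter instead of escaped text. The trusted-proxy list, the `requests` table layout, the `resolveClientIp`/`storeRequest` names and the database credentials are assumptions.

```php
<?php
// Added example, not the demo script's own code. Assumed: a `requests` table with
// columns (song_id, ip, message), DB user `website` with a placeholder password,
// and $TRUSTED_PROXIES holding the site's own reverse proxy (constructed address).
$TRUSTED_PROXIES = array('203.0.113.10');

/** Validated client address. X-Forwarded-For is consulted only when the TCP peer
 *  (REMOTE_ADDR) is one of our proxies; a direct client can put anything in that
 *  header, so for a direct connection REMOTE_ADDR is the only trustworthy source. */
function resolveClientIp(array $server, array $trustedProxies) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $remote = filter_var($remote, FILTER_VALIDATE_IP);
    if ($remote === false) {
        return null;
    }
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Header form is "client, proxy1, proxy2": walk from the right past our own
    // proxies; the first address we did not append ourselves is the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = filter_var($hops[$i], FILTER_VALIDATE_IP);
        if ($hop === false) {
            return $remote;      // malformed entry: distrust the whole header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

/** Store the request with bound parameters; $reqIP never becomes part of the SQL text. */
function storeRequest(mysqli $db, $songId, $reqIP, $message) {
    $stmt = $db->prepare('INSERT INTO requests (song_id, ip, message) VALUES (?, ?, ?)');
    $stmt->bind_param('iss', $songId, $reqIP, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$reqIP = resolveClientIp($_SERVER, $TRUSTED_PROXIES);
if ($reqIP === null) {
    http_response_code(400);
    exit;
}
$songId  = isset($_POST['song_id']) ? (int) $_POST['song_id'] : 0;
$message = isset($_POST['message']) ? substr((string) $_POST['message'], 0, 255) : '';
$db = new mysqli('localhost', 'website', 'PLACEHOLDER_PASSWORD', 'radiodj');
storeRequest($db, $songId, $reqIP, $message);
```

If no reverse proxy sits in front of the site, leave `$TRUSTED_PROXIES` empty and the function reduces to returning the validated `REMOTE_ADDR`, which is the simpler option suggested above.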

Brodephat
Re: Requests got spammed...
« Reply #26 on: September 06, 2015, 09:28:52 PM »
Another possible solution (I have seen it work but never tried it on this) is to add a hidden input field to the request page that asks for your name and message, then set the input checking so that if the hidden field is filled out, the request is blocked.

This in theory should work because a human can't see the field and thus will never fill it out, leaving it blank; however, a bot would fill it out because bots generally fill in all the input fields.

I have used the blackhole script on several html and php sites and it works very well. In fact you may want to turn off the part that sends you emails when it blocks a bad bot. There will be plenty!

Casper-emmen

  • New User

Re: Requests got spammed...
« Reply #27 on: September 06, 2015, 10:19:18 PM »
I've had this same issue some time ago.
What worked for me was the following:
I've created a user called "website" for the database, then configured the WordPress plugin so that it connects as user "website", and then I configured the database in Heidi so that user "website" has to come from the IP address of the webserver.
I got rid of the spam this way.