Welcome to Geeklog, Anonymous Wednesday, April 24 2024 @ 02:58 am EDT
Geeklog Forums
spam URL in http request?
Status: offline
dmchaplin
Forum User
Newbie
Registered: 03/04/05
Posts: 2
I've been seeing some strange bots hit my sites and I don't know which direction to turn to stop it.
I'm have spam URL show up in my GUS. It's like the bot has is swapping out a story ID with a URL address. Here's a few items from the GUS log:
.../geeklog/index.php?topic=http%3A%2F%2Fwww.psikolojikyardim.org%2Fetkinlik%2Finclude%2Feto%2Fnixaz%2F&menu=ch25_
.../geeklog/index.php?topic=ch25_&menu=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fonoda%2Fiyegimi%2F
.../geeklog/staticpages/index.php?page=http%3A%2F%2Fwww.ursib-kibsu.be%2Fnts_inc%2Fduzigun%2Fuba%2F
.../geeklog/profiles.php?sid=http%3A%2F%2Fwww.nedkellypub.it%2Fconcerti%2Fdati%2Folukev%2Forawo%2F&what=emailstory
I installed bad behavior 2 thinking it may solve it, but it has not. I don't even know what type of spam to call this? referrer? Comment?
I'm the only one with access to GUS.
I thought about hacking Bad Behavior to look for URLs in the query string, but I'd like to find a better solution.
Has anyone else seen this and know how to stop it?
thanks,
Drew
cozy1200.com
I'm have spam URL show up in my GUS. It's like the bot has is swapping out a story ID with a URL address. Here's a few items from the GUS log:
Text Formatted Code
,,,/geeklog/links/portal.php?what=http%3A%2F%2Fwww.meexia.com%2Fblog%2Fwp-content%2Fthemes%2Fsquares%2Fnovofor%2Fhiviga%2F&item=AlexandreSoutoPort.../geeklog/index.php?topic=http%3A%2F%2Fwww.psikolojikyardim.org%2Fetkinlik%2Finclude%2Feto%2Fnixaz%2F&menu=ch25_
.../geeklog/index.php?topic=ch25_&menu=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fonoda%2Fiyegimi%2F
.../geeklog/staticpages/index.php?page=http%3A%2F%2Fwww.ursib-kibsu.be%2Fnts_inc%2Fduzigun%2Fuba%2F
.../geeklog/profiles.php?sid=http%3A%2F%2Fwww.nedkellypub.it%2Fconcerti%2Fdati%2Folukev%2Forawo%2F&what=emailstory
I installed bad behavior 2 thinking it may solve it, but it has not. I don't even know what type of spam to call this? referrer? Comment?
I'm the only one with access to GUS.
I thought about hacking Bad Behavior to look for URLs in the query string, but I'd like to find a better solution.
Has anyone else seen this and know how to stop it?
thanks,
Drew
cozy1200.com
11
8
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Those are just script kiddies looking for vulnerabilities - that aren't there.
We did have a problem with these attempts in the Spam-X plugin back in 1.4.0 - but only if you didn't follow the installation instructions. This has since been fixed (with 1.4.0sr4 and later).
However, the URLs you quoted never had that problem. They are just trying each and every URL they can find. Stupid kids ...
Bad Behavior will only stop some of those attempts, if the tools they're using somehow trigger some of BB's filters. You can either ignore those or block them in your .htaccess like so:
RewriteCond %{QUERY_STRING} ^.+http:
RewriteRule .* - [L,F]
bye, Dirk
We did have a problem with these attempts in the Spam-X plugin back in 1.4.0 - but only if you didn't follow the installation instructions. This has since been fixed (with 1.4.0sr4 and later).
However, the URLs you quoted never had that problem. They are just trying each and every URL they can find. Stupid kids ...
Bad Behavior will only stop some of those attempts, if the tools they're using somehow trigger some of BB's filters. You can either ignore those or block them in your .htaccess like so:
Text Formatted Code
RewriteEngine OnRewriteCond %{QUERY_STRING} ^.+http:
RewriteRule .* - [L,F]
bye, Dirk
12
13
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: mevans
Just an FYI, but this .htaccess rule will break the flash audio / video playback in Media Gallery. There are some valid requests where http will show up in the URL.
Shouldn't the URL be encoded then? Like it is when you do a search for "http://www.example.com"?
I realize the OP posted URLs that were already encoded (http%3A%2F%2F) but I assumed that was due to them being pulled from GUS. The above .htaccess rule will not block these encoded URLs.
bye, Dirk
7
9
Quote
Status: offline
dmchaplin
Forum User
Newbie
Registered: 03/04/05
Posts: 2
I realize the OP posted URLs that were already encoded (http%3A%2F%2F) but I assumed that was due to them being pulled from GUS. The above .htaccess rule will not block these encoded URLs.
Dirk, From what I can tell the are not encoded originally. I think the GUS is encoding it.
Good to know it want harm the system, but it's bloody annoying. It would be nice to block them entirely.
Unfortunately my site is running on IIS so the HTACCESS solution is out the window for me.
9
11
Quote
All times are EDT. The time is now 02:58 am.
- Normal Topic
- Sticky Topic
- Locked Topic
- New Post
- Sticky Topic W/ New Post
- Locked Topic W/ New Post
- View Anonymous Posts
- Able to post
- Filtered HTML Allowed
- Censored Content