gilman01
Posts: 12 Joined: 5/13/2004 Status: offline
Forms Exploit ??? - 7/13/2005 10:41:18
I'm pretty new to posting messages here - been lurking for ages - but I finally have a problem I am hoping someone else here might have seen. If this is the wrong forum for this I apologize and please feel free to move it. One of our clients has complained about getting multiple forms submissions via email. The forms contain the exact same information each time with the exception of the email address in the email field (and there are so many that it seems improbable that a human wouldn't make an error - and coupled with the 'testBot' reference in the logs I am thinking this is some automated process). The forms are being submitted a few seconds apart from each other. They come in batches with each batch coming from a different IP address. Here is a small sample of the log entries...

69.37.45.102 - - [10/Jul/2005:06:38:41 -0400] "GET /WN_Corp-JoinWNOY.htm HTTP/1.1" 200 31739 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:38:44 -0400] "GET /WN_Corp-JoinWNOY.htm HTTP/1.1" 200 31739 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:38:48 -0400] "GET /WN_Contact.htm HTTP/1.1" 200 27724 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:38:54 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 592 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:38:56 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 360 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:38:57 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 476 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:38:59 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 746 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:39:01 -0400] "GET /WN_Contact.htm HTTP/1.1" 200 27724 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:39:02 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 592 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:39:04 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 360 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:39:05 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 476 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:39:06 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 746 "-" "www.textron.com/testBot"

Now I renamed the page in hopes that would confuse this testBot but it still found the new page and continued to send more submissions. It's obvious this is some form of DoS - the content of the form submission contains the same junk with a different email address in each batch. I'm running the latest server extensions on a Linux box (Fedora w/cPanel/Apache). I have over 100 other FrontPage sites on this machine but this seems to be the only site having this problem. Has anyone else come across something like this? Does anyone have any recommendations short of removing the forms? Any help would be greatly appreciated. And a final note - while I've not posted in here this is a great resource and there are some really great people in this group.
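An added example, not part of the original post, showing how the burst visible in the log excerpt above can be picked out automatically: it parses Apache combined-log lines and reports any address that POSTs to the form handler repeatedly inside a short window. The thresholds, the handler-path prefix and the extra "ordinary visitor" line in the sample are assumptions.

```javascript
// Apache combined log: ip ident user [time] "method path proto" status bytes "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "10/Jul/2005:06:38:54 -0400" -> epoch seconds, with the zone offset applied.
function parseApacheTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return null;
  const asUtc = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (+m[8] * 60 + +m[9]) * 60 * (m[7] === '+' ? 1 : -1);
  return asUtc - offset;
}

function parseLine(line) {
  const m = LOG_RE.exec(line.trim()); // null for blank, truncated or non-combined lines
  return m && { ip: m[1], ts: parseApacheTime(m[2]), method: m[3], path: m[4], ua: m[5] };
}
// Flag every IP with at least minPosts POSTs to the form handler inside any
// windowSec-second span. Thresholds and the handler prefix are assumptions.
function findFormBursts(logText, { handlerPrefix = '/_vti_bin/shtml.exe/', minPosts = 3, windowSec = 60 } = {}) {
  const byIp = new Map();
  for (const line of logText.split('\n')) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || !e.path.startsWith(handlerPrefix)) continue;
    byIp.set(e.ip, [...(byIp.get(e.ip) || []), e]);
  }
  const hits = [];
  for (const [ip, posts] of byIp) {
    posts.sort((a, b) => a.ts - b.ts);
    let start = 0; // sliding window over the sorted POST timestamps
    for (let end = 0; end < posts.length; end++) {
      while (posts[end].ts - posts[start].ts > windowSec) start++;
      if (end - start + 1 >= minPosts) {
        hits.push({ ip, posts: posts.length, agents: [...new Set(posts.map(p => p.ua))] });
        break;
      }
    }
  }
  return hits;
}
// Constructed sample modelled on the thread's excerpt; 192.0.2.10 is a made-up ordinary visitor.
const SAMPLE_LOG = `
69.37.45.102 - - [10/Jul/2005:06:38:48 -0400] "GET /WN_Contact.htm HTTP/1.1" 200 27724 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:38:54 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 592 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:38:56 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 360 "-" "www.textron.com/testBot"
69.37.45.102 - - [10/Jul/2005:06:38:57 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 476 "-" "www.textron.com/testBot"
192.0.2.10 - - [10/Jul/2005:06:40:01 -0400] "POST /_vti_bin/shtml.exe/WN_Contact.htm HTTP/1.1" 200 592 "-" "Mozilla/5.0"
`;
console.log(findFormBursts(SAMPLE_LOG)); // [{ ip: '69.37.45.102', posts: 3, agents: ['www.textron.com/testBot'] }]
```

Feeding the whole access log through the same function also reveals the other batches, since every batch repeats this shape from a new address.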
BobbyDouglas
Posts: 5470 Joined: 5/15/2003 From: Arizona Status: offline
RE: Forms Exploit ??? - 7/13/2005 14:16:10
I haven't experienced this, but there is code on your page that tells bots you are using a FrontPage form, as well as sending using e-mail. I know of a few solutions for ya.
1. The bot is using the IP 69.37.45.102. Why not just ban that IP from your website?
2. If you cannot ban the IP, you can set up a PHP form and display different content for the IP 69.37.45.102. So when 69.37.45.102 comes to your page, it will see a different page, but when everyone else comes, they will see the right thing.
3. Use a script such as what Dan suggested. It might be a little complicated to initially get set up, but it will stop the bots from submitting your form. In order to do this, you will also need to switch over to PHP.
_____________________________
Arizona Web Design - Mr Bobs Web Design in Arizona The Arizona Web Hosting Challenge
caz
Posts: 3578 Joined: 10/10/2001 From: Somewhere south of Chester, UK Status: offline
RE: Forms Exploit ??? - 7/13/2005 15:57:20
Alternatively you could track down the abuser's ISP and report them. Using the DNSstuff extension in FF I got this, which may or may not be accurate but is certainly the net block in question:-

Location: United States [City: Waterbury, Connecticut]
Looking up 69.37.45.102 at whois.abuse.net. At DNSstuff.com :
69.37.45.102 PTR record: 69.37.45.102.adsl.snet.net

Leads to:- http://www.dnsstuff.com/tools/whois.ch?ip=!NET-69-37-44-0-1&server=whois.arin.net

CustName: PPPoX Pool - Rback7 MRDNCT
Address: 2701 W 15th ST PMB 236
City: Plano
StateProv: TX
PostalCode: 75075
Country: US
RegDate: 2003-09-23
Updated: 2003-09-23
NetRange: 69.37.44.0 - 69.37.45.255
CIDR: 69.37.44.0/23
NetName: SBC069037044000030923
NetHandle: NET-69-37-44-0-1
Parent: NET-69-37-0-0-1
NetType: Reassigned
Comment: For Policy Abuse issues, contact: *****@swbell.net
Comment: For Technical issues, contact: ***@swbell.net
RegDate: 2003-09-23
Updated: 2003-09-23
TechHandle: IPADM-ARIN
TechName: IPAdmin-SNET
TechPhone: +1-800-648-1626
TechEmail: ******@sbcis.sbc.com
OrgAbuseHandle: ABUSE5-ARIN
OrgAbuseName: abuse
OrgAbusePhone: +1-800-648-1626
OrgAbuseEmail: *****@sbcglobal.net
OrgNOCHandle: SUPPO-ARIN
OrgNOCName: Support - Southwestern Bell Internet Services
OrgNOCPhone: +1-800-648-1626
OrgNOCEmail: *******@swbell.net
OrgTechHandle: IPADM-ARIN
OrgTechName: IPAdmin-SNET
OrgTechPhone: +1-800-648-1626
OrgTechEmail: ******@sbcis.sbc.com
# ARIN WHOIS database, last updated 2005-07-12 19:10
_____________________________
Do not meddle in the affairs of cats, for they are subtle and will dance, or more on your keyboard. Cheshire cat. www.doracat.co.uk I remember when it took less than 4hrs to fly across the Atlantic.
gilman01
Posts: 12 Joined: 5/13/2004 Status: offline
RE: Forms Exploit ??? - 7/13/2005 16:30:46
Thanks for all the replies. As I mentioned the IP address changes with each batch of submissions so I am sure this isn't the home IP address of the individual responsible for this. They're coming from different countries so I am assuming this is some group of zombie systems. I am more concerned that no one else has had this problem. I've scanned the server (we had already implemented a firewall, BFD, etc.), looked at all the logs, etc. and it doesn't appear that the server itself is compromised. However it makes one wonder if this isn't a weakness of FrontPage extensions. I've always felt FrontPage forms were more secure than the various formmail programs out there but maybe I am now behind the curve. Does anyone care to offer suggestions for replacing FrontPage forms?
dpf
Posts: 7126 Joined: 11/12/2003 From: India-napolis Status: offline
RE: Forms Exploit ??? - 7/13/2005 17:16:21
quote:
However it makes one wonder if this isn't a weakness of FrontPage extensions. I've always felt FrontPage forms were more secure than the various formmail programs out there

It's not a weakness - just the nature of forms - they sit there for anyone in the world to fill out, right? Unless you have your form in a password protected area - it's by definition "wide open" and so security isn't an issue - anyone can fill out and submit - or write a script to do it multiple times quickly
_____________________________
Dan
BobbyDouglas
Posts: 5470 Joined: 5/15/2003 From: Arizona Status: offline
RE: Forms Exploit ??? - 7/13/2005 17:51:16
What made you think your FrontPage form was more secure than any other form? I think FP forms would be less secure because you can easily tell when it is a form by searching for the FrontPage code, also it lists your e-mail address inside the HTML code too. IMO FP forms are far less secure than any other type of form. One other way I just realized is having something like this: "Please enter the number 5 in this box:" Name the textbox check_value, and then only submit the form if check_value is equal to 5. You can do this in JavaScript, or PHP/ASP.
_____________________________
Arizona Web Design - Mr Bobs Web Design in Arizona The Arizona Web Hosting Challenge
gilman01
Posts: 12 Joined: 5/13/2004 Status: offline
RE: Forms Exploit ??? - 7/13/2005 18:02:22
Maybe that was a poor choice of words - and it wasn't an attempt to slam the product. Heck I have been using FP since FP 98 was first released and I think it is one of the best products Microsoft ever created, however there have been problems with FPSE in the past and I simply thought maybe this was one that I had not been aware of. If it was a matter of some kid filling in the form with junk over and over I could deal with that. But this is totally different in that they are coming from at least 50 different IP addresses thus far. That's not someone playing with a form by filling it out over and over but in my opinion someone running a script attempting to either cripple my server or attempting to exploit it. However after looking at this whole thing I agree that FP is doing what it is supposed to do - allowing a form to be completed and mailing the results as advertised.
AMysticWeb
Posts: 855 Joined: 10/23/2002 Status: offline
RE: Forms Exploit ??? - 7/13/2005 22:17:24
As Dan mentioned, you might try using a gif input. Although the following isn't a changeable gif, one of the experts here at OutFront offered the following solution. Won't guarantee it will foil the beast but it's worth a try.

Forms Gif Validation Courtesy Charles W Davis

    <!--
    // FrontPage calls this validator before Form1 is submitted; T1 is the
    // text box where the visitor types the letters shown in the gif.
    function FrontPage_Form1_Validator(theForm)
    {
      var chkVal = theForm.T1.value;
      // Reject the submission unless the typed value matches the gif's
      // letters exactly (an empty box is rejected as well).
      if (chkVal != "pkwayh")
      {
        alert("Please enter a value equal to \"pkwayh\" in the \"T1\" field.");
        theForm.T1.focus();
        return (false);
      }
      return (true);
    }
    //-->

Of course you could change to letters of your choice as long as they match.
_____________________________
Hope I have been of some help, Micheal [URL=http://web.archive.org/web/20060101013129/http://www.frontpageforms.com/]FrontPageForms.com-Archive Version[/URL] I am living Proof that Viral Procrastination exists!
gilman01
Posts: 12 Joined: 5/13/2004 Status: offline
RE: Forms Exploit ??? - 7/14/2005 11:18:51
Thanks for all the great suggestions. I actually did a variation on several of them for a solution that so far appears to have worked (of course it might just be a matter of they stopped trying). I added a "code" simple text field and enabled validation that required an exact match to the code (which is actually just a gif with characters). Of course all of this appears in the bot code so this might not work in which case I will then move on to the code offered by Micheal. So far we haven't had an incident like we have had for the past five days. Once again thanks to all for your suggestions and support.
BobbyDouglas
Posts: 5470 Joined: 5/15/2003 From: Arizona Status: offline
RE: Forms Exploit ??? - 7/14/2005 13:27:09
Jeff, It might be a good idea to post the link so others can see the exact code you used :) Maybe Micheal would be able to add this to the FrontPageForms site (it already is pretty huge with great form resources).
_____________________________
Arizona Web Design - Mr Bobs Web Design in Arizona The Arizona Web Hosting Challenge
AMysticWeb
Posts: 855 Joined: 10/23/2002 Status: offline
RE: Forms Exploit ??? - 7/16/2005 3:48:00
Hi BobbyD, Thanks for the pat on the back. Unfortunately, a while back I did something to that local web and it wouldn't open for months. It coincided with installing XP Service Pack 2 and I just got the web working so I can redo it. I have gotten rid of that devil via reformatting. But procrastination always gets the better of me. At least I'm good at that. Plus I have to plow through dozens of Notepads where I store all these finds I run across. Always nice to be involved in a good forum like this to find out new things. I am self taught, and it took me a long time just to reconcile Copy & Paste. I was convinced that if I didn't see it, then it couldn't possibly be there. Alas that code was the gem of Charles, so if he doesn't mind getting credit, then I would happily post the code.
< Message edited by AMysticWeb -- 7/16/2005 3:54:36 >
_____________________________
Hope I have been of some help, Micheal [URL=http://web.archive.org/web/20060101013129/http://www.frontpageforms.com/]FrontPageForms.com-Archive Version[/URL] I am living Proof that Viral Procrastination exists!
gilman01
Posts: 12 Joined: 5/13/2004 Status: offline
RE: Forms Exploit ??? - 7/16/2005 10:19:29
quote:
ORIGINAL: BobbyDouglas
It might be a good idea to post the link so others can see the exact code you used :)

Sorry for the delay but I wanted to verify that this actually worked. I am still working with this. It appears the critter returned yesterday but only played with the forms that did not contain the new field. Bobby - I didn't actually add code. I added a new field and forced validation to a specific string that included the ! symbol. The page I am referring to actually has four different forms. I modified the first form. It didn't get touched but the other three did. So today I'll modify the other three forms and see if that works. I'll report my findings here.
AMysticWeb
Posts: 855 Joined: 10/23/2002 Status: offline
RE: Forms Exploit ??? - 7/18/2005 4:02:36
Wouldn't mind seeing the page when you're done if you don't mind sharing the URL
_____________________________
Hope I have been of some help, Micheal [URL=http://web.archive.org/web/20060101013129/http://www.frontpageforms.com/]FrontPageForms.com-Archive Version[/URL] I am living Proof that Viral Procrastination exists!
gilman01
Posts: 12 Joined: 5/13/2004 Status: offline
RE: Forms Exploit ??? - 7/18/2005 10:41:16
quote:
ORIGINAL: AMysticWeb
Wouldn't mind seeing the page when you're done if you don't mind sharing the URL

Always willing to share - http://www.wnyork.com/WN_Contact-1.htm I may curse myself by saying this however, since I added this code to the form we haven't had the problem.
dpf
Posts: 7126 Joined: 11/12/2003 From: India-napolis Status: offline
RE: Forms Exploit ??? - 7/18/2005 11:02:31
I did a test - worked fine. However, I was able to enter text in the phone number and an incomplete email address. If you would like, I have some JS code I wrote to test for numeric phone data. You can test for email structure but it's trickier - needs regular expressions or some string functions.
_____________________________
Dan
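The "enter the number 5" check Bobby describes, the gif validator Micheal posted and the phone/email checks Dan mentions all run in the visitor's browser, and the log excerpt earlier in the thread shows the bot POSTing straight to the form handler without ever loading that script. An added example, not code from the thread or from FrontPage, of the same three checks applied by whatever receives the POST (here plain server-side JavaScript), plus a per-address rate limit; the field names, thresholds and the code string are assumptions.

```javascript
// Added example, not code from the thread; field names (code, phone, email) are assumptions.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[A-Za-z]{2,}$/;

// Server-side copy of the browser checks: the challenge box must equal the
// letters shown in the gif (expectedCode), the phone must be digits only once
// separators are removed, and the email must have a complete user@host.tld shape.
function validateSubmission(fields, expectedCode) {
  const errors = [];
  const code = String(fields.code || '').trim();
  if (code !== expectedCode) errors.push('code: does not match the challenge image');
  const phone = String(fields.phone || '').trim();
  if (!/^\d{7,15}$/.test(phone.replace(/[\s().+-]/g, ''))) errors.push('phone: must be numeric');
  const email = String(fields.email || '').trim();
  if (!EMAIL_RE.test(email)) errors.push('email: not a complete address');
  return { ok: errors.length === 0, errors };
}

// Per-IP sliding-window limit (in-memory state, an assumption): the bot in the
// thread posted every one or two seconds, which no person filling a form does.
const recentPosts = new Map();
function allowPost(ip, nowMs, maxPosts = 3, windowMs = 60000) {
  const times = (recentPosts.get(ip) || []).filter(t => nowMs - t < windowMs);
  times.push(nowMs);
  recentPosts.set(ip, times);
  return times.length <= maxPosts;
}

// What the script that receives the POST decides; 'pkwayh!' is a constructed
// code string (the thread used "pkwayh" and, separately, a string containing "!").
function handlePost(ip, fields, nowMs, expectedCode = 'pkwayh!') {
  if (!allowPost(ip, nowMs)) return { status: 429, errors: ['too many submissions from this address'] };
  const v = validateSubmission(fields, expectedCode);
  return { status: v.ok ? 200 : 400, errors: v.errors };
}

// Constructed submissions: one typed by a person, one shaped like the bot's batch.
const HUMAN = { code: 'pkwayh!', phone: '(203) 555-0100', email: 'visitor@example.org' };
const BOT = { code: '', phone: 'n/a', email: 'user@' };
console.log(handlePost('192.0.2.10', HUMAN, Date.now()).status); // 200
console.log(handlePost('192.0.2.11', BOT, Date.now()).errors);   // three errors
```

Because the bot in the thread switched addresses between batches, the rate limit only shortens each batch; the server-side challenge check is what stops the submissions from being mailed at all.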
gilman01
Posts: 12 Joined: 5/13/2004 Status: offline
|
RE: Forms Exploit ??? - 7/31/2005 11:58:16
Just a fast follow-up - since I made this modification I have not had another incident with this domain. Also wanted to thank Dan for pointing out the forms issues. I used some JBot forms scriptlets to take care of the phone and email issues.