Comments on: New block for Bulgarians

By: Eelco

Eelco — Fri, 20 Oct 2006 09:12:04 +0000

mod_security…

Ik heb al een tijdje mod_security draaien op mijn machine, tijd om eens te kijken of het echt wat doet:
zgrep “mod_security-message:” /var/log/apache2/audit_log.3.gz |awk ‘{print $9}’|sort | uniq -c| sort -r
1521 “.+$̶…

By: williaty

williaty — Sun, 15 May 2005 06:13:50 +0000

You know, that looks terrible after your scripts stripped the br tags out. Let me try that marked up a different way:

SecFilterSelective HTTP_x-aaaaaaaaaa|HTTP_X_AAAAAAAAAA .+$

SecFilterSelective HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA .+$

Delete whichever of these looks uglier

By: williaty

williaty — Sun, 15 May 2005 06:10:24 +0000

OK, for those of you running mod_security, I’ve got the block figured. It takes two rules:SecFilterSelective HTTP_x-aaaaaaaaaa|HTTP_X_AAAAAAAAAA .+$SecFilterSelective HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA .+$The .+$ matches one or more characters before end of line in the header field. Basically it’s a cheap way of saying “If this line exists, kill the request.” I hope this helps some of you

By: Administrator

Administrator — Sat, 14 May 2005 23:17:05 +0000

The most amusing with these spammers, is that they usually have a forwarded for. And it’s invariably fake! I mean, they’ll have an IP number in there that comes from some high security place, like a three letter agency or something like that. The one you’ve got there is IANA!

By: Alden Bates

Alden Bates — Sat, 14 May 2005 23:13:39 +0000

Aha, I noticed they’d been getting past my .htaccess blocks. I’ve been trying without success to block them using various permutations of RewriteCond rules, but apache doesn’t seem to be drawing the connection. I’ll try the SetEnvIfNoCase rule - thanks!

By: williaty

williaty — Sat, 14 May 2005 22:46:18 +0000

Damn, I’m dumb, please edit that to take the spammer’s link out of that!

By: williaty

williaty — Sat, 14 May 2005 22:45:29 +0000

This is the entry in mod_security’s log when it catches something from these guys based on a keyword in the referrer:======================================== Request: 148.244.150.52 - - [14/May/2005:18:15:50 -0400] “GET /weblog/docs/graytuesday.writeback HTTP/1.1″ 500 611 Handler: cgi-script —————————————- GET /weblog/docs/graytuesday.writeback HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* Accept-Language: en-us Connection: Keep-Alive Host: williaty.dyndns.org Referer: h*tp://www.shivapage.com/party-poker.html User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC) x-aaaaaaaaaa: 1500000 x-aaaaaaaaaaaa: 1 x-forwarded-for: 242.36.124.78 mod_security-message: Access denied with code 500. Pattern match “blackjack|casino|gambling|holdem|hold-em|poker|roulette|slot” at HEADER. mod_security-action: 500

HTTP/1.1 500 Internal Server Error Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1Does any of that match up with what you’re getting?

By: Administrator

Administrator — Sat, 14 May 2005 20:17:19 +0000

Hopefully someone will figure it out and post it. In the meantime, this is what that header looks like:

HTTP_X_AAAAAAAAAAAA=1

By: williaty

williaty — Sat, 14 May 2005 20:00:49 +0000

I, too, noticed the incredible vanishing Via: pinappleproxy trick. I’m using mod_security and have been trying to determine how to get it to watch for x-aaaaaaaaaa. I’m _really_ new to all of this and am in a bit over my head. The best I can come up with is SecFilterSelective HTTP_x-aaaaaaaaaa|HTTP_XAAAAAAAAAA $ but that prevents the web server from working at all. Obviously that’s a great spam-prevention tactic, but hardly useful to me. Any ideas?