MadMax 1, Autosubmitters 0

MadMax · 2010-06-28, 06:31 PM

While I was away it seems the autosubmitters got exponentially more devious. While I was cleaning up the database I pulled the submit form down. Much to my shock, I was STILL getting submits added to the database, all on subdomains promoting gay porn. These submits screamed "autosubmitter" like nothing else I've ever seen.

It looks like I've locked things down completely with some clever massaging of mod_rewrite and some user authentication protocols, but I figured I'd share the ordeal with you guys in case anyone else is having similar issues. In my case I was slightly limited in my options, because my script is no longer supported by the guys who wrote it and a lot of the critical pages are Zend encoded so I can't fuck with their code. I'm going to detail the steps I took as well.

First, I needed to hide/move my submit page. The location of the submit page is hard coded into the script and the page itself is Zend encoded, so in order to password protect the entire page I had to make a new .php page (which still had to reside in the web root directory because of file pathing), add the user auth as a php include, then add the entire submit page as a php include. The user auth is SQL driven, partly because I had the code laying around and partially because I didn't want a file of usernames/passwords residing anywhere in the web directory.

I got everything working then sat back to watch. Fucking autosubmitters were STILL submitting/confirming links, almost as if they could just dump them right into the database...no change at all with a password protected submit page that had been moved to a new location. I figured at this point that they might be spoofing the entire submit page, and since my script was written by Russians I wouldn't be surprised if the same kossacks wrote the autosubmit script and hard coded workarounds into it.

So, the next step was to submit.php from being called via http at all, so anyone trying to access it by going around the user auth would get a 403 error; i.e. only the server itself can call up the page (allowing my include on the new submit page to still work). This also allows me to easily change the name of my submit page whenever I might need to again. AHA! I cheered...surely this will keep those fuckers out!

Not a chance. There were STILL submits being dumped directly into my database, and the script was still sending out confirmation emails on those submits. Looking deeper, submit.php calls a second, thankfully un-encoded file to actually check the link and process database queries.

At this point, I see no other possible method for those submits to be getting in there other than a script calling up that second php page with a POST containing all the link info, allowing the autosubmitter to bypass the submit page/form entirely. Fucking diabolical.

The query would have to be formatted just right, but considering what we've seen out of the Russians in the past I wouldn't put it past them to have bought copies of all the popular LL scripts so that they could pull off this kind of bullshit. I'm no scripting guru, either, so it may have been possible with nothing but the source code of the submit page.

The answer was to add a layer of user authentication on the secondary page as well. I couldn't just block http calls because the secondary page is used for email confirmations, so I massaged in a slightly modified version of the user auth script running on the submit page. The only difference to submitters will be that if their session times out before clicking the link in the confirmation email, they're going to have to give the username and password again to access the confirmation page.

Voila, no more autosubmits for two days now. |acid

I share all this in hopes that it might help someone else. If anyone else is running XPL, I already have all the hard work done. In any case, I thought their method for submitting would make for interesting reading, at least for the code jockeys.

Mr Spock · 2010-06-29, 04:33 PM

Almost sounds like you enjoyed the battle of wits

MadMax · 2010-06-29, 05:08 PM

Quote:

Originally Posted by Mr Spock

Almost sounds like you enjoyed the battle of wits

Only after I won. For a while there it felt like I was dueling a ghost.

2010-06-28, 06:31 PM	#1
MadMax "Without evil there can be no good, so it must be good to be evil sometimes" ~ Satan Join Date: Aug 2004 Location: Motor City, baby, where carjacking was invented! Now GIMME THOSE SHOES! Posts: 2,385	MadMax 1, Autosubmitters 0 While I was away it seems the autosubmitters got exponentially more devious. While I was cleaning up the database I pulled the submit form down. Much to my shock, I was STILL getting submits added to the database, all on subdomains promoting gay porn. These submits screamed "autosubmitter" like nothing else I've ever seen. It looks like I've locked things down completely with some clever massaging of mod_rewrite and some user authentication protocols, but I figured I'd share the ordeal with you guys in case anyone else is having similar issues. In my case I was slightly limited in my options, because my script is no longer supported by the guys who wrote it and a lot of the critical pages are Zend encoded so I can't fuck with their code. I'm going to detail the steps I took as well. First, I needed to hide/move my submit page. The location of the submit page is hard coded into the script and the page itself is Zend encoded, so in order to password protect the entire page I had to make a new .php page (which still had to reside in the web root directory because of file pathing), add the user auth as a php include, then add the entire submit page as a php include. The user auth is SQL driven, partly because I had the code laying around and partially because I didn't want a file of usernames/passwords residing anywhere in the web directory. I got everything working then sat back to watch. Fucking autosubmitters were STILL submitting/confirming links, almost as if they could just dump them right into the database...no change at all with a password protected submit page that had been moved to a new location. I figured at this point that they might be spoofing the entire submit page, and since my script was written by Russians I wouldn't be surprised if the same kossacks wrote the autosubmit script and hard coded workarounds into it. So, the next step was to submit.php from being called via http at all, so anyone trying to access it by going around the user auth would get a 403 error; i.e. only the server itself can call up the page (allowing my include on the new submit page to still work). This also allows me to easily change the name of my submit page whenever I might need to again. AHA! I cheered...surely this will keep those fuckers out! Not a chance. There were STILL submits being dumped directly into my database, and the script was still sending out confirmation emails on those submits. Looking deeper, submit.php calls a second, thankfully un-encoded file to actually check the link and process database queries. At this point, I see no other possible method for those submits to be getting in there other than a script calling up that second php page with a POST containing all the link info, allowing the autosubmitter to bypass the submit page/form entirely. Fucking diabolical. The query would have to be formatted just right, but considering what we've seen out of the Russians in the past I wouldn't put it past them to have bought copies of all the popular LL scripts so that they could pull off this kind of bullshit. I'm no scripting guru, either, so it may have been possible with nothing but the source code of the submit page. The answer was to add a layer of user authentication on the secondary page as well. I couldn't just block http calls because the secondary page is used for email confirmations, so I massaged in a slightly modified version of the user auth script running on the submit page. The only difference to submitters will be that if their session times out before clicking the link in the confirmation email, they're going to have to give the username and password again to access the confirmation page. Voila, no more autosubmits for two days now. \|acid I share all this in hopes that it might help someone else. If anyone else is running XPL, I already have all the hard work done. In any case, I thought their method for submitting would make for interesting reading, at least for the code jockeys. Last edited by MadMax; 2010-06-28 at 06:52 PM..

2010-06-29, 04:33 PM	#2
Mr Spock You can now put whatever you want in this space :) Join Date: Nov 2006 Location: Vulcan Posts: 695	Almost sounds like you enjoyed the battle of wits