Capture IP
Moderator: Thorsten
-
- Posts: 30
- Joined: Tue Oct 18, 2005 2:02 pm
Someone is messing around with my FAQ system. I keep getting empty email messages from the contact system and ask question system. I had to actually remove those links, but the empty emails keep coming, supposedly from all different usernames at qmail.com
Since I removed the contact and ask question links, this person obviously understands phpMyFaq to be able to use those links.
I need to be able to capture an IP address to find out who is doing this and ban them...and have that IP emailed to me along with the FAQ question that the user has asked. I know this is possible because that's how my own contact form (unrelated to this program) is set up.
The admin log system doesn't seem to help because I can't match an IP with this person.
Any help is appreciated.
Hi,
you can use the logs in the data/ folder for the IP.
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Thanks Thorsten. Unfortunately, I still could not trace the offender through the logs as I see nothing unusual.
It would be terrific for the email to be delivered to me with $REMOTE_ADDR so I can catch that ip immediately, but I wouldn't know where to put that in the script.
If you can assist, it would be appreciated.
Hi,
The IP from REMOTE_ADDR is in the log files. I would remove the following files:
- contact.php
- save.php
- savecomment.php
- savequestion.php
- savevoting.php
bye
Thorsten
I removed those files, upgraded to latest version. The files were back and the SPAM started again.
They are all questions being asked from fake users at qmail.com
Here is the email:
User: xomac, mailto:xomac@gmail.com
Categories: CYBERMIDI Related Questions
what is viagra cialis prozac levitra hgh (sometimes different but just as moronic)
Here is today's tracking file with NO references to ASK or Questions.
I am convinced there is still a vulnerability here because I cannot figure out where these are coming from.
2713;new_session;0;64.124.85.71;sid=2713&lang=en&action=xml&id=20&artlang=en;http://cybermidi.com/faq/1_20_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133868978;
2713;create_xml;20;64.124.85.71;sid=2713&lang=en&action=xml&id=20&artlang=en;http://cybermidi.com/faq/1_20_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133868978;
2713;new_session;0;64.124.85.71;sid=2713&lang=en&action=writecomment&id=20&artlang=en;http://cybermidi.com/faq/1_20_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133869180;
2713;write_comment;20;64.124.85.71;sid=2713&lang=en&action=writecomment&id=20&artlang=en;http://cybermidi.com/faq/1_20_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133869181;
2713;new_session;0;64.124.85.71;sid=2713&lang=en&action=send2friend&cat=1&id=20&artlang=en;http://cybermidi.com/faq/1_20_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133869368;
2713;send2friend;0;64.124.85.71;sid=2713&lang=en&action=send2friend&cat=1&id=20&artlang=en;http://cybermidi.com/faq/1_20_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133869368;
2713;new_session;0;64.124.85.71;sid=2713&lang=en&action=show&cat=1;http://cybermidi.com/faq/1_20_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133869550;
2713;show_category;1;64.124.85.71;sid=2713&lang=en&action=show&cat=1;http://cybermidi.com/faq/1_20_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133869550;
2740;new_session;0;80.181.142.241;action=show&cat=1;http://www.cybermidi.com/faq/index.php? ... ozilla/4.0 (compatible, MSIE 6.0, Windows NT 5.1, SV1);1133871622;
2740;show_category;1;80.181.142.241;action=show&cat=1;http://www.cybermidi.com/faq/index.php? ... ozilla/4.0 (compatible, MSIE 6.0, Windows NT 5.1, SV1);1133871622;
2741;new_session;0;64.124.85.71;action=artikel&cat=1&id=45&artlang=en;http://cybermidi.com/faq/index.php?sid= ... ozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133872337;
2741;article_view;45;64.124.85.71;action=artikel&cat=1&id=45&artlang=en;http://cybermidi.com/faq/index.php?sid= ... ozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133872337;
2741;new_session;0;64.124.85.71;sid=2741&lang=en&action=send2friend&cat=1&id=45&artlang=en;http://cybermidi.com/faq/1_45_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133873947;
2741;send2friend;0;64.124.85.71;sid=2741&lang=en&action=send2friend&cat=1&id=45&artlang=en;http://cybermidi.com/faq/1_45_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133873948;
2741;new_session;0;64.124.85.71;sid=2741&lang=en&action=show&cat=1;http://cybermidi.com/faq/1_45_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133873999;
2741;show_category;1;64.124.85.71;sid=2741&lang=en&action=show&cat=1;http://cybermidi.com/faq/1_45_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133873999;
2741;new_session;0;64.124.85.71;sid=2741&lang=en&action=xml&id=45&artlang=en;http://cybermidi.com/faq/1_45_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133874048;
2741;create_xml;45;64.124.85.71;sid=2741&lang=en&action=xml&id=45&artlang=en;http://cybermidi.com/faq/1_45_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133874048;
2710;new_session;0;64.124.85.71;sid=2710&lang=en&action=xml&id=28&artlang=en;http://cybermidi.com/faq/1_28_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133883289;
2710;create_xml;28;64.124.85.71;sid=2710&lang=en&action=xml&id=28&artlang=en;http://cybermidi.com/faq/1_28_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133883289;
2710;new_session;0;64.124.85.71;sid=2710&lang=en&action=send2friend&cat=1&id=28&artlang=en;http://cybermidi.com/faq/1_28_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133883390;
2710;send2friend;0;64.124.85.71;sid=2710&lang=en&action=send2friend&cat=1&id=28&artlang=en;http://cybermidi.com/faq/1_28_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133883390;
2710;new_session;0;64.124.85.71;sid=2710&lang=en&action=show&cat=1;http://cybermidi.com/faq/1_28_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133883493;
2710;show_category;1;64.124.85.71;sid=2710&lang=en&action=show&cat=1;http://cybermidi.com/faq/1_28_en.html;Mozilla/5.0 (compatible, BecomeBot/2.3, MSIE 6.0 compatible, +http://www.become.com/site_owners.html);1133883493;
Now in my site access logs, I just found this:
80.68.242.97 - - [06/Dec/2005:06:04:17 -0800] "POST /faq/index.php?action=savequestion HTTP/1.1" 200 9432 "-" "Mozilla/5.0 (compatible; MSIE 6.00; Windows NT 9.0)"
I found 2 references of it, which I assume would be the 2 spam emails I received. These lines are NOT referenced anywhere in the faq tracking file. I blocked the IP from my site to see if this helps.
Any thoughts?
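The comparison described in the post above, as an added example that is not part of the original thread and is not phpMyFAQ code: it lists the IPs that POST to action=savequestion in the web server access log but never appear in the phpMyFAQ tracking file. The field positions are inferred from the log lines quoted in the post; the function names are hypothetical, and every sample line except the first access-log line is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache combined log format, as in the access-log line quoted in the post.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def tracked_ips(tracking_lines):
    """IPs seen in the tracking file (4th ';'-separated field, per the post)."""
    ips = set()
    for line in tracking_lines:
        fields = line.split(";")
        if len(fields) > 3:
            ips.add(fields[3])
    return ips

def untracked_posts(access_lines, tracking_lines, actions=("savequestion",)):
    """Count form POSTs per IP whose address never shows up in the tracking file."""
    seen = tracked_ips(tracking_lines)
    hits = Counter()
    for line in access_lines:
        m = ACCESS_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        action = parse_qs(urlsplit(m["url"]).query).get("action", [""])[0]
        if action in actions and m["ip"] not in seen:
            hits[m["ip"]] += 1
    return hits

# Constructed tracking lines, modelled on the format shown in the post.
TRACKING = [
    "2740;show_category;1;80.181.142.241;action=show&cat=1;-;Mozilla/4.0;1133871622;",
    "2801;show_category;1;192.0.2.10;action=show&cat=1;-;Mozilla/4.0;1133871700;",
]
# First line is the one quoted in the post; the other two are constructed.
ACCESS = [
    '80.68.242.97 - - [06/Dec/2005:06:04:17 -0800] "POST /faq/index.php?action=savequestion HTTP/1.1" 200 9432 "-" "Mozilla/5.0 (compatible; MSIE 6.00; Windows NT 9.0)"',
    '192.0.2.10 - - [06/Dec/2005:07:00:00 -0800] "POST /faq/index.php?action=savequestion HTTP/1.1" 200 9000 "http://www.example.com/faq/" "Mozilla/4.0"',
    '80.68.242.97 - - [06/Dec/2005:06:09:41 -0800] "GET /faq/index.php HTTP/1.1" 200 5000 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, count in untracked_posts(ACCESS, TRACKING).most_common():
        print(f"{ip}\t{count} untracked POST(s)")
```

An address reported here submitted the form without ever loading a FAQ page that writes a tracking entry, which is the pattern of a script posting directly to the save handler.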
Hi,
I think we should add a spam protection in one of the next versions of phpMyFAQ.
bye
Thorsten
Thorsten,
I know you've already spoken about spam protection.
In the meanwhile, do you have thoughts on how the user above is accessing my FAQ ask question without any tracking logs in FAQ?
It happened again today with only one line in my site logs.
ip - - [17/Dec/2005:16:56:33 -0800] "POST /faq/index.php?action=savequestion HTTP/1.1" 200 7015 "-" "Mozilla/5.0 (compatible; MSIE 6.00; Windows NT 9.0)"
Hi,
I think they use automated scripts for that. I'm working on a protection for that, too.
bye
Thorsten
Hi,
the 1.6 version of phpMyFAQ will have support for Captchas.
bye
Thorsten
Hi,
it is separated by blank spaces.
bye
Thorsten