Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
Anonymous_User Absent Member.
Absent Member.
2314 views

Someone is hacking...

Someone is hacking on one of my web forms.
The only thing the form does is submit some user created answers to myself,
it's not anything of any value yet this person seems to be testing it for
something. Can you think of anything it could be used for? It does sent
an autoreply that the form was submitted. It's really just an annoyance,
but wondering what perceived value this person sees in the exercise.
Labels (1)
0 Likes
30 Replies
kathcarruthers Absent Member.
Absent Member.

Re: Someone is hacking...

GofBorg wrote:

> Someone is hacking on one of my web forms.
> The only thing the form does is submit some user created answers to
> myself, it's not anything of any value yet this person seems to be
> testing it for something. Can you think of anything it could be used
> for? It does sent an autoreply that the form was submitted. It's
> really just an annoyance, but wondering what perceived value this
> person sees in the exercise.


They don't like you, and this is obviously annoying?

--


Kathryn Carruthers
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

> They don't like you, and this is obviously annoying?
Always a possibility...but it's not that annoying.
Keeping an eye on them though. The site is remotely hosted so
if they want to hack ...insert your ISP of choice here...
more power to them.
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

On Fri, 20 Mar 2009 17:02:37 +0000, GofBorg wrote:

> Can you think of
> anything it could be used for?


Skewing the results from your form....

I'd block the IP address if possible.

Jim



--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Training Services
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

GofBorg wrote:
> Someone is hacking on one of my web forms.
> The only thing the form does is submit some user created answers to
> myself, it's not anything of any value yet this person seems to be
> testing it for something. Can you think of anything it could be used
> for?


They're probably looking to see if it can be used to send spam e-mail
to recipients of their choosing (like the infamously popular formmail),
or if it causes comments to appear somewhere. The latter is/was useful
for boosting a site's Google PageRank -- if its URL appears in comments
on a thousand blogs or galleries or such then it'll look more
legitimate and move up the rankings.

We get a fair wedge of spam our "send us an enquiry" forms, which I've
presumed to be the latter type of exploit. Luckily I dealt with them
fairly easily since whatever scripts are used for this tend to fill out
the forms in a certain way that's trivial to reject.

--
Regards,
Ben A L Jemmett.
http://flatpack.microwavepizza.co.uk/
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

> Skewing the results from your form....

No not really. Can't block the IP, it's remotely hosted site.

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

> They're probably looking to see if it can be used to send spam e-mail
> to recipients of their choosing (like the infamously popular formmail),


This is a possibility, it does use formmail.
How is it used to send spam? I mean they can spam me of
course, is that what you mean? To me it looks like someone is using
it to test a script they may be writing (or configuring if it's a script
kiddie)


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

GofBorg wrote:
> This is a possibility, it does use formmail.
> How is it used to send spam? I mean they can spam me of
> course, is that what you mean?


It's been a long time since I last looked at formmail, so it may have
been tightened up a bit nowadays -- I think it used to accept the
e-mail address the form data should be sent to as a parameter, so you'd
typically embed your address in the form as a hidden field. Of course,
if someone spots that they can just submit whatever address they want
and therefore send spam anywhere they want through your web server. I
suspect this is no longer the case, and that it can be configured to
only allow certain destination addresses/domains at the server level,
but that doesn't stop people probing for the vulnerability. If your
script is configured to always send to you, this might be what you're
seeing.

[In fact, just checking the logs on my shiny new web server, I see
plenty of probes for the script -- so people are definitely still
looking for it...]

> To me it looks like someone is using
> it to test a script they may be writing (or configuring if it's a
> script kiddie)


It's possible -- bit daft of them though unless they're actually
targetting you specifically, to skew results or something. How much
activity are you seeing?

--
Regards,
Ben A L Jemmett.
http://flatpack.microwavepizza.co.uk/
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

http://www.captcha.net/


"GofBorg" <GofBorg@no-mx.forums.opensuse.org> wrote in message
news:N_Pwl.6513$Ht3.3172@kovat.provo.novell.com...
> Someone is hacking on one of my web forms.
> The only thing the form does is submit some user created answers to
> myself,
> it's not anything of any value yet this person seems to be testing it for
> something. Can you think of anything it could be used for? It does sent
> an autoreply that the form was submitted. It's really just an annoyance,
> but wondering what perceived value this person sees in the exercise.



0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

On Fri, 20 Mar 2009 17:26:50 +0000, GofBorg wrote:

>> Skewing the results from your form....

>
> No not really. Can't block the IP, it's remotely hosted site.


I'm sure there's a way you could do it in the form itself - aren't there
Javascript variables for the IP address?

Jim



--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Training Services
0 Likes
adrockk Trusted Contributor.
Trusted Contributor.

Re: Someone is hacking...

GofBorg spewed:

> Someone is hacking on one of my web forms.
> The only thing the form does is submit some user created answers to myself,
> it's not anything of any value yet this person seems to be testing it for
> something. Can you think of anything it could be used for? It does sent
> an autoreply that the form was submitted. It's really just an annoyance,
> but wondering what perceived value this person sees in the exercise.


SQL injection attacks? Trying to submit things that look have a string
terminator followed by SQL instructions?

--


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

> SQL injection attacks? Trying to submit things that look have a string
> terminator followed by SQL instructions?


Fortunately not. 🙂 Again wouldn't matter in this case, information is
manually handled. It's the equivalent of sending me an email.

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

> http://www.captcha.net/

I can't stand that thing...and I'd never subject a customer to that.
Just my feeling on it.
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

> It's possible -- bit daft of them though unless they're actually
> targetting you specifically, to skew results or something. How much
> activity are you seeing?


I'm getting about 3 to 5 emails a day right now.
Started out looking very automated, now I'm seeing shall we say,
more 'tailored' submits. I was thinking of adding a line of code to
do a little bit of form validation on a certain field and send those emails
to /dev/null. On the automated assaults it might be effective.
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Someone is hacking...

> I'm sure there's a way you could do it in the form itself - aren't there
> Javascript variables for the IP address?


See my reply to Ben as to the approach I may use to deal with it.


0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.