
Possible Exploit v4

oculusmm 24 Oct, 2011
Hi,

Since Friday 21st I have experienced, on 3 separate client sites, forms being submitted by automated spam bots. What is happening is that forms are being submitted in gibberish, mainly with spammer links in the message body. They are managing to bypass the MooTools validators, and the results being posted to myself no longer contain data but a mixture of links, variables (?) from the template's results email, and data in the format that will be approved by MooTools. See below. My version is 4.0 RC1.8 on various Joomla builds: 1.6, 1.5.23 and 1.7.

INSIDE & OUT WEBSITE ENQUIRY
Personal Information:
First Name: hkwivbpr
Last Name: hkwivbpr
E-Mail Address: [email]icltwo@isjtxb.com[/email]
Contact Number eAmUwHusoLFfRkVOWxx
Haymarket Salon:
Salon: {select_haymarket}
Date Requested: JlNHevVIwCTdL
Time Requested: Select a time
Airport Salon:
Salon: {select_airport}
Date Requested: dsJZLJDCd
Time Requested: Select a time
Additional Information:
Information: jwIR39 itwqigbrfmls, vxlfmlmvmnld, [link=http://wzpfssbypclp.com/]wzpfssbypclp[/link], http://gtkuuykgsope.com/
GreyHead 24 Oct, 2011
Hi oculusmm,

They are most probably spammers or spam bots with JavaScript disabled. The MooTools validation is not spam protection, it just helps make sure that the data entered by the user meets the criteria you set. If JavaScript is disabled then it does nothing.

Adding a Captcha will help protect against spam bots but not human spammers. ServerSide validation can add some extra checks.

Bob
oculusmm 24 Oct, 2011
Hi,

Yes, I understand the MooTools validators issue; nothing can be done.
I also understand the server-side issue and was looking at setting up an array to block IPs, but as they change constantly it is just a lost cause.
Captchas are set up on all but one of the forms.

What does concern me, however, is the {} variables set up in the template that is sent to myself/clients, as this has just started happening with forms since Friday and I am at a loss as to how this is happening. I.e. here's a form from Friday that I received. I cannot understand why the form fields set up in the template are now being sent to me on 3 different sites instead of data, especially when validators are set up on all fields. Surely either the validator would stop the form from being sent or, if sent, data would be present.

I take it if a field is left blank then the variable would show up anyways?

Name: {frmGeneralName} (validated for a-z input)
Contact: {frmGeneralEmail} (validated for a valid email address)
Details of the Enquiry:
{frmGeneralMessage} (no validation optional)
GreyHead 24 Oct, 2011
Hi oculusmm,

I sympathise with the spam problem; we are currently getting 20-30 a day in the forums here :-( And, as you say, they use a wide range of IP addresses.

I don't have any good explanation for the missing data from the forms. If they are text inputs then you shouldn't see the {input_name} values. However, the example you posted earlier only has these entries for select boxes and there you can get a null submission if nothing is selected.

Bob
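
The server-side checks and the empty-field behaviour discussed in the replies above, as an added example that is not part of the original posts and is not ChronoForms or Joomla code. It is plain PHP; the helper names, the 64-character cap, the link check and the sample submissions are assumptions, while the field names are the ones quoted in the thread.

```php
<?php
// Return a submitted field as a trimmed string; missing or array values become ''.
function field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

// Re-apply on the server the rules the MooTools validators only enforce in the browser.
function validate_submission(array $post): array
{
    $errors = [];
    if (!preg_match('/^[a-z ]{1,64}$/i', field($post, 'frmGeneralName'))) {
        $errors[] = 'Name must contain letters a-z only.';   // length cap is an assumption
    }
    if (filter_var(field($post, 'frmGeneralEmail'), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }
    // Assumed extra check: an enquiry has no reason to carry links or BBCode link tags.
    if (preg_match('~https?://|\[(?:link|url)[=\]]~i', field($post, 'frmGeneralMessage'))) {
        $errors[] = 'Message must not contain links.';
    }
    return $errors;
}

// Fill {field_name} tokens. A field the client never sent (for example an unselected
// select box) becomes a visible marker instead of a leftover raw placeholder.
function render_email(string $template, array $post): string
{
    return preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($post): string {
        $value = field($post, $m[1]);
        // Escaping assumes the result is placed in an HTML e-mail body.
        return $value === '' ? '(not provided)' : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }, $template);
}

// Constructed samples: a scripted post sent without JavaScript, and a legitimate
// enquiry that leaves the select box and the optional message empty.
$template = "Name: {frmGeneralName}\nSalon: {select_haymarket}\nDetails: {frmGeneralMessage}\n";
$samples = [
    ['frmGeneralName' => 'hkwivbpr', 'frmGeneralEmail' => 'bot@example.com',
     'frmGeneralMessage' => 'jwIR39 [link=http://spam.example/]x[/link]'],
    ['frmGeneralName' => 'Jane Doe', 'frmGeneralEmail' => 'jane@example.com'],
];
foreach ($samples as $post) {
    $errors = validate_submission($post);
    echo $errors ? 'Rejected: ' . implode(' ', $errors) . "\n" : render_email($template, $post);
}
```

The first sample is rejected before any e-mail would be built; the second renders with "(not provided)" where the template would otherwise show `{select_haymarket}` and `{frmGeneralMessage}`.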
oculusmm 24 Oct, 2011
Yes, it baffled me as well. I just thought I would highlight this issue as, as I have already stated, this has just started happening on Friday on all my client websites.

I just found it strange that this started happening on one particular day, as this always makes me suspicious.
This topic is locked and no more replies can be posted.