Calguns.net  

06-02-2014, 7:45 AM
ocabj

"liker.profile" spam bot

I'm not sure if anyone here runs any sort of host IDS or some other log analysis on their web logs, but I noticed an uptick in apache/httpd 404 errors similar to this:

Code:
84.240.9.6 - - [02/Jun/2014:03:36:49 -0700] "GET /++liker.profile_URL++ HTTP/1.0" 404 30425 "http://www.ocabj.net/++liker.profile_URL++" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.13014 YaBrowser/13.12.1599.13014 Safari/537.36"

I keyed on the "++liker.profile_URL++" string and a Google search yielded a definitive answer. But the consensus appears to be that these are triggered by spam bots trying to drop/inject URL (links) on any website via comment forms, HTML forms, etc.

Several weeks ago I implemented a custom OSSEC rule:

Code:
<rule id="101007" level="6">
    <if_sid>31101</if_sid>
    <regex>+liker\.profile_URL+</regex>
    <match>GET</match>
    <description>Link dropping spam bot.</description>
</rule>

The above basically strings off a 404 error match and checks for the request type and regex's for the liker.profile_URL string in the HTTP request. I don't even have a composite rule for frequency right now. I immediately set level=6 so it blocks the IP on a single event of this type (my OSSEC active response triggers off of level >= 6). This may be a bit strict, but I figure if this 404 is caused by a spam bot, why bother with checking for multiple requests in a specific time span?

Has anyone else come across this behavior in their environment?

Has anyone else mitigated these bots? What was your method?
__________________

Distinguished Rifleman #1924
NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
NRL22 Match Director at WEGC

https://www.ocabj.net
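
The rule's logic (404 status, GET request, the literal `++liker.profile_URL++` string) can be replayed over existing access logs to see which source IPs it would block before enabling active response. The following is an added example, not part of the original post and not OSSEC code; the function names, the `threshold` parameter and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
MARKER = "++liker.profile_URL++"  # literal string from the log line in the post


def matches_rule(line):
    """Return the client IP if the line is a 404 GET whose path contains MARKER."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not counted as hits
    # Only the request path is checked, so a marker in the referer alone is ignored.
    if m["status"] == "404" and m["method"] == "GET" and MARKER in m["path"]:
        return m["ip"]
    return None


def ips_to_block(lines, threshold=1):
    """IPs with at least `threshold` hits; threshold=1 mirrors a single-event block."""
    hits = Counter(ip for ip in map(matches_rule, lines) if ip)
    return sorted(ip for ip, n in hits.items() if n >= threshold)


# Constructed sample lines (documentation-range IPs), modelled on the post's log line.
SAMPLE = [
    '192.0.2.10 - - [02/Jun/2014:03:36:49 -0700] "GET /++liker.profile_URL++ HTTP/1.0" 404 30425 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Jun/2014:03:36:52 -0700] "GET /blog/++liker.profile_URL++ HTTP/1.0" 404 30425 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jun/2014:03:40:01 -0700] "GET /++liker.profile_URL++ HTTP/1.1" 404 30425 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jun/2014:03:41:10 -0700] "GET /missing.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jun/2014:03:42:00 -0700] "POST /++liker.profile_URL++ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jun/2014:03:43:00 -0700] "GET /++liker.profile_URL++ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("block on first hit:", ips_to_block(SAMPLE))
    print("block after 2 hits:", ips_to_block(SAMPLE, threshold=2))
```

Raising `threshold` shows how many fewer addresses a frequency-based variant would block on the same logs.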