On Thu, Dec 22, 2016 at 6:55 PM, Mark Sapiro mark@msapiro.net wrote:
On 12/22/2016 03:38 PM, Jim Popovitch wrote:
I'm seeing GET attempts like this:
77.247.181.165 - - [22/Dec/2016:23:30:10 +0000] "GET /subscribe/users?sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en&?sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en&&sub_form_token=1527449307%3A44440ca6e66379d0e6e9c45b66d93d5864da4621&email=jconno2215%40gmail.com&fullname=585c61c234d98&pw=&pw-conf=&digest=1&email-button=jconno2215%40gmail.com&language=en& HTTP/1.1" 404 162 "http://netcoolusers.org/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
OK. I see how limiting the subscribe CGI to POST requests would stop these, but I haven't seen any attacks like this. In the ones I've seen, the bot GETs the form via listinfo and then delays and POSTs to subscribe as described in the part of my post in this thread you didn't quote.
Just to be clear, the bots are doing a GET of the listinfo page, extracting the token, and then (mis)forming the GET URL like this:
89.32.127.178 - - [22/Dec/2016:23:53:29 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
89.32.127.178 - - [22/Dec/2016:23:53:32 +0000] "GET /subscribe/users?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&?sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en&&sub_form_token=2351250719%3A8d5271a8d26c4cdd37040d7a7f37efb977e93d07&email=candice.cheng%40gmail.com&fullname=585c673c4eaac&pw=&pw-conf=&digest=1&email-button=candice.cheng%40gmail.com&language=en& HTTP/1.1" 404 162 "http://netcoolusers.org/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
I suspect the bot is requesting ../subscribe and that nginx is just stripping the leading dots off the request (totally not sure about this though).
-Jim P.
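As an added example (not code from the thread or from Mailman itself), a small Python detector run over constructed access-log lines in the format quoted above: it flags a subscribe CGI hit made with GET, a query string in which sub_form_token appears more than once, and a listinfo GET followed within a short window by a subscribe GET from the same address. The sample addresses, token and email values, and the 30-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample lines (made-up addresses, token, email) in the log format seen in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2016:23:53:29 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Dec/2016:23:53:32 +0000] "GET /subscribe/users?sub_form_token=1%3Aabc&email=x%40example.com&language=en&?sub_form_token=1%3Aabc&email=x%40example.com HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Dec/2016:23:55:00 +0000] "GET /mailman/listinfo/users HTTP/1.1" 200 2866 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Dec/2016:23:56:10 +0000] "POST /mailman/subscribe/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_subscribe_bots(log_text, max_gap_seconds=30):
    """Return {ip: [reasons]} for addresses whose subscribe traffic looks scripted.
    max_gap_seconds (default 30, an assumed value) bounds the listinfo-to-subscribe gap."""
    last_listinfo = {}           # ip -> time of its most recent listinfo GET
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method = rec["ip"], rec["ts"], rec["method"]
        parts = urlsplit(rec["target"])
        if method == "GET" and "/listinfo/" in parts.path:
            last_listinfo[ip] = ts       # remember the token-harvesting fetch
            continue
        if "/subscribe/" not in parts.path:
            continue
        if method == "GET":              # the listinfo form submits with POST
            findings[ip].add("subscribe CGI requested with GET instead of POST")
            seen = last_listinfo.get(ip)
            if seen is not None and (ts - seen).total_seconds() <= max_gap_seconds:
                findings[ip].add("listinfo GET then subscribe GET within %ds" % max_gap_seconds)
        if parts.query.count("sub_form_token=") > 1:   # concatenated query, as in the thread
            findings[ip].add("sub_form_token repeated in one query string")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}
```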