Attacks through Messenger form fields

Ves
Junior Member
Posts: 5
Joined: 13 Apr 2012, 00:35

Post by Ves »

csf: v14.17
MESSENGER config by default with MESSENGER v2 enabled

I'm receiving these mail alerts from the Messenger recaptcha:

Subject: lfd on server.domain.com: recaptcha ?ôЄÿê/¶7Ô³Æ">ßv¬£þlÄ ¡ƒÃƒà¤õ-qJ7L-°¤Úwyµ#w@/V{Õ[7ÀTÀKÕˆ=RN”¯c?‘æø˝5Ô¬Œ•šñ+é>þGãïo&ŽÌÒoskäÊcìƒÙnePü[|š§AñÂDõ¯|¤ð¸£ãº7" (Unknown)

Time:     Mon Aug 21 11:50:34 2022 +0200
IP:       ?ôЄÿê/¶7Ô³Æ">ßv¬£þlÄ     ¡ƒÃƒà¤õ-qJ7L-°¤Úwyµ#w@/V{Õ[7ÀTÀKÕˆ=RN”¯c?‘æø˝5Ô¬Œ•šñ+é>þGãïo&ŽÌÒoskäÊcìƒÙnePü[|š§AñÂDõ¯|¤ð¸£ãº7" (Unknown)

Recaptcha unblock of ?ôЄÿê/¶7Ô³Æ">ßv¬£þlÄ  ¡ƒÃƒà¤õ-qJ7L-°¤Úwyµ#w@/V{Õ[7ÀTÀKÕˆ=RN”¯c?‘æø˝5Ô¬Œ•šñ+é>þGãïo&ŽÌÒoskäÊcìƒÙnePü[|š§AñÂDõ¯|¤ð¸£ãº7" (Unknown) on ÊæJåâã$á   àrCóîFɑȐ]¬xÉÈä!`ÜlS‰÷tað÷¼       «ú+Ê`8¶Æá)$™«Þx”÷}W      ,ªw†ûI–D0’£‘y5Øœ I­"ñ®zé^DÁª°~`9Ô¬·¶©fan³^è­Âê:ÿïÔµ{}*qæ·ƒwŒ½•¨R@=Š –ôÓ†A(ím¿lºs¢Û€4§°+U·îàÝñOþ¿@q_r,ìΣÇà€ƒB_•Ú j騍cbU{íöü}E0=Á«ÐŸ¨Šó)í,“"XÄÎzÿ]LS¹“n˜ÿÚR)À^Až£}¨¤“ðïv£VSɨy‰ËÇû!ˆä õ¾|V{ù4¿Î<,¶7}0…ÒøŠ¹¬1
¯‹©Ç‡U¼óΓûˆC¿ðÀ£¶W’6ðŸ`žQçphk´8(3ÀPQЧ«ùy~Žù’]až
¸dxë¹Íë”
úF wš}©%×Bi®ˆfíþ÷U'‹á€AtP¢Œ0ëËm–E‰Éás¦ì™1\mú»ÇÏJÉ1Mi•œaq

----

Subject:  lfd on server.domain.com: recaptcha ¤‘‚ÁiÃÍÃÕqø—°¥±W†¡”jèÄ9¯tÅi (Unknown)

Time:     Mon Aug 21 13:19:23 2022 +0200
IP:       ¤‘‚ÁiÃÍÃÕqø—°¥±W†¡”jèÄ9¯tÅi (Unknown)

Recaptcha unblock of ¤‘‚ÁiÃÍÃÕqø—°¥±W†¡”jèÄ9¯tÅi (Unknown) on  () requested

At first I thought the attacks came from /home/csf/public_html, but I wrote a die(); function inside /home/csf/public_html/index.php and the attacks persisted, until I deleted the <form..> code inside the /etc/csf/messenger index.html and index.php pages.

Not sure if they try to write the file /home/csf/unblock.txt, which is later processed inside /etc/csf/lfd.pl. Alert messages were created, and I'm not sure if there is enough sanitization inside lfd.pl or the related function checkip inside /usr/local/csf/lib/ConfigServer/CheckIP.pm.

Just as a precaution, I have created an inotify script to replace the files inside /etc/csf/messenger as soon as there is an update.

Any experience with this type of attack?
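As an added example (not csf's own code, and not part of the post above), here is a defender-side check in Python that does what the post worries lfd.pl and CheckIP.pm might not do strictly enough: accept the recaptcha-submitted IP field only if it is a single printable ASCII IPv4/IPv6 literal, and flag alert subjects whose field is anything else. The alert-subject format and the sample subjects are constructed to match the shape shown above; the garbled field is a short stand-in for the binary junk in the post.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample alert subjects in the shape shown in the post (not real data).
GARBLED_FIELD = '?\u00f4\u0410\u00ff\u00ea/\u00b67\u00d4\u00b3\u00c6">\u00dfv'
SAMPLE_SUBJECTS = [
    'lfd on server.domain.com: recaptcha 203.0.113.7 (Unknown)',
    'lfd on server.domain.com: recaptcha ' + GARBLED_FIELD + ' (Unknown)',
    'lfd on server.domain.com: recaptcha 2001:db8::1 (Unknown)',
    'lfd on server.domain.com: recaptcha 203.0.113.7 and-more (Unknown)',
]

# Longest textual IPv6 form ("ffff:...:255.255.255.255") is 45 characters.
MAX_IP_TEXT_LEN = 45


def is_valid_ip(value: str) -> bool:
    """Strict allow-list check: one IP literal, printable ASCII only, nothing else."""
    if not value or len(value) > MAX_IP_TEXT_LEN:
        return False
    # Rejects the binary junk from the post before it reaches any parser or mail body.
    if not value.isascii() or not value.isprintable():
        return False
    try:
        ipaddress.ip_address(value)  # raises ValueError on anything that is not a literal
    except ValueError:
        return False
    return True


# Assumed subject layout, taken from the alerts quoted in the post:
#   "lfd on <host>: recaptcha <field> (<country>)"
SUBJECT_RE = re.compile(r'^lfd on \S+: recaptcha (.*) \(([^)]*)\)$')


def untrusted_ip_field(subject: str) -> Optional[str]:
    """Return the raw field if it is NOT a valid IP literal, else None."""
    match = SUBJECT_RE.match(subject)
    if not match:
        return None  # not a recaptcha alert subject; ignore
    field = match.group(1)
    return None if is_valid_ip(field) else field


def flag_bad_submissions(subjects: List[str]) -> List[str]:
    """Collect every field value that should have been rejected at the form."""
    return [f for s in subjects if (f := untrusted_ip_field(s)) is not None]
```

Running flag_bad_submissions over mail subjects from the lfd alerts gives a quick count of how often the Messenger form is being fed non-IP data, independent of whether the unblock path later rejected it.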