password protection [sic] bypassed;-(
-
I have already suffered an actual ’email injection’ breach because I was unaware that WP-ContactForm v1.1 needed to be updated to v1.4.3 (for WP2.0.1). Bad Behavior v1.2.4 is now also active; it’s currently 412’ing the continuing email injection attempts. MySQL is filling up.
Hoping to quash the current takeover activities, I have implemented the password protection [sic] feature on the contact form’s static page. Another static page called ‘password’ shows a simple cryptic clue to the password – ie it’ll stop robots/scripts but not people.
The logs show nice people going through the password area and on to the contact form.
The logs show nasty scripts completely ignoring ie bypassing the password area and implementing the POST directly.
How is this allowed!? More importantly what may I do to defend my WordPress sites?
-
They are NOT accessing the page, so there’s no point in my attempting to stop them accessing the (contact) page.
AFAIK they don’t go anywhere near it or anywhere else on my site(s). They simply slam in a POST command via this http_post thingummy. All the usual WP commenting traps and safety stuff is of no use as *the page is never accessed*. They are just slamming in a blind POST… well, that’s how I see it.
I’ve sleuthed around and the http_post thingummy is nothing specifically to do with WP, it seems it’s PHP stuff in my Apache server that is called upon to perform (possibly by something known as cURL) by http_post via the POST command.
Here are my (largely useless) .htaccess lines (which haven’t stopped my incoming POSTs…):
RewriteCond %{HTTP_REFERER} !^https://.*.mysite.com/wordpress/wp-content/plugins/custom-contact/custom-contact-email.php$ [NC]
RewriteCond %{REQUEST_METHOD} ^POST$
#RewriteCond %{REQUEST_POST} .*.php
RewriteRule .* - [F,L]

They are accessing the page. They’re accessing it remotely. You are misunderstanding how it works.
simple.php contains a form that sends info — it might be a guestbook entry, it might be an email. It does NOT matter. Forms send data via an http_post.
http_posts can be sent from anywhere. I can write a simple script, that will auto-populate any fields your form requires and send an http_post from MY server to yours.
The form resides on the page, therefore I AM accessing the page.
That’s the entire idea behind writing forms that send their particular http_post off to ANOTHER page.
I’ll show you exactly what I mean.
Click this link:
https://www.village-idiot.org/vi-comment.php
You CANNOT submit ANY comments to my site unless your referer matches what I want. vi-comment.php contains the form responsible for sending comments.
If it were NOT for what I have done, comment submission could be done remotely also.
I just want you to know, whooami, that I have learned more about this sort of thing from reading your posts in this thread than I did after a week of reading stuff in hundreds of places “otherwhere” online.
Thanks.
I’m not talking about comments… everything is fine with comments. Comments have to have their pages, so to speak, accessed and your suggestions work properly for comment pages.
This is all about the contact page area. Unfortunately, as the hackers have found out, their bots do NOT have to actually access the contact page or go anywhere near it. And so all the comment page protections are inappropriate. As they don’t need to go anywhere near the contact page then conventional REFERER protection is equally irrelevant.
I spent an hour or two researching what this might mean.
This might explain a thing or two to a programmer: https://www.faqts.com/knowledge_base/view.phtml/aid/15705/fid/2
<?php
function HTTP_Post($URL, $data, $referrer = "") {
    // parsing the given URL
    $URL_Info = parse_url($URL);

    // Building referrer
    if ($referrer == "") // if not given use this script as referrer
        $referrer = $_SERVER["SCRIPT_URI"];

    // making string from $data
    $values = array();
    foreach ($data as $key => $value)
        $values[] = "$key=" . urlencode($value);
    $data_string = implode("&", $values);

    // Find out which port is needed - if not given use standard (=80)
    if (!isset($URL_Info["port"]))
        $URL_Info["port"] = 80;

    // building POST-request:
    $request  = "POST " . $URL_Info["path"] . " HTTP/1.1\n";
    $request .= "Host: " . $URL_Info["host"] . "\n";
    $request .= "Referer: $referrer\n";
    $request .= "Content-type: application/x-www-form-urlencoded\n";
    $request .= "Content-length: " . strlen($data_string) . "\n";
    $request .= "Connection: close\n";
    $request .= "\n";
    $request .= $data_string . "\n";

    $fp = fsockopen($URL_Info["host"], $URL_Info["port"]);
    fputs($fp, $request);
    $result = "";
    while (!feof($fp)) {
        $result .= fgets($fp, 128);
    }
    fclose($fp);
    return $result;
}

$output1 = HTTP_Post("https://www.server1.com/script1.php", $_POST);
$output2 = HTTP_Post("https://www.server2.com/script2.php", $_POST);
?>
Only thing is it doesn’t tell me how I might stop it;~| It’s late g’night.
—-best wishes, Robert
I’m no PHP guru, but that looks like it builds up an HTTP POST or two when it’s all said and done. Which needs a target page.
Have you tried the PXS Mail form plugin?
neon: yes…
https://www.ads-software.com/support/topic/61091?replies=23#post-331103
It’s been a long day & night and it’s now 2.40am here… g’night.

Sorry, churchtown, apparently I’m blind. Nite.
For starters, I realize what I pasted was specific to comments. BOTH use an http_post.
———-
// Building referrer
if ($referrer == "") // if not given use this script as referrer
    $referrer = $_SERVER["SCRIPT_URI"];
———-
Basically that snippet does 2 things, and pay close attention when I say this: THEY ARE ACCESSING THE PAGE (once again), THEY ARE JUST DOING IT REMOTELY.
1. it allows a blank referer
2. takes a blank referer and makes the script the referer.
Therefore, the http_post appears to be coming from your site, when in fact, it might not. THEREFORE, a simple .htaccess rule prohibiting such access will be circumvented.
To get around that what needs to be done is this:
contact.php contains:
<form action="this-actually-processes-data.php" method="post">
and an .htaccess rule that blocks ALL access to this-actually-processes-data.php unless it comes from contact.php
NOT just your domain, but the actual referring page — The ONLY PAGE that should be calling it.
Do you follow?
And I’ve already suggested that these scripts are written like that above.
If you want a VERY simple contact script that uses that sort of set-up, then try out the one that podz uses. The name escapes me, and I am at work so I cannot hunt for it. It has a simple ban function, domain checking AND uses a secondary page to actually parse the data within the submitted form.
sc-contact, or something like that. I’m sure podz can pipe in with the name.
My apologies, as I’m at work so I wasn’t able to look real well.. however..
$referrer = $_SERVER["SCRIPT_URI"]; is the name of the script the remote user IS using.
That is not to say that the domain referer cannot be spoofed in other ways.
churchtown, I plan on asking via email also, but in the event you read this before your email — it would help me immensely if i could see a day or 2’s worth of your raw server logs from Apache– and obviously I need them to include hits to your contact form, ie the page in question.
To that note, also, just to reinforce what I have been saying all along, look again at the script you pasted; the last 2 lines state
$output1=HTTP_Post(“https://www.server1.com/script1.php”,$_POST);
script1.php in this example is ANY insecure FORM on a page.
Surfing the web is made up of a series of http_posts and http_gets; forms happen to use http_posts. Accessing the form requires accessing the page.
whooami:
I feel a little embarrassed, you did say you wanted to work on this later in the week maybe at the weekend;~/
The snippet above was just something I tripped over in my trawling of the net to derive some intelligence about what was, strike that, IS being perpetrated on my WP sites through their contact pages.
I have now tried two iterations of Ryan’s plugin (WP-ContactForm and PXS Mail Form) and am now on my third flavour of contact facility – the Custom Contact Me/Us plugin.
Have seen no difference to the incoming POSTs other than initial breach suffered under Ryan’s early v1.1 which was later plugged with v1.4.3. In case these bots are able to continue to use the other (previously installed) contact form mechanisms I have moved them out of reach of the web.
The Custom Contact Me/Us plugin contains a page access timing element (anti-flood protection?) and I had it set to 30 secs. Overnight several POSTs were lodged on the same sites from the same IP that were spaced just a few seconds apart. Perhaps the page access timing element thing isn’t working (I’ve now set it to 180 secs). Perhaps the bots just aren’t accessing the pages…
My access logs carry only these POST entries. Perhaps the bots are using a command line entry system that has an internal REFERER element to get around the .htaccess check. Nevertheless the logs are showing no other page accesses than the single POST entries.
The blog sites virtual domains’ .htaccess files carry the precise blocking REFERER check you have suggested and also those of my own. I must point out that these .htaccess clauses are not working;~/
These POSTs continue to be lodged blindly. I call them blindly because it doesn’t seem to matter what flavour of contact page my sites are carrying because they really don’t seem to look at any of my pages. You call it being remotely accessed. Fine, I will happily defer to your experience;~)
I would like to completely arrest these remote access connections to the point where these POST entries don’t even appear in my logs. Three changes of contact page plugin later, with the addition of the REFERER checking .htaccess clause you’ve suggested, I see absolutely no change in what these people and their bots are perpetrating on my WP sites.
In short I have made no progress in this thread at beating the current machinations of these criminals and their nefarious activities on my WP sites’ contact mechanisms.
—-best wishes, Robert
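The check whooami is proposing to run over the raw Apache logs, as an added example that is not from the thread: flag POSTs to the contact handler from client addresses that never fetched the contact page beforehand, which is exactly the "single POST entries" pattern Robert describes. The handler path is the one from Robert's .htaccess; the contact page path, the time window and the four log lines are constructed. The Referer is reported but not relied on, since the script quoted earlier shows the client sets it to whatever it likes.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

CONTACT_PAGE = "/wordpress/contact/"  # assumed path of the page that carries the form
# handler path taken from the .htaccess rule quoted earlier in the thread
HANDLER = "/wordpress/wp-content/plugins/custom-contact/custom-contact-email.php"

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def blind_posts(lines, window=timedelta(minutes=30)):
    """Return (ip, time, referer) for POSTs to HANDLER whose client did not GET
    CONTACT_PAGE within `window` beforehand. The Referer value is reported only
    for inspection: it is set by the client, so it cannot be trusted on its own."""
    last_get = {}  # ip -> time of the most recent GET of the contact page
    flagged = []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "GET" and rec["path"].startswith(CONTACT_PAGE):
            last_get[rec["ip"]] = rec["time"]
        elif rec["method"] == "POST" and rec["path"] == HANDLER:
            seen = last_get.get(rec["ip"])
            if seen is None or rec["time"] - seen > window:
                flagged.append((rec["ip"], rec["time"].isoformat(), rec["referer"]))
    return flagged

# Constructed sample: one human visit (GET then POST) and two blind POSTs from a second
# address, the second of which carries a forged Referer pointing at the contact page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2006:02:15:01 +0000] "GET /wordpress/contact/ HTTP/1.1" 200 5120 "https://www.mysite.com/wordpress/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2006:02:16:40 +0000] "POST /wordpress/wp-content/plugins/custom-contact/custom-contact-email.php HTTP/1.1" 302 0 "https://www.mysite.com/wordpress/contact/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2006:02:30:12 +0000] "POST /wordpress/wp-content/plugins/custom-contact/custom-contact-email.php HTTP/1.1" 200 310 "-" "-"',
    '198.51.100.9 - - [10/Mar/2006:02:30:19 +0000] "POST /wordpress/wp-content/plugins/custom-contact/custom-contact-email.php HTTP/1.1" 200 310 "https://www.mysite.com/wordpress/contact/" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, when, ref in blind_posts(SAMPLE_LOG):
        print(f"blind POST from {ip} at {when} (Referer: {ref})")
```

The second flagged entry carries a perfectly plausible Referer, which is why a Referer-only .htaccess rule lets it through while the "did this client ever load the page" test does not.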
whooami—-
Sorry, I missed your text (I never actually looked) I thought your time zone was behind us and I haven’t had enough caffeine yet. Yes, of course, I will cobble together some raw material. Are you a PC or a MAC person?
—-best wishes, Robert

I sent off 2 emails. What you sent me via email doesn’t match what I posted here.
You missed out on the “quotes” in both lines. I’ve corrected it, and explained how to handle subdomains in my emails..
I’m on a PC, but I am going to sleep quite soon. I did try earlier to access the domains you sent me and all three appeared to be down at the time.
It will be, unfortunately, another 22 or so hours before I can revisit this but we can have it figured out by mid Sat hopefully. That is, if the corrections I sent you via email do not set you on the right track to a solution.
Btw, I am 7 hours behind you — I get home from work about the time you’re having your morning coffee.
Take care!
I’m also going to send you a link to a script that you can use to troubleshoot this. It will send an http_post to one of the sites you mentioned in the emails we’ve swapped, but unfortunately I still can’t access any of the domains to get the correct URL (and nope, it doesn’t need cURL).