churchtown
Forum Replies Created
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
pcmt—-
I’ve shoehorned that stuff into one of my WP sites. Until I possess some sort of test procedure or script I can’t exactly stress test that area. So I just have to rely on the native live stress testers doing what they do best;~| Not noticed any live differences yet but will keep you posted.
—-best wishes, Robert
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
pcmt—-
I would say your link was of cogent interest;~) Though I don’t think it brings anything new to the situation, its presentation of a desirable set of processing tasks that really ought to be carried out is concise.
Bits of what I have already stop these criminals’ objective (other than that of winding me up and similarly occupying a considerable segment of my time and energy) but nothing appears to kill them outright. This ought to be possible and IMHO it’s the best target for everyone else’s peace of mind.
I’m awaiting some sort of troubleshooter’s script from whooami not least for its educational value on the issue. Meanwhile I’ll have a go at incorporating some of the functionality described in your link, thanks!
—-best wishes, Robert
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
whooami—-
Have set up a webshare on my server (usern/passw in email).
PDF (PC/MAC) of my working log sitting in the webshare.
“” noted and amended on live .htaccess files.
My sites should not be down (hardly ever)… you may be on the RBL. At the moment my RBL-adding reflexes are some trigger-happy, there’s a lot of world out there blocked! Privately let me know your working IP so I can keep it live. Look forward to the troubleshooting link, have a good sleep;~)
—-best wishes, Robert
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
whooami—-
Sorry, I missed your text (I never actually looked) I thought your time zone was behind us and I haven’t had enough caffeine yet. Yes, of course, I will cobble together some raw material. Are you a PC or a MAC person?
—-best wishes, Robert
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
whooami:
I feel a little embarrassed, you did say you wanted to work on this later in the week maybe at the weekend;~/
The snippet above was just something I tripped over in my trawling of the net to derive some intelligence about what was, strike that, IS being perpetrated on my WP sites through their contact pages.
I have now tried two iterations of Ryan’s plugin (WP-ContactForm and PXS Mail Form) and am now on my third flavour of contact facility – the Custom Contact Me/Us plugin.
Have seen no difference to the incoming POSTs other than initial breach suffered under Ryan’s early v1.1 which was later plugged with v1.4.3. In case these bots are able to continue to use the other (previously installed) contact form mechanisms I have moved them out of reach of the web.
The Custom Contact Me/Us plugin contains a page access timing element (anti-flood protection?) and I had it set to 30secs. Overnight several POSTs were lodged on the same sites from the same IP that were spaced just a few seconds apart. Perhaps the page access timing element thing isn’t working (I’ve now set it to 180secs). Perhaps the bots just aren’t accessing the pages…
My access logs carry only these POST entries. Perhaps the bots are using a command line entry system that has an internal REFERER element to get around the .htaccess check. Nevertheless the logs are showing no other page accesses than the single POST entries.
The blog sites virtual domains’ .htaccess files carry the precise blocking REFERER check you have suggested and also those of my own. I must point out that these .htaccess clauses are not working;~/
These POSTs continue to be lodged blindly. I call them blindly because it doesn’t seem to matter what flavour of contact page my sites are carrying because they really don’t seem to look at any of my pages. You call it being remotely accessed. Fine, I will happily defer to your experience;~)
I would like to completely arrest these remote access connections to the point where these POST entries don’t even appear in my logs. Three changes of contact page plugin later, with the addition of the REFERER checking .htaccess clause you’ve suggested, I see absolutely no change in what these people and their bots are perpetrating on my WP sites.
In short I have made no progress in this thread at beating the current machinations of these criminals and their nefarious activities on my WP sites’ contact mechanisms.
—-best wishes, Robert
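Added example, not part of the original posts: the log pattern described in the post above (POSTs to the contact form with no fetch of the form page from the same IP, spaced closer than the plugin's 30-second interval) can be checked for mechanically, and it shows up even when the Referer field looks valid. The log lines are constructed, and the `/wordpress/contact/` path and the `blind_posts` helper are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (Apache combined log format); addresses come from the
# documentation ranges and the paths are assumptions, not the poster's logs.
SAMPLE_LOG = '''\
198.51.100.9 - - [10/Feb/2006:09:00:01 +0000] "GET /wordpress/contact/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2006:09:01:40 +0000] "POST /wordpress/contact/ HTTP/1.1" 200 512 "http://blog.example.org/wordpress/contact/" "Mozilla/5.0"
203.0.113.7 - - [11/Feb/2006:02:14:05 +0000] "POST /wordpress/contact/ HTTP/1.1" 200 512 "http://blog.example.org/wordpress/contact/" "-"
203.0.113.7 - - [11/Feb/2006:02:14:09 +0000] "POST /wordpress/contact/ HTTP/1.1" 200 512 "http://blog.example.org/wordpress/contact/" "-"
203.0.113.7 - - [11/Feb/2006:02:14:12 +0000] "POST /wordpress/contact/ HTTP/1.1" 200 512 "http://blog.example.org/wordpress/contact/" "-"
'''

def blind_posts(log_text, form_path, lookback=timedelta(minutes=30),
                flood_gap=timedelta(seconds=30)):
    """Per-IP counts of POSTs to form_path with no GET of the form from the
    same IP within `lookback`, and of POSTs closer together than flood_gap."""
    last_get, last_post = {}, {}
    report = defaultdict(lambda: {"blind": 0, "burst": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["path"].split("?")[0] != form_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if m["method"] == "GET":
            last_get[ip] = ts
        elif m["method"] == "POST":
            seen = last_get.get(ip)
            if seen is None or ts - seen > lookback:
                report[ip]["blind"] += 1   # form page was never fetched first
            prev = last_post.get(ip)
            if prev is not None and ts - prev < flood_gap:
                report[ip]["burst"] += 1   # faster than the flood interval
            last_post[ip] = ts
    return dict(report)

if __name__ == "__main__":
    for ip, counts in blind_posts(SAMPLE_LOG, "/wordpress/contact/").items():
        print(ip, counts)
```

The Referer column plays no part in the check because the client supplies it; only the request sequence per IP is used.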
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
neon: yes…
https://www.ads-software.com/support/topic/61091?replies=23#post-331103
It’s been a long day&night and it’s now 2.40am here… g’night.
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
I’m not talking about comments… everything is fine with comments. Comments have to have their pages, so to speak, accessed and your suggestions work properly for comment pages.
This is all about the contact page area. Unfortunately, as the hackers have found out, their bots do NOT have to actually access the contact page or go anywhere near it. And so all the comment page protections are inappropriate. As they don’t need to go anywhere near the contact page then conventional REFERER protection is equally irrelevant.
I spent an hour or two researching what this might mean.
This might explain a thing or two to a programmer: https://www.faqts.com/knowledge_base/view.phtml/aid/15705/fid/2
<?php
// Send $data as a form-encoded POST to $URL and return the raw response.
function HTTP_Post($URL, $data, $referrer = "") {
    // parsing the given URL
    $URL_Info = parse_url($URL);

    // Building referrer
    if ($referrer == "") // if not given use this script as referrer
        $referrer = $_SERVER["SCRIPT_URI"];

    // making string from $data
    $values = array();
    foreach ($data as $key => $value)
        $values[] = "$key=" . urlencode($value);
    $data_string = implode("&", $values);

    // Find out which port is needed - if not given use standard (=80)
    if (!isset($URL_Info["port"]))
        $URL_Info["port"] = 80;

    // building POST-request (HTTP header lines end in CRLF)
    $request  = "POST " . $URL_Info["path"] . " HTTP/1.1\r\n";
    $request .= "Host: " . $URL_Info["host"] . "\r\n";
    $request .= "Referer: $referrer\r\n";
    $request .= "Content-type: application/x-www-form-urlencoded\r\n";
    $request .= "Content-length: " . strlen($data_string) . "\r\n";
    $request .= "Connection: close\r\n";
    $request .= "\r\n";
    $request .= $data_string;

    $fp = fsockopen($URL_Info["host"], $URL_Info["port"]);
    if (!$fp)
        return false; // connection failed
    fputs($fp, $request);
    $result = "";
    while (!feof($fp)) {
        $result .= fgets($fp, 128);
    }
    fclose($fp);

    return $result;
}

$output1 = HTTP_Post("https://www.server1.com/script1.php", $_POST);
$output2 = HTTP_Post("https://www.server2.com/script2.php", $_POST);
?>
Only thing is it doesn’t tell me how I might stop it;~| It’s late g’night.
—-best wishes, Robert
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
They are NOT accessing the page, so there’s no point in my attempting to stop them accessing the (contact) page.
AFAIK they don’t go anywhere near it or anywhere else on my site(s). They simply slam in a POST command via this http_post thingummy. All the usual WP commenting traps and safety stuff is of no use as *the page is never accessed*. They are just slamming in a blind POST… well, that’s how I see it.
I’ve sleuthed around and the http_post thingummy is nothing specifically to do with WP, it seems it’s PHP stuff in my Apache server that is called upon to perform (possibly by something known as cURL) by http_post via the POST command.
Here are my (largely useless) .htaccess lines (which haven’t stopped my incoming POSTs…)
RewriteCond %{HTTP_REFERER} !^https://.*.mysite.com/wordpress/wp-content/plugins/custom-contact/custom-contact-email.php$ [NC]
RewriteCond %{REQUEST_METHOD} ^POST$
#RewriteCond %{REQUEST_POST} .*.php
RewriteRule .* - [F,L]
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
The perpetrating bots are back;~/
At the moment I have Bad Behaviour offline so I don’t specifically know if it’s the same bunch but, at a guess, it’s the same deviants. The Custom Contact Me/Us plugin is active. I’ve configured it to redirect on success to the home page blindly (OK it’s a bit tough on naive visitors but I’m feeling slightly tough at the moment). As it goes back to the home page when the plugin detects a ‘bad un’ they aren’t getting so much intelligence on each strike wave. Am experimenting with variations on the various .htaccess files.
Would somebody **PLEASE** fill me in on this http_post mechanism that they have been using so effectively these last few weeks;~| Maybe I can cobble together something to blow up in their faces.
—-best wishes, Robert
Forum: Plugins
In reply to: Phpinfo plugin for anyone who is interested
SeanM—-
Now we’re both being slightly misunderstood;~) I ‘should’ be the only user on any of my sites. I want to know if the existence of your information-divulging file is, in ANY fashion, likely to become available remotely. I already have bots at the door (right now) attempting to batter down the defenses with the current injection email exploit vulnerability of WP and/or its plugins [using the http_post process].
—-best wishes, Robert
Forum: Plugins
In reply to: Phpinfo plugin for anyone who is interested
SeanM—-
How sure are you that the information revealed by PHPinfo is available *ONLY* to admin?
—-best wishes, Robert
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
whooami: Appreciated;~)
The Custom Contact Me/Us plugin is still a bit twitchy, which seems to reflect its active development, but has appeared to do its stuff so far. However a bunch of remote POSTs were made overnight while this plugin was in operation. Bad Behavior trapped them as similarly it has been doing for the previous pair of plugins.
Despite my lack of programming experience/knowledge it appears to me that it all might be more to do with how easily the http_post thingummy of WP’s is used/misused rather than the effective security precautions fashioned by any plugin ie WordPress core code?
For my own part I’ve noticed that the perpetrators seem to be getting tired/bored/disinterested or are running out of IPs. Alternatively perhaps they are pretending to be so for some nefarious purpose being cooked up. I am ensuring that they at least are forced to use fresh IPs on each sortie by locking out those IPs used to attack my sites. Have been doing this for some weeks now and if they ever want to put their heads above the parapet I would like to thank them for helping me to populate my own server’s personal RBL, before blowing their heads off.
—-best wishes, Robert
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
coyote: whooami might be busy, she hasn’t yet got in contact. From my own fumblings I have since dropped my use of WP-ContactForm (Ryan seems content to leave blocking to the Bad Behavior plugin); adopted and later dropped my use of the PXS Mail Form which is a WP-ContactForm derivative (the author has not yet responded to either of my entries on his contact blog); and lastly have adopted a seemingly more secure form referenced in another WP thread:
https://www.ads-software.com/support/rss/topic/60629
This *may* be the more secure form to which whooami alludes. I am trying it out at the moment – with and without the Bad Behavior plugin.
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
whooami: intro now in your (love-mail) box;~)
Forum: Plugins
In reply to: password protection [sic] bypassed;-(
whooami: Is there a private messaging (eg member to member) facility here on this forum over which I can pass you the details?