[nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION
Ken Robinson
kenrbnsn at rbnsn.com
Mon Sep 12 23:20:42 EDT 2005
At 12:15 PM 9/12/2005, Michael Southwell wrote:
>I polished this up a bit.
>
>IMPORTANT: Ken's original function did not work in my testing,
>because (1) the \ in \r and \n needed to be escaped, and (2) he had
>the letter O instead of the numeral 0 in the hex numbers. Somebody
>smarter than I am, please check carefully the modified version included below.
I'm curious as to why you think that the \ in \r and \n need to be
escaped? I am really searching for and removing "\n" and "\r"
characters in the string. In my tests this has worked and prevented
the spam tests from getting out. The spambots are still hitting the
one site I've made the modifications on. Their not hitting any of my
other sites (yet) and I have been working on getting the fix into them.
BTW, I've noticed that they putting their malicious code in any
and/or all of the posted variables including "submit".
Another attempt I've seen was where the referer was a file I don't
have. That one was easy to stop.
Ken Robinson
More information about the talk
mailing list