HostOnNet Blog

Auto Signup Attack on phpBB

Today i found server that hosts http://forums.bizhat.com is down.
 
I tried to login with SSH, server was responding, but was very slow.
 
On login in i found server load of 20 to 40 and too many apache process. The one tak take too much CPU is MySQL.
 
I tried to restart the server, but on rebooting, again the CPU usage goes high.
 
I stoped MySQL and start watching the Apache log file and found
 
 
195.225.176.87 – – [26/Jun/2006:17:29:07 +0100] “POST /profile.php?mode=register&agreed;=true&coppa;=true HTTP/1.1” 200 30382 “http://www.google.ru/search?hl=en&q;=free+porno&btnG;=Google+Search” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0;)”
 
There are too many such connections.
 
The problem is fixed by blocking the user with mod_security
 
SecFilterSelective “HTTP_REFERER” “porno”

Posted in Uncategorized. Bookmark the permalink.