Velocity Reviews


Jay Cunnington 09-26-2005 03:53 AM

Message blocker for message board?
 
I'm new to the group. Just joined tonight as a matter of fact.

I'm a nascent security guy (pursuing a Bachelor's in InfoSec) and one of
my favorite web sites has a problem. It's an amateur site (hosted) that
allows readers to post questions and answers on various topics dealing
with the web site's subject (Chicago North Shore & Milwaukee Railroad).

The webmistress has been bombarded lately with a bunch of offensive
messages for phentermine, gay sex, bestiality, etc. It's a pain for her
to go in and remove these things manually, and she really doesn't want
to invoke a registration on the site's users. If you want to see the
extent of the problem, go to www.northshoreline.com before Oct 3, 2005
(she'll be back then and probably cleaning up the mess), hit the Current
Day NSL Topics, then Message Board.

I'm not sure who her host is or what the OS of the server might be or
even how much control she has over the posting script, but I suggested a
while back using a Perl script to scan the postings before they are
added to the board and to delete those that score high on the naughty
words list.

I know Snort can detect the offensive words in the packets if we design
the rules, but can it block the packets? What I'm looking for is a kind
of hands-off system to block the offensive crap, preferably before it
hits the website; almost an IPS. I googled for open source solutions,
but got no useful hits. I'd also be interested to find out if Snort
could look past spoofed IPs to find the real one or how that could be
done in a transparent manner. I figure these are probably bored kids or
posting bots of some sort, and may be using zombied computers. I'd like
to find out if the address is spoofed so we don't get a lot of people
needlessly suspended from their ISPs.

Does anyone have any ideas? Is there a program or utility I can adapt to
suit our purposes? Does Apache come with anything like that? I want to
stop the vermin from polluting one of my favorite sites.

My background is 15 years programming in the mainframe world and
client/server. I know VB but not C. I have been a PerlScript user in the
past.

Imhotep 09-26-2005 04:13 AM

Re: Message blocker for message board?
 
Jay Cunnington wrote:

> I'm new to the group. Just joined tonight as a matter of fact.
>
> I'm a nascent security guy (pursuing a Bachelor's in InfoSec) and one of
> my favorite web sites has a problem. It's an amateur site (hosted) that
> allows readers to post questions and answers on various topics dealing
> with the web site's subject (Chicago North Shore & Milwaukee Railroad).
>
> The webmistress has been bombarded lately with a bunch of offensive
> messages for phentermine, gay sex, bestiality, etc. It's a pain for her
> to go in and remove these things manually, and she really doesn't want
> to invoke a registration on the site's users. If you want to see the
> extent of the problem, go to www.northshoreline.com before Oct 3, 2005
> (she'll be back then and probably cleaning up the mess), hit the Current
> Day NSL Topics, then Message Board.
>
> I'm not sure who her host is or what the OS of the server might be or
> even how much control she has over the posting script, but I suggested a
> while back using a Perl script to scan the postings before they are
> added to the board and to delete those that score high on the naughty
> words list.
>
> I know Snort can detect the offensive words in the packets if we design
> the rules, but can it block the packets? What I'm looking for is a kind
> of hands-off system to block the offensive crap, preferably before it
> hits the website; almost an IPS. I googled for open source solutions,
> but got no useful hits. I'd also be interested to find out if Snort
> could look past spoofed IPs to find the real one or how that could be
> done in a transparent manner. I figure these are probably bored kids or
> posting bots of some sort, and may be using zombied computers. I'd like
> to find out if the address is spoofed so we don't get a lot of people
> needlessly suspended from their ISPs.
>
> Does anyone have any ideas? Is there a program or utility I can adapt to
> suit our purposes? Does Apache come with anything like that? I want to
> stop the vermin from polluting one of my favorite sites.
>
> My background is 15 years programming in the mainframe world and
> client/server. I know VB but not C. I have been a PerlScript user in the
> past.



Wow! Looked at the site and yup, she is being hit pretty hard...

I would suggest the following:

1) Enforce accounts to post on the system
2) Construct a filtering engine that checks each post before it actually
gets posted. Should a post have bad words, the person's account is
automatically suspended.
3) If your web site is regional (i.e. not foreign), I would filter out all
foreign posters.

All of these can be done easily (without Snort) by using a flexible language
like PHP (www.php.net)...

P.S. Using Snort has the following problems. Yes, you could use it to detect
bad postings but that would be after the fact. It would also require some
scripting and probably require a more flexible OS like Linux/FreeBSD. That
being said, you can achieve the same result and more by using #1 and #2
above.

Good luck!
Imhotep
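
A minimal sketch of the pre-post filtering engine suggested in point 2, as an added example that is not code from anyone in this thread. The word weights, the link penalty and the threshold are constructed assumptions; Python stands in for the Perl or PHP the board's own script would use.

```python
import re
import unicodedata

# Constructed weights (assumption); a real board would tune these from its own spam.
WEIGHTS = {"phentermine": 5, "viagra": 5, "casino": 3, "pills": 2, "cheap": 1}
# Undo common character swaps: 0->o 1->i 3->e 4->a 5->s 7->t @->a $->s
LEET = str.maketrans("013457@$", "oieastas")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
LINK_WEIGHT = 2   # assumed penalty per link; spam posts are usually link-heavy
THRESHOLD = 6     # assumed cut-off: reject at or above this score


def normalise(text):
    """Fold case, accents and character swaps so 'PH3NT3RM1NE' still matches."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.lower().translate(LEET)


def score_post(subject, body):
    """Return (score, reasons) for a submission before it is written to the board."""
    raw = f"{subject}\n{body}"
    score, reasons = 0, []
    for word in re.findall(r"[a-z]+", normalise(raw)):
        if word in WEIGHTS:
            score += WEIGHTS[word]
            reasons.append(word)
    links = len(URL_RE.findall(raw))
    if links:
        score += LINK_WEIGHT * links
        reasons.append(f"{links} link(s)")
    return score, reasons


def accept(subject, body):
    """True when the post may be stored; False means drop it or hold it for review."""
    return score_post(subject, body)[0] < THRESHOLD
```

Scoring rather than rejecting on a single hit lets an ordinary post that contains one weak word or one link through, and the returned reasons give the site owner something to review when a post is held.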



Jim Watt 09-26-2005 06:51 AM

Re: Message blocker for message board?
 
On Mon, 26 Sep 2005 03:53:13 GMT, Jay Cunnington
<bounkz6436@sbcglobal.net> wrote:

>The webmistress has been bombarded lately with a bunch of offensive
>messages for phentermine, gay sex, bestiality, etc. It's a pain for her
>to go in and remove these things manually, and she really doesn't want
>to invoke a registration on the site's users. If you want to see the
>extent of the problem, go to www.northshoreline.com before Oct 3, 2005
>(she'll be back then and probably cleaning up the mess), hit the Current
>Day NSL Topics, then Message Board.
>
>I'm not sure who her host is or what the OS of the server might be or
>even how much control she has over the posting script, but I suggested a
>while back using a Perl script to scan the postings before they are
>added to the board and to delete those that score high on the naughty
>words list.


Been there, done that. Contact me by email for further details. I guess
someone has targeted wwwboards and written a script to spam them.

What a strange hobby.
--
Jim Watt
http://www.gibnet.com

Jay Cunnington 09-30-2005 03:52 AM

Re: Message blocker for message board?
 
Imhotep wrote:

> Wow! Looked at the site and yup, she is being hit pretty hard...
>
> I would suggest the following:
>
> 1) Enforce accounts to post on the system
> 2) Construct a filtering engine that checks each post before it actually
> gets posted. Should a post have bad words, the person's account is
> automatically suspended.
> 3) If your web site is regional (i.e. not foreign), I would filter out all
> foreign posters.
>
> All of these can be done easily (without Snort) by using a flexible language
> like PHP (www.php.net)...
>
> P.S. Using Snort has the following problems. Yes, you could use it to detect
> bad postings but that would be after the fact. It would also require some
> scripting and probably require a more flexible OS like Linux/FreeBSD. That
> being said, you can achieve the same result and more by using #1 and #2
> above.


I talked to my prof for Hacking Methods about it. He said it's most
likely a standard script (for Apache?) that bots can hit. He suggested
changing the field names. Then at least someone will have to log on to
the screen to get the current field names, or have another bot harvest
them. Any ideas to proactively counter-attack the counter-attack or
truth to that one?
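
One way to take the field-renaming idea further, as an added example that is not from any poster in this thread: derive the form's field names from a server secret and the current time window so they change on their own, and keep one decoy field that a human never fills in. The secret, the window length, the logical field names and the decoy name are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-random-server-secret"  # placeholder (assumption)
WINDOW = 3600                                  # seconds a rendered form stays valid (assumed)
LOGICAL = ("name", "subject", "body")          # assumed fields of the stock posting script
HONEYPOT = "email"  # decoy input hidden from people with CSS; must come back empty


def field_names(now=None, offset=0):
    """Map each logical field to the opaque name used in the HTML for one window."""
    window = int((time.time() if now is None else now) // WINDOW) - offset
    names = {}
    for logical in LOGICAL:
        mac = hmac.new(SECRET, f"{window}:{logical}".encode(), hashlib.sha256)
        names[logical] = "f_" + mac.hexdigest()[:12]
    return names


def parse_submission(form, now=None):
    """Return the logical fields, or None if the POST did not come from a current form."""
    if form.get(HONEYPOT):
        return None  # the decoy was filled in, which a person would not do
    if any(key in form for key in LOGICAL):
        return None  # stock field names: a script replaying the old form layout
    for offset in (0, 1):  # accept the current window and the one before it
        names = field_names(now, offset)
        if all(n in form for n in names.values()):
            return {logical: form[n] for logical, n in names.items()}
    return None  # names from an expired window, or names never issued
```

This only rejects scripts that replay a fixed form layout; a bot that fetches the live form before each post still gets valid names, so it complements a content filter rather than replacing one.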

Jim Watt 09-30-2005 10:58 AM

Re: Message blocker for message board?
 
On Fri, 30 Sep 2005 03:52:26 GMT, Jay Cunnington
<bounkz6436@sbcglobal.net> wrote:

>Imhotep wrote:
>
>> Wow! Looked at the site and yup, she is being hit pretty hard...
>>
>> I would suggest the following:
>>
>> 1) Enforce accounts to post on the system
>> 2) Construct a filtering engine that checks each post before it actually
>> gets posted. Should a post have bad words, the person's account is
>> automatically suspended.
>> 3) If your web site is regional (i.e. not foreign), I would filter out all
>> foreign posters.
>>
>> All of these can be done easily (without Snort) by using a flexible language
>> like PHP (www.php.net)...
>>
>> P.S. Using Snort has the following problems. Yes, you could use it to detect
>> bad postings but that would be after the fact. It would also require some
>> scripting and probably require a more flexible OS like Linux/FreeBSD. That
>> being said, you can achieve the same result and more by using #1 and #2
>> above.

>
>I talked to my prof for Hacking Methods about it. He said it's most
>likely a standard script (for Apache?) that bots can hit. He suggested
>changing the field names. Then at least someone will have to log on to
>the screen to get the current field names, or have another bot harvest
>them. Any ideas to proactively counter-attack the counter-attack or
>truth to that one?


I have a pretty good solution that works well for me which your
friend can have for free.

mail me at jimwatt (at) pobox (dot) com

Methinks it's a widespread problem and it's being used as a means
of promoting websites and harassing BB users.
--
Jim Watt
http://www.gibnet.com


All times are GMT.