Author Topic: Spambot attack and hits on ONLY details.php  (Read 17953 times)


Offline Tombraider

  • Newbie
  • *
  • Posts: 40
Spambot attack and hits on ONLY details.php
« on: September 25, 2006, 01:52:20 PM »
Hi,
I had some spam comments and spamming of postcards on my web site.  So I have restricted comments and postcards to registered users.
I never looked at AWSTATS in CPANEL before this problem and now I notice that nearly every visitor just goes immediately to a details.php page without ever going through the front page or thumbnail page!  How is this possible?  What are they doing?  Is this the nature of spambots?  My bandwidth consumption is through the roof compared to 3 months ago.

I have looked at the statistics and banned some ip addresses specifically,  but is there any way to prevent these "backdoor" entries?  They don't seem to be legitimate at all.  Some go right to postcards.php also.  Usually the same pictures appear to get these hits over and over again.
This is just a family web site with lame family photos,  BTW.
Thanks in advance.  :roll:

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: Spambot attack and hits on ONLY details.php
« Reply #1 on: September 25, 2006, 03:10:05 PM »
Did you look at the referers of these visitors (the sites they came from)? Or maybe what kind of client they use?
Some of them might come from a search engine page, such as Google... Have you tried searching for something and adding site: yoursite.com to the search field? If the results show a link to a details page, then anyone could possibly find it too...
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline Tombraider

Re: Spambot attack and hits on ONLY details.php
« Reply #2 on: September 25, 2006, 03:36:25 PM »
Hi,
Thanks for the reply.
There are no referrals for these hits. 
No listings in search engines that I found other than for the main page.
I have over 3GBs of bandwidth usage last month and so far this month based 94% on hits to details.php files!  Previous to this,  I had only about 200 MBs of bandwidth per month.

Here's a typical "Last Visitors" entry in CPanel:
[qcode]Host: 204.50.2.51          /Gallery/details.php?image_id=1749&sessionid=3c1c8ac9ce660d6d9a70170c160c4ac9
    Http Code: 200    Date: Sep 24 20:16:57    Http Version: HTTP/1.0    Size in Bytes: 10779
    Referer: http://www.####.com/Gallery/details.php?image_id=1749&sessionid=3c1c8ac9ce660d6d9a70170c1
    Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
   
      
          /Gallery/details.php?image_id=1523&sessionid=35406cf866a8ce9c9e3ebebf6f3ea52c
    Http Code: 200    Date: Sep 24 23:19:05    Http Version: HTTP/1.0    Size in Bytes: 10670
    Referer: http://####.com/Gallery/details.php?image_id=1523&sessionid=35406cf866a8ce9c9e3ebebf6f3ea
    Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

   
   
             /Gallery/details.php?image_id=1713&sessionid=efedff4e42b4ff46927e7e754c61290a
    Http Code: 200    Date: Sep 24 23:21:36    Http Version: HTTP/1.0    Size in Bytes: 10599
    Referer: http://####.com/Gallery/details.php?image_id=1713&sessionid=efedff4e42b4ff46927e7e754c612
    Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

      
   
          /Gallery/details.php?image_id=1640&sessionid=984cd6975970a51049dfb86ba1a146e1
    Http Code: 200    Date: Sep 24 23:29:44    Http Version: HTTP/1.0    Size in Bytes: 10924
    Referer: http://####.com/Gallery/details.php?image_id=1640&sessionid=984cd6975970a51049dfb86ba1a14
    Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

   
   
          /Gallery/details.php?image_id=1637&sessionid=4027ab6aa36d992cd02e01135d9f3c4e
    Http Code: 200    Date: Sep 25 06:31:28    Http Version: HTTP/1.0    Size in Bytes: 10775
    Referer: http://####.com/Gallery/details.php?image_id=1637&sessionid=4027ab6aa36d992cd02e01135d9f3
    Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)

   
      
          /Gallery/details.php?image_id=1871&sessionid=b628fbe6581d19ebce94355d47f15edc
    Http Code: 200    Date: Sep 25 09:26:42    Http Version: HTTP/1.0    Size in Bytes: 10631
    Referer: http://####.com/Gallery/details.php?image_id=1871&sessionid=b628fbe6581d19ebce94355d47f15
    Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)[/qcode]

Offline V@no

Re: Spambot attack and hits on ONLY details.php
« Reply #3 on: September 25, 2006, 04:01:50 PM »
Are they all coming from different IPs?
I'd ban this agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1). An updated Windows XP shows a slightly different agent...

Offline Tombraider

Re: Spambot attack and hits on ONLY details.php
« Reply #4 on: September 25, 2006, 04:17:44 PM »
Yes, they are coming from many different ips.  So many that it's pretty difficult to ban them individually.

How do I ban an agent?  Can I do this in CPanel?

Many thanks for your help.

Never mind, I found out how to insert this into .htaccess.

Is this too draconian?  Will very many people be excluded?  I've already banned all the users in Kiev,  Russia.  :-)

Uh,oh, spoke too soon... I put this into .htaccess and it seems to not have worked:
[qcode]RewriteCond %{HTTP_USER_AGENT} Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)[/qcode]

WAIT A MINUTE,  this bans everyone using Internet Explorer, including myself!  I had to remove it.

Is there some other way?
« Last Edit: September 25, 2006, 04:57:49 PM by Tombraider »

Offline V@no

Re: Spambot attack and hits on ONLY details.php
« Reply #5 on: September 26, 2006, 01:36:06 AM »
Try:
[qcode]RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)$[/qcode]

Offline Tombraider

Re: Spambot attack and hits on ONLY details.php
« Reply #6 on: September 26, 2006, 04:16:09 PM »
Thanks again for your help.  But the insertion of that code into my .htaccess caused the web site to cease working entirely for even Opera (which is what I mainly use).

I discovered in my CPanel stats that I probably have 600 legitimate users and about 2700 visitors who are spammers!  The spammers continue to come in ONLY through "details.php" and go to 8-10 pictures through details.php that are not even in the same category.  They are pictures which have no labels or image names on them either so that they would not be listed in a search engine under "daylily images" or something.  And in fact these thousands of spam visitors go to the very same images most of the time but in different order.  They now are doing things like trying to register or "lost password" since I shut a lot of them out by having comments and postcards for registered users only and no new registered users.
So all their hits are still causing my bandwidth to go through the roof.
Any code I could put somewhere to have people be unable to go to details.php directly but HAVE to go through the home page FIRST? 
Of course,  I noticed one spammer has dropped out and maybe the rest will eventually drop out now that they can't post their spam comments or send spam postcards anymore.  Luckily I had post comments turned off for most of my pictures too or I guess it would be a lot worse.
Below is an abbreviated example from someone whose ip address I blocked...that's why the zero bytes but these are still taking up bandwidth through the hits even though he is getting an error page.

[qcode]Host: 216.32.84.59          /Gallery/details.php?image_id=1713&sessionid=efedff4e42b4ff46927e7e754c61290a
    Http Code: 403    Date: Sep 25 21:10:02    Http Version: HTTP/1.0    Size in Bytes: -
    Referer: http://####.com/Gallery/details.php?image_id=1713&sessionid=efedff4e42b4ff46927e7e754c612
    Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

   
   
   
          /Gallery/details.php?image_id=1598&sessionid=6df96b4c1295e5d2fdc3ff5e0a26fed9
    Http Code: 403    Date: Sep 25 22:07:30    Http Version: HTTP/1.0    Size in Bytes: -
    Referer: http://####.com/Gallery/details.php?image_id=1598&sessionid=6df96b4c1295e5d2fdc3ff5e0a26f
    Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

   
   
   
          /Gallery/details.php?image_id=1517&sessionid=7dc59abf6401cb17b8df0e5f656e09cf
    Http Code: 403    Date: Sep 25 22:32:09    Http Version: HTTP/1.0    Size in Bytes: -
    Referer: http://####.com/Gallery/details.php?image_id=1517&sessionid=7dc59abf6401cb17b8df0e5f656e0
    Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)[/qcode]

Offline V@no

Re: Spambot attack and hits on ONLY details.php
« Reply #7 on: September 27, 2006, 12:57:37 AM »
Well... it's possible to redirect to index.php if there is no referer and a new session is created when details.php is accessed...
In includes/sessions.php find:
[qcode]    if (!$this->load_session_info()) {[/qcode]
Insert below:
[qcode]      global $self_url;
      if (@strpos($_SERVER['HTTP_REFERER'], $_SERVER['SERVER_NAME']) === false && strpos($self_url, "details.php") !== false)
      {
        redirect(ROOT_PATH."index.php");
      }[/qcode]
Assuming you are using v1.7.2 or newer; otherwise replace
[qcode]        redirect(ROOT_PATH."index.php");[/qcode]
with:
[qcode]        header("location: ".ROOT_PATH."index.php");
        exit;[/qcode]

P.S. This is not tested, might not work...
To test it, block cookies and try to access the details page directly, then from the home page.

Offline Tombraider

Re: Spambot attack and hits on ONLY details.php
« Reply #8 on: September 27, 2006, 03:53:32 PM »
I'm using 1.7.1, but found the first example you gave in the sessions.php, not the second.  When I replaced the code with the other code and disabled cookies, I got the error below.
I think I will quit for now.  It looks like I have reduced the traffic to about one third of what it was before by blocking a number of ip addresses and so I think I will leave it at that for now.  Presumably,  these people will stop hitting my site once they discover they can no longer post any comments or send any postcards.

[qcode]global $self_url;
      if (@strpos($_SERVER['HTTP_REFERER'], $_SERVER['SERVER_NAME']) === false && strpos($self_url, "details.php") !== false)
      {
        redirect(ROOT_PATH."index.php");
      }[/qcode]

I sure appreciate your taking the time to help me on this problem.  Thanks again.  :mrgreen:

Offline V@no

Re: Spambot attack and hits on ONLY details.php
« Reply #9 on: September 28, 2006, 03:06:09 AM »
I didn't post two examples... What I said was that if your 4images version is below 1.7.2 then you'll need to do an additional replacement in the new code.

Offline Tombraider

Re: Spambot attack and hits on ONLY details.php
« Reply #10 on: September 28, 2006, 03:53:52 PM »
Ivan,

Some of those are the same ones I have been getting.

I have 195.175.37.8  specifically blocked and he stopped coming around.  Some of the others that I have blocked don't drop out but continue to "hit" on my web site.  It's a good thing I have a hosting service that gives me like 10 GBs/month bandwidth!

Tombraider

Offline Tombraider

Re: Spambot attack and hits on ONLY details.php
« Reply #11 on: September 29, 2006, 02:06:09 AM »
Ivan,
I have noticed that my spambot people have changed their tactics and now are putting a fake web site as a referral.  Supposedly,  this gives those sites a boost in rankings on search engines???  So even though they are getting a 403 page because their ip address is banned they put their referral ad in there.  I blocked the hotel and insurance referrals by adding these lines to my .htaccess:

[qcode]RewriteCond %{HTTP_REFERER} (hotel) [NC,OR]
RewriteCond %{HTTP_REFERER} (insurance) [NC,OR][/qcode]

I hope that works...I just found the code on the internet...I really don't know what I'm doing.
This is a typical visit with the hotel referrals:

[qcode]Host: 84.16.251.78          /Gallery/details.php?image_id=1749&sessionid=3c1c8ac9ce660d6d9a70170c160c4ac9
     Http Code: 200    Date: Sep 28 10:01:42    Http Version: HTTP/1.0    Size in Bytes: 10779
     Referer: http://www.####.com/Gallery/details.php?image_id=1749&sessionid=3c1c8ac9ce660d6d9a70170c1
     Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
 
    
    
    
           /Gallery/details.php?image_id=1859&sessionid=b628fbe6581d19ebce94355d47f15edc
     Http Code: 200    Date: Sep 28 13:52:27    Http Version: HTTP/1.0    Size in Bytes: 10671
     Referer: http://reno-hotels.hotel-4vacation.com/
     Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1)
 
    
    
    
           /Gallery/details.php?image_id=1935&sessionid=ab5d49cc2b660411dd7fab00a1be59f1
     Http Code: 200    Date: Sep 28 14:27:43    Http Version: HTTP/1.0    Size in Bytes: 10612
     Referer: http://fort-lauderdale-hotels.hollinscollegehotels.com/
     Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
 
    
    
    
           /Gallery/details.php?image_id=1868&sessionid=b628fbe6581d19ebce94355d47f15edc&sessionid=b628fbe6581d19ebce9435
     Http Code: 200    Date: Sep 28 14:59:31    Http Version: HTTP/1.0    Size in Bytes: 10592
     Referer: http://chicago-hotel.hotel-4us.com/
     Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; NetCaptor 6.5.0RC1)[/qcode]
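
The pattern visible in the log excerpts in this thread (details.php requested directly, a referer that is either the requested page itself or an unrelated site, and the same sessionid value arriving from different hosts) can be checked mechanically. The following Python is an added example, not code from the thread or from 4images; the sample log is constructed in the same "Last Visitors" layout, and `SITE_HOSTS`, the example.com names and the reason labels are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SITE_HOSTS = {"www.example.com", "example.com"}  # assumption: placeholder for the gallery's own names
# Constructed sample in the thread's "Last Visitors" layout; Http Code/Agent lines are omitted.
SAMPLE = """\
Host: 192.0.2.10    /Gallery/details.php?image_id=1749&sessionid=aaaa1111
    Referer: http://www.example.com/Gallery/details.php?image_id=1749&sessionid=aaaa1
          /Gallery/details.php?image_id=1523&sessionid=bbbb2222
    Referer: http://reno-hotels.example.net/
Host: 198.51.100.7    /Gallery/details.php?image_id=1749&sessionid=aaaa1111
    Referer: http://www.example.com/Gallery/details.php?image_id=1749&sessionid=aaaa1
Host: 203.0.113.5    /Gallery/details.php?image_id=1640&sessionid=cccc3333
    Referer: http://www.example.com/Gallery/categories.php?cat_id=4
"""
REQ = re.compile(r"^(?:Host:\s*(?P<host>\S+))?\s+(?P<url>/\S+)\s*$")

def parse(text):
    """One dict per request; a blank Host column repeats the previous host."""
    host, entries = None, []
    for line in text.splitlines():
        if m := REQ.match(line):
            host, url = m.group("host") or host, m.group("url")
            sid = parse_qs(urlsplit(url).query).get("sessionid", [None])[0]
            entries.append({"host": host, "url": url, "sid": sid, "referer": ""})
        elif entries and (r := re.match(r"\s*Referer:\s*(\S+)", line)):
            entries[-1]["referer"] = r.group(1)
    return entries

def referer_class(e):  # 'none', 'offsite', 'self' (referer is the requested page) or 'onsite'
    ref = urlsplit(e["referer"])
    if ref.hostname not in SITE_HOSTS:
        return "offsite" if ref.hostname else "none"
    own = ref.query and e["url"].startswith(ref.path + "?" + ref.query)
    return "self" if own else "onsite"

def flag(entries):  # map host -> reasons its details.php requests look automated
    hits = [e for e in entries if urlsplit(e["url"]).path.endswith("/details.php")]
    seen = defaultdict(set)  # sessionid -> hosts that presented it
    for e in hits:
        seen[e["sid"]].add(e["host"])
    reasons = defaultdict(set)
    for e in hits:
        if (kind := referer_class(e)) != "onsite":
            reasons[e["host"]].add(kind + "-referer")
        if e["sid"] and len(seen[e["sid"]]) > 1:
            reasons[e["host"]].add("shared-sessionid")
    return dict(reasons)
```

A missing or off-site referer on its own also matches bookmarks and privacy proxies, so treat it as a triage signal; a session ID presented by several hosts is the stronger indicator.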