[Koha] Spam in logs

Chris Cormack chris at bigballofwax.co.nz
Fri Jun 27 08:37:41 NZST 2008


* James Weinheimer (j.weinheimer at aur.edu) wrote:
> All,
> 
> I am working with Koha 2.2.7 (trying to get 3 going!) and I have had
> problems with the computer crashing lately. (It's on a poor machine) But in
> my kohalogs, I have found some spam such as:
> 
> [Wed Jun 25 06:49:57 2008] [error] [client 91.151.224.21] Q2 : select
> distinct m1.bibid from biblio,biblioitems,marc_biblio,marc_word as
> m1,marc_subfield_table as m2,marc_subfield_table as m3,marc_subfield_table
> as m4,marc_subfield_table as m5,marc_subfield_table as
> m6,marc_subfield_table as m7,marc_subfield_table as m8,marc_subfield_table
> as m9 where biblio.biblionumber=marc_biblio.biblionumber and
> biblio.biblionumber=biblioitems.biblionumber and m1.bibid=marc_biblio.bibid
> and (m1.bibid=m2.bibid and m1.bibid=m3.bibid and m1.bibid=m4.bibid and
> m1.bibid=m5.bibid and m1.bibid=m6.bibid and m1.bibid=m7.bibid and
> m1.bibid=m8.bibid and m1.bibid=m9.bibid) and ((m1.word  like 'RESM')
> (m2.subfieldvalue  'RES') (m3.subfieldvalue
> 'http://freedeliverypillz.bravehost.com/freedeliverypillz.html free delivery
> pillz\\r\\n<a
> href=\\"http://freedeliverypillz.bravehost.com/freedeliverypillz.html\\">fre
> e delivery 
> 
> This URL is repeated lots of times in the same error message, and afterwards
> the system does a separate search for each url in my catalog, and eventually
> crashes the machine.
> 
> [Wed Jun 25 06:49:57 2008] [error] [client 91.151.224.21]
> eliverypillz.bravehost.com/freedeliverypillz.html]free delivery pillz[/url]
> http://freedeliverypillz.bravehost.com/freedeliverypillz.html free delivery
> pillz\r, referer: http://www.galileo.aur.it/cgi-bin/koha/opac-search.pl
> 
> This has happened with different URLs, some much more rude than this one!
> 
> 1) how is this insinuating itself into search m3.subfieldvalue, and 

It's probably a spam bot. It will try to submit URLs to any page with a form on it; basically it's trying to do comment spam.
Since the arrival of blogs, forums, etc. (anything with a place you can leave comments), there are thousands of programs that romp around the internet trying to submit spam into any form they can find.
It's just something using the search form and putting URLs in the search box instead of a valid term.

> 2) how do I deal with it? Just through the apache server with mod_security? 
> 
I'd check the access logs, and blacklist the IP number in my firewall.

> Do I have to worry about somebody messing up my database?
> 
Nope, since we are using DBI placeholders, it's escaping any dangerous characters before we pass it to the database.

Hope this helps

Chris
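
The log check suggested in the reply, sketched as an added example (not part of the original message and not Koha code): it reads Apache error-log lines in the format quoted above and counts, per client, the entries whose logged search text carries link-spam markers, giving a short list of addresses to review before blocking. The log lines, the documentation-range IP addresses and the names `spam_clients` and `SAMPLE_LOG` are constructed for illustration.

```python
import re
from collections import Counter

# Error-log prefix as quoted in the post: [date] [level] [client IP] message
LINE_RE = re.compile(r"^\[[^\]]+\] \[\w+\] \[client (?P<ip>[0-9a-fA-F.:]+)\] (?P<msg>.*)$")
# Comment-spam markers inside a search term: bare URLs, HTML anchors, BBCode links
SPAM_RE = re.compile(r"https?://|<a\s+href|\[/?url", re.IGNORECASE)
# Apache appends the referer (the site's own search page); it is a URL too,
# so strip it first or every logged error would look like spam.
REFERER_RE = re.compile(r", referer: \S+\s*$")

# Constructed sample lines modelled on the entries quoted in the post.
SAMPLE_LOG = r"""
[Wed Jun 25 06:49:57 2008] [error] [client 203.0.113.21] Q2 : select distinct m1.bibid from biblio where (m3.subfieldvalue 'http://spam.example/pills.html free pills\\r\\n<a href=\\"http://spam.example/pills.html\\">free pills
[Wed Jun 25 06:49:57 2008] [error] [client 203.0.113.21] spam.example/pills.html]free pills[/url] http://spam.example/pills.html free pills\r, referer: http://opac.example/cgi-bin/koha/opac-search.pl
[Wed Jun 25 06:50:02 2008] [error] [client 203.0.113.21] [url=http://spam.example/other.html]other[/url], referer: http://opac.example/cgi-bin/koha/opac-search.pl
[Wed Jun 25 07:10:11 2008] [error] [client 198.51.100.7] Use of uninitialized value in string at opac-search.pl line 120., referer: http://opac.example/cgi-bin/koha/opac-main.pl
[Wed Jun 25 07:12:40 2008] [notice] caught SIGTERM, shutting down
"""

def spam_clients(lines, threshold=2):
    """Return {ip: count} for clients with at least `threshold` spam-looking entries."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # entries without a [client ...] field, blank lines
        logged_text = REFERER_RE.sub("", m.group("msg"))
        if SPAM_RE.search(logged_text):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(spam_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}\t{n} spam-like search entries")
```

The threshold keeps a single odd search from putting a real patron on the block list; the output is a list to review, not to feed straight into the firewall.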

