[Koha] Spam in logs
James Weinheimer
j.weinheimer at aur.edu
Sat Jun 28 01:35:55 NZST 2008
Thanks a million to Chris and Ken for their remarks.
I'll just blacklist the ip numbers and keep an eye out.
And I'm relieved to know that I don't have to worry about the database!
Thanks again,
Jim
James Weinheimer j.weinheimer at aur.edu
Director of Library and Information Services
The American University of Rome
via Pietro Roselli, 4
00153 Rome, Italy
voice- 011 39 06 58330919 ext. 327
fax-011 39 06 58330992
> -----Original Message-----
> From: Chris Cormack [mailto:chris at bigballofwax.co.nz]
> Sent: Thursday, June 26, 2008 10:38 PM
> To: James Weinheimer
> Cc: koha at lists.katipo.co.nz
> Subject: Re: [Koha] Spam in logs
>
> * James Weinheimer (j.weinheimer at aur.edu) wrote:
> > All,
> >
> > I am working with Koha 2.2.7 (trying to get 3 going!) and I have had
> > problems with the computer crashing lately. (It's on a poor machine)
> > But in my kohalogs, I have found some spam such as:
> >
> > [Wed Jun 25 06:49:57 2008] [error] [client 91.151.224.21]
> Q2 : select
> > distinct m1.bibid from biblio,biblioitems,marc_biblio,marc_word as
> > m1,marc_subfield_table as m2,marc_subfield_table as
> > m3,marc_subfield_table as m4,marc_subfield_table as
> > m5,marc_subfield_table as m6,marc_subfield_table as
> > m7,marc_subfield_table as m8,marc_subfield_table as m9 where
> > biblio.biblionumber=marc_biblio.biblionumber and
> > biblio.biblionumber=biblioitems.biblionumber and
> > m1.bibid=marc_biblio.bibid and (m1.bibid=m2.bibid and
> > m1.bibid=m3.bibid and m1.bibid=m4.bibid and m1.bibid=m5.bibid and
> > m1.bibid=m6.bibid and m1.bibid=m7.bibid and m1.bibid=m8.bibid and
> > m1.bibid=m9.bibid) and ((m1.word like 'RESM') (m2.subfieldvalue
> > 'RES') (m3.subfieldvalue
> > 'http://freedeliverypillz.bravehost.com/freedeliverypillz.html free
> > delivery pillz\\r\\n<a
> >
> href=\\"http://freedeliverypillz.bravehost.com/freedeliverypillz.html\
> > \">fre
> > e delivery
> >
> > This URL is repeated lots of times in the same error message, and
> > afterwards the system does a separate search for each url in my
> > catalog, and eventually crashes the machine.
> >
> > [Wed Jun 25 06:49:57 2008] [error] [client 91.151.224.21]
> > eliverypillz.bravehost.com/freedeliverypillz.html]free delivery
> > pillz[/url]
> > http://freedeliverypillz.bravehost.com/freedeliverypillz.html free
> > delivery pillz\r, referer:
> > http://www.galileo.aur.it/cgi-bin/koha/opac-search.pl
> >
> > This has happened with different URLs, some much more rude than this one!
> >
> > 1) how is this insinuating itself into search m3.subfieldvalue, and
>
> It's probably a spam bot. Any page with a form on it will try
> to submit URLs; basically it's trying to do comment spam.
> Since the arrival of blogs/forums etc., anything with a place
> you can leave comments, there are thousands of programs that
> romp around the internet trying to submit spam into any form
> they can find.
> It's just something using the search form and putting URLs in
> the search box instead of a valid term.
>
> > 2) how do I deal with it? Just through the apache server with mod_security?
> >
> I'd check the access logs, and blacklist the IP number in my firewall.
>
> > Do I have to worry about somebody messing up my database?
> >
> Nope, since we are using DBI placeholders, it's escaping any
> dangerous characters before we pass it to the database.
>
> Hope this helps
>
> Chris
>
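
The log check suggested in the thread (find the clients submitting links through the search form, then blacklist them) can be scripted against error-log lines in the format quoted above. This is an added example, not part of the original messages or of Koha; the sample log lines, addresses and hostnames are constructed, and `spam_clients` and its `threshold` parameter are hypothetical names.

```python
import re
from collections import Counter

# Prefix of the Apache error-log lines quoted in the thread:
# [Wed Jun 25 06:49:57 2008] [error] [client 91.151.224.21] <message>
LINE_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$")
# The trailing referer is the site's own search page, not submitted text,
# so it is removed before looking for links.
REFERER_RE = re.compile(r",\s*referer:\s*\S+\s*$")
# Link-spam markers: bare URLs, HTML anchors, BBCode [url] tags.
SPAM_RE = re.compile(r"https?://|<a\s+href|\[/?url", re.IGNORECASE)

# Constructed sample lines (documentation addresses, example hostnames).
SAMPLE_LOG = [
    "[Wed Jun 25 06:49:57 2008] [error] [client 192.0.2.10] Q2 : select distinct "
    "m1.bibid from marc_word as m1 where ((m1.word like 'RESM') "
    "(m3.subfieldvalue 'http://spam.example/pills.html free pills <a href=",
    "[Wed Jun 25 06:49:57 2008] [error] [client 192.0.2.10] "
    "[url=http://spam.example/pills.html]free pills[/url], "
    "referer: http://opac.example/cgi-bin/koha/opac-search.pl",
    "[Wed Jun 25 07:02:11 2008] [error] [client 198.51.100.7] Q2 : select distinct "
    "m1.bibid from marc_word as m1 where (m1.word like 'ROME%'), "
    "referer: http://opac.example/cgi-bin/koha/opac-search.pl",
    "[Wed Jun 25 07:05:40 2008] [error] [client 203.0.113.5] "
    "http://other.example/ one-off link, "
    "referer: http://opac.example/cgi-bin/koha/opac-search.pl",
]


def spam_clients(lines, threshold=2):
    """Return {client_ip: hits} for clients with >= threshold link-bearing lines."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # continuation line or a different log format
        msg = REFERER_RE.sub("", m.group("msg"))
        if SPAM_RE.search(msg):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(spam_clients(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} link-bearing error lines")
```

An ordinary search error from 198.51.100.7 is not flagged, because its only URL is the referer; the single hit from 203.0.113.5 stays below the default threshold.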