I have a Mambo website where we've set up an online ticket buying system through PayPal.
Over the weekend I noticed various attempts from computers around the world (everywhere from Japan to Yugoslavia) attempting to spontaneously post information to our web pages and being denied with a 403 (forbidden) response from Apache. Here's an example of the log entries:
220.127.116.11 - - [15/Apr/2006:07:25:24 -0400] "POST /tickets/step2.php HTTP/1.1" 403 445 "http://www.mywebsite.com/
18.104.22.168 - - [15/Apr/2006:07:25:25 -0400] "POST /en/index.php HTTP/1.1" 403 445 "http://www.mywebsite.com/
I'm a little worried about these attacks and have a few questions if you're familiar with this type of attack:
- Why is Apache causing a 403 (forbidden) on that page? Obviously it doesn't like something in the POST parameters, but my log doesn't show me what was posted. There's nothing in my PHP code that causes a 403. What is going on in Apache?
- If a 403 is triggered by Apache, am I safe? Or is there an exploit that actually USES a 403 message to its advantage?
- What the heck are these people trying to do anyway? What's the vulnerability they're looking for?
Any light on this would be appreciated.