
Someone is trying a POST attack and getting 403 (forbidden) responses. What is this all about?

I have a Mambo website where we've set up an online ticket buying system through PayPal.

Over the weekend I noticed various attempts from computers around the world (everywhere from Japan to Yugoslavia) attempting to spontaneously post information to our web pages and being denied with a 403 (forbidden) response from Apache. Here's an example of the log entries:

200.118.2.218 - - [15/Apr/2006:07:25:24 -0400] "POST /tickets/step2.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"
200.118.2.218 - - [15/Apr/2006:07:25:25 -0400] "POST /en/index.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"

I'm a little worried about these attacks and have a few questions if you're familiar with this type of attack:

-  Why is Apache causing a 403 (forbidden) on that page?  Obviously it doesn't like something in the POST parameters but my log doesn't show me what was posted.  There's nothing in my PHP code that causes a 403.  What is going on in Apache?

-  If a 403 is triggered by Apache, am I safe?  Or is there an exploit that actually USES a 403 message to its advantage?

-  What the heck are these people trying to do anyway?  What's the vulnerability they're looking for?

Any light on this would be appreciated.
Asked by: scooter126ca

2 Solutions

m1tk4 Commented:

1) It could be a number of reasons, starting from the POST request size to Allow/Deny settings in Apache config.

2) Not necessarily, you need to find what triggered a 403. You can't really use a 403 to your advantage except in finding out what kind of application is there.

3) If these are actual files on your server I would say they may be looking for a buffer overflow if they post very long content. If these files belong to some widely available PHP application you might want to look for specific security issues in this application that were published/patched recently.

sleep_furiously Commented:
There are a number of POST vulnerabilities that have been fixed, but people may still be looking for servers with outdated software.

The most likely one:

http://www.us-cert.gov/federal/archive/advisories/FA-2002-21.html






Question has a verified solution.
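
A way to start on "find what triggered a 403" from the access log alone, as an added example that is not part of the original thread: it parses Apache combined-format lines like the two quoted in the question and groups denied POSTs by client. The function name `denied_posts`, the regex, and the sample lines after the first two are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The first two lines are the entries quoted in the question;
# the remaining lines are constructed for this example.
SAMPLE_LOG = '''\
200.118.2.218 - - [15/Apr/2006:07:25:24 -0400] "POST /tickets/step2.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"
200.118.2.218 - - [15/Apr/2006:07:25:25 -0400] "POST /en/index.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"
192.0.2.10 - - [15/Apr/2006:07:26:01 -0400] "GET /tickets/step1.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Apr/2006:07:26:40 -0400] "POST /tickets/step2.php HTTP/1.1" 200 2210 "http://www.mywebsite.com/tickets/step1.php" "Mozilla/5.0"
this line is malformed and must be skipped
'''

def denied_posts(log_text):
    """Group POST requests answered with 403 by client address."""
    report = defaultdict(lambda: {"count": 0, "paths": set(), "no_agent": 0,
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "403":
            continue
        entry = report[m["host"]]
        entry["count"] += 1
        entry["paths"].add(m["path"])
        # Apache logs "-" when the client sent no User-Agent header,
        # which ordinary browsers do not do.
        if m["agent"] in ("", "-"):
            entry["no_agent"] += 1
        entry["first"] = entry["first"] or m["time"]
        entry["last"] = m["time"]
    return dict(report)

if __name__ == "__main__":
    for host, e in denied_posts(SAMPLE_LOG).items():
        print(f'{host}: {e["count"]} denied POSTs, {e["no_agent"]} without '
              f'User-Agent, {e["first"]} .. {e["last"]}, paths={sorted(e["paths"])}')
```

The access log records only the status code; the reason Apache refused a request is written to the error log, so look up the same client address and timestamp there.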
