Someone is trying a POST attack and getting 403 (forbidden) responses. What is this all about?

I have a Mambo website where we've set up an online ticket buying system throught PayPal.

Over the weekend I noticed various attempts from computers around the world (everywhere from Japan to Yugoslavia) attempting to spontaneously post information to our web pages and being denied with  a 403 (forbidden) response froom Apache.  Here's an example of the log entries:

200.118.2.218 - - [15/Apr/2006:07:25:24 -0400] "POST /tickets/step2.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"
200.118.2.218 - - [15/Apr/2006:07:25:25 -0400] "POST /en/index.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"

I'm a little worried about these attacks and have a few questions if you're familiar with this type of attack:

-  Why is Apache causing a 403 (forbidden) on that page?  Obviously it doesn't like something in the POST parameters but my log doesn't show me what was posted.  There's nothing in my PHP code that's causes a 403.  What is going on in Apache?

-  If a 403 is triggered by Apache, am I safe?  Or is there an exploit that actually USES a 403 message to its advantage?

-  What the heck are these people trying to do anyway?  What's the vulnerability they're looking for?

Any light on this would be appreciated.
scooter126caAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

m1tk4Commented:

1) It could be number of reasons, starting from the POST request size to Allow/Deny settings in Apache config.

2) Not necessarily, you need to find what triggered a 403. You can't really use a 403 to your advantage except in finding out what kind of application is there.

3) If these are actual files on your server I would say they may be looking for a buffer overflow if they post a very long content. If these file belong to some widely available PHP application you might want to look for specific security issues in this application that were published/patched recently.
sleep_furiouslyCommented:
There are a number of POST vulnerabilities that have been fixed, but people may still be looking for servers with outdated software.

The most likely one:

http://www.us-cert.gov/federal/archive/advisories/FA-2002-21.html






Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.