Solved

Someone is trying a POST attack and getting 403 (forbidden) responses.  What is this all about?

Posted on 2006-04-18
Last Modified: 2010-03-04
I have a Mambo website where we've set up an online ticket buying system through PayPal.

Over the weekend I noticed various attempts from computers around the world (everywhere from Japan to Yugoslavia) attempting to spontaneously post information to our web pages and being denied with a 403 (forbidden) response from Apache. Here's an example of the log entries:

200.118.2.218 - - [15/Apr/2006:07:25:24 -0400] "POST /tickets/step2.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"
200.118.2.218 - - [15/Apr/2006:07:25:25 -0400] "POST /en/index.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"

I'm a little worried about these attacks and have a few questions if you're familiar with this type of attack:

-  Why is Apache causing a 403 (forbidden) on that page?  Obviously it doesn't like something in the POST parameters but my log doesn't show me what was posted.  There's nothing in my PHP code that causes a 403.  What is going on in Apache?

-  If a 403 is triggered by Apache, am I safe?  Or is there an exploit that actually USES a 403 message to its advantage?

-  What the heck are these people trying to do anyway?  What's the vulnerability they're looking for?

Any light on this would be appreciated.
Question by:scooter126ca

Assisted Solution

by:m1tk4
m1tk4 earned 500 total points
ID: 16480049

1) It could be a number of reasons, starting from the POST request size to Allow/Deny settings in Apache config.

2) Not necessarily, you need to find what triggered a 403. You can't really use a 403 to your advantage except in finding out what kind of application is there.

3) If these are actual files on your server I would say they may be looking for a buffer overflow if they post a very long content. If these files belong to some widely available PHP application you might want to look for specific security issues in this application that were published/patched recently.

Accepted Solution

by:sleep_furiously
sleep_furiously earned 500 total points
ID: 16490681
There are a number of POST vulnerabilities that have been fixed, but people may still be looking for servers with outdated software.

The most likely one:

http://www.us-cert.gov/federal/archive/advisories/FA-2002-21.html
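
Added example, not part of the original thread: a triage of the access-log lines quoted in the question. It groups 403-answered POSTs by client and notes whether the same path answered 200 to a POST from someone else, which would mean the path is not blanket-denied. The function name and the last two sample log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the lines quoted in the question.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# First two lines are from the question; the last two are constructed.
SAMPLE_LOG = """\
200.118.2.218 - - [15/Apr/2006:07:25:24 -0400] "POST /tickets/step2.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"
200.118.2.218 - - [15/Apr/2006:07:25:25 -0400] "POST /en/index.php HTTP/1.1" 403 445 "http://www.mywebsite.com/" "-"
192.0.2.10 - - [15/Apr/2006:07:30:02 -0400] "POST /tickets/step2.php HTTP/1.1" 200 5120 "http://www.mywebsite.com/tickets/step1.php" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2006:08:01:10 -0400] "GET /en/index.php HTTP/1.1" 200 8042 "-" "Mozilla/5.0"
"""

def triage_denied_posts(log_text):
    """Per-client summary of POSTs answered 403, plus which of those paths
    answered 200 to some other POST (so the path itself is not denied)."""
    denied = defaultdict(lambda: {"paths": set(), "blank_agent": 0, "times": []})
    post_ok_paths = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line or not a POST
        if m["status"] == "200":
            post_ok_paths.add(m["path"])
        elif m["status"] == "403":
            d = denied[m["ip"]]
            d["paths"].add(m["path"])
            d["blank_agent"] += m["agent"] in ("", "-")  # no User-Agent sent
            d["times"].append(m["ts"])
    return {
        ip: {
            "count": len(d["times"]),
            "paths": sorted(d["paths"]),
            "blank_agent": d["blank_agent"],
            "first": d["times"][0],   # timestamps to look up in the error log
            "last": d["times"][-1],
            "paths_ok_for_others": sorted(d["paths"] & post_ok_paths),
        }
        for ip, d in denied.items()
    }

if __name__ == "__main__":
    for ip, summary in triage_denied_posts(SAMPLE_LOG).items():
        print(ip, summary)
```

The `first` and `last` timestamps are the ones to match against Apache's error log, where the server normally records why it refused a request.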





