Gunk in submission form: spam or virus?
gorgewarehouse
07-08-2009, 03:16 AM
I have received three form submissions on my website with random gunk in them. The first one was in March. Shortly after, I noticed a mysterious iframe in all .htm, .html and .php files. (Needless to say, Google wasn't too happy about that.) I also noticed that all occurrences of the letters t, o and e were converted to lowercase, regardless of word placement or initial case.
After the March occurrence, I changed the .htaccess file. After the second occurrence last week, I blocked an IP block (###.###.###.all). What should the chmod be set to?
I leeched and customized the Yahoo! submission script and I'm a PHP noob. TIA.
sjlplat
07-08-2009, 09:18 AM
Sounds like you experienced an XSS exploit. What are your forms used for?
gorgewarehouse
07-09-2009, 01:09 AM
Thank you very much for replying. I guess more background info would have been useful. I run a site (www.gorgewarehouse.com) that's basically a project dump that I occasionally use. My latest project is an import company. I recently added some irrelevant, unlinked add-on domains (still in alpha testing) that aren't affected, despite using similar code.
Something odd that I just noticed: when I checked the raw logs for the last two attempts, the suspect IP only loaded .htm and the one submission .php file, roughly in 1-second intervals. No .jpg, no favicon.ico, no .css. Also, the only referral page listed in the logs is for the POST entry; it doesn't even list a referral page from my site to my site except for that.
I also just noticed that the case is not fully consistent. It contains "QUANtItY" and "GeNeRAtoR", but also "checkOK" and "webbot BOT".
I tried to post the code, but it's 13k and the posting limit is 10k. However, the page can be viewed at http://www.gorgewarehouse.com/wanted1.htm for your convenience.
BTW, how can I integrate a user's IP address into the form? IIRC, Yahoo! did it automatically.
Thanks very much in advance.
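The access-log pattern described in this post (only the .htm and the submission .php requested, about a second apart, no images, favicon or stylesheet) can be checked mechanically. The script below is an added example, not code from the thread or from the Yahoo! script; the log lines are constructed samples in Apache "combined" format with documentation-range addresses, and `/submit.php` stands in for the real handler name, which the thread does not give.

```php
<?php
// Added example, not code from the thread. Looks for clients that load the
// form page and POST to the handler within seconds without ever requesting
// the page's images, stylesheet or favicon: the behaviour of a script, not a browser.
// '/submit.php' is an assumed name for the form handler.

const FORM_HANDLER = '/submit.php';
const ASSET_EXTENSIONS = ['css', 'js', 'jpg', 'jpeg', 'gif', 'png', 'ico'];

// Constructed sample lines in Apache "combined" log format (not real log data).
$sampleLog = <<<'LOG'
203.0.113.5 - - [08/Jul/2009:03:10:01 -0700] "GET /wanted1.htm HTTP/1.1" 200 13120 "-" "Mozilla/4.0"
203.0.113.5 - - [08/Jul/2009:03:10:02 -0700] "POST /submit.php HTTP/1.1" 200 512 "http://www.gorgewarehouse.com/wanted1.htm" "Mozilla/4.0"
198.51.100.7 - - [08/Jul/2009:03:12:40 -0700] "GET /wanted1.htm HTTP/1.1" 200 13120 "http://www.gorgewarehouse.com/" "Mozilla/5.0"
198.51.100.7 - - [08/Jul/2009:03:12:40 -0700] "GET /style.css HTTP/1.1" 200 2048 "http://www.gorgewarehouse.com/wanted1.htm" "Mozilla/5.0"
198.51.100.7 - - [08/Jul/2009:03:12:41 -0700] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jul/2009:03:13:55 -0700] "POST /submit.php HTTP/1.1" 200 512 "http://www.gorgewarehouse.com/wanted1.htm" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into its parts; null if it does not match. */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts   = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    $path = parse_url($m[4], PHP_URL_PATH);
    return [
        'ip'     => $m[1],
        'time'   => $ts ? $ts->getTimestamp() : null,
        'method' => $m[3],
        'path'   => is_string($path) ? $path : $m[4],
    ];
}

/**
 * Per client IP: whether it POSTed to the handler, how many page assets it
 * fetched, and the seconds between its last GET of a page and the POST.
 */
function profileClients(string $log): array
{
    $clients = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        $ip = $r['ip'];
        if (!isset($clients[$ip])) {
            $clients[$ip] = ['assets' => 0, 'posted' => false, 'last_page_get' => null, 'seconds_to_post' => null];
        }
        $c   = &$clients[$ip];
        $ext = strtolower(pathinfo($r['path'], PATHINFO_EXTENSION));
        if ($r['method'] === 'GET' && in_array($ext, ASSET_EXTENSIONS, true)) {
            $c['assets']++;
        } elseif ($r['method'] === 'GET') {
            $c['last_page_get'] = $r['time'];
        } elseif ($r['method'] === 'POST' && $r['path'] === FORM_HANDLER) {
            $c['posted'] = true;
            if ($c['last_page_get'] !== null && $r['time'] !== null) {
                $c['seconds_to_post'] = $r['time'] - $c['last_page_get'];
            }
        }
        unset($c);
    }
    return $clients;
}

/** Flag submitters that fetched no assets or submitted within $maxSeconds of loading the page. */
function suspiciousSubmitters(array $clients, int $maxSeconds = 5): array
{
    $flagged = [];
    foreach ($clients as $ip => $c) {
        if (!$c['posted']) {
            continue;
        }
        $reasons = [];
        if ($c['assets'] === 0) {
            $reasons[] = 'no page assets requested';
        }
        if ($c['seconds_to_post'] !== null && $c['seconds_to_post'] <= $maxSeconds) {
            $reasons[] = "submitted {$c['seconds_to_post']}s after loading the page";
        }
        if ($reasons) {
            $flagged[$ip] = $reasons;
        }
    }
    return $flagged;
}

foreach (suspiciousSubmitters(profileClients($sampleLog)) as $ip => $reasons) {
    echo $ip, ': ', implode('; ', $reasons), PHP_EOL;
}
```

On the sample data only 203.0.113.5 is reported (no assets, POST one second after the page load); the second client fetched its stylesheet and favicon and took over a minute to submit. Run against real logs, a hit on either signal is a reason to look closer, not proof by itself: a text-mode browser or a client with images disabled also skips assets.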
Chella
07-09-2009, 11:38 AM
If it's PHP based, you would use something like $mail_message .= "IP Address: ".$_SERVER['REMOTE_ADDR']."\n";
Even so, if the exploiter is using a proxy you still wouldn't receive their true IP address.
sjlplat
07-10-2009, 05:57 AM
Make sure to validate each line in your form processor. It's very easy to inject code into a PHP-based form processor and force the account to do unwanted things (such as modify and delete your files).
You'll need to cross-reference the submitted data and ensure it does not contain any chunks of code. If it does, the script should either reject the form submission or modify the output so that the code is harmless.
If you're unfamiliar with XSS, here are a few places to start learning:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
http://www.cgisecurity.com/xss-faq.html
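The two points made in this thread, recording the sender's address (Chella's snippet) and checking every field before it reaches the mail body (sjlplat's advice), in one form processor. This is an added example, not code from the thread or from the Yahoo! script the original poster adapted; the field names, limits and the `example.invalid` addresses are assumptions for the demonstration.

```php
<?php
// Added example, not the thread's or the Yahoo! script's code.
// Field names (name, email, quantity, message) and limits are assumed.
declare(strict_types=1);

/** Validate the raw POST fields. Returns a list of error strings; empty means OK. */
function validateSubmission(array $post): array
{
    $errors = [];
    $rules = [
        'name'     => ['max' => 80,   'multiline' => false],
        'email'    => ['max' => 254,  'multiline' => false],
        'quantity' => ['max' => 10,   'multiline' => false],
        'message'  => ['max' => 2000, 'multiline' => true],
    ];
    foreach ($rules as $field => $rule) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {           // field[]= arrays are never expected here
            $errors[] = "$field: unexpected type";
            continue;
        }
        if (strlen($value) > $rule['max']) {
            $errors[] = "$field: too long";
        }
        // Single-line fields may end up in mail headers, so line breaks are refused
        // there; no field at all should carry markup.
        if (!$rule['multiline'] && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field: line breaks not allowed";
        }
        if ($value !== strip_tags($value)) {
            $errors[] = "$field: markup not allowed";
        }
    }
    if (($post['email'] ?? '') !== '' && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    if (($post['quantity'] ?? '') !== ''
        && filter_var($post['quantity'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        $errors[] = 'quantity: must be a positive whole number';
    }
    return $errors;
}

/**
 * Build the mail body from validated fields plus the connecting address.
 * REMOTE_ADDR is what the web server saw; behind a proxy that is the proxy, and
 * X-Forwarded-For is client-supplied text, so it is recorded only as an unverified note.
 */
function buildMailBody(array $post, array $server): string
{
    $body = '';
    foreach (['name', 'email', 'quantity', 'message'] as $field) {
        // Escape so the text stays inert if the mail is read in an HTML client
        // or is later echoed back onto a web page.
        $body .= ucfirst($field) . ': ' . htmlspecialchars($post[$field] ?? '', ENT_QUOTES, 'UTF-8') . "\n";
    }
    $body .= 'IP Address: ' . ($server['REMOTE_ADDR'] ?? 'unknown') . "\n";
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $body .= 'X-Forwarded-For (unverified): '
            . preg_replace('/[^0-9a-fA-F.:, ]/', '', $server['HTTP_X_FORWARDED_FOR']) . "\n";
    }
    return $body;
}

// Constructed request, shaped like the junk submissions described in the thread.
$demoPost = [
    'name'     => 'GeNeRAtoR',
    'email'    => 'webbot@example.invalid',
    'quantity' => '<iframe src="http://example.invalid/"></iframe>',
    'message'  => "checkOK\nsecond line is fine in a multiline field",
];
$demoServer = ['REMOTE_ADDR' => '203.0.113.5'];   // constructed, documentation range

$errors = validateSubmission($demoPost);
if ($errors) {
    // Reject rather than try to "clean" code out of the fields; log enough to trace it.
    error_log('Rejected form submission from ' . $demoServer['REMOTE_ADDR'] . ': ' . implode('; ', $errors));
    http_response_code(400);
    echo "Submission rejected.\n";
} else {
    // mail('you@example.invalid', 'Form submission', buildMailBody($demoPost, $demoServer));
    echo buildMailBody($demoPost, $demoServer);
}
```

With the constructed request the script refuses the submission twice over (the quantity field carries markup and is not a whole number) and writes the rejection with the sender's REMOTE_ADDR to the error log. Rejecting is the simpler of the two options sjlplat describes; if you would rather deliver a neutralised copy, the `htmlspecialchars` call in `buildMailBody` is what keeps the escaped text harmless.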