ScallyWhack/Rules/420013

Rule 420013: block "Good Site!" vandalism

Purpose

Blocks ticket comments saying "Hello! Good Site! Thanks you!" which have been hitting some Trac installations. They contain no URLs, just that text followed by a few gibberish words, and are therefore classified as vandalism.

Matches POSTs that carry no trac_auth cookie (i.e. requests from anonymous users) and blocks the request if the comment form parameter contains "hello! good site! thanks you!" (compared case-insensitively, as the mixed-case comment in the example below shows).
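The rule text itself is not on this page; the chain below is a reconstruction written for this page from the description above and the audit-log entry in the example, not the ScallyWhack ruleset's own rule, and assumes ModSecurity 2.x syntax.

```apache
# Reconstruction (not the original ScallyWhack rule text) of rule 420013 as a
# three-rule chain. The first rule carries the id, message and the disruptive
# action; every rule in the chain must match for the request to be denied.
SecRule REQUEST_METHOD "^POST$" \
    "phase:2,chain,id:420013,rev:1,msg:'Good Site vandalism',log,deny,status:403"
    # Anonymous user: the trac_auth cookie is absent (occurrence count is 0).
    SecRule &REQUEST_COOKIES:trac_auth "@eq 0" "chain"
    # Lower-case the (already URL-decoded) comment so the literal pattern also
    # matches "Hello! Good Site! Thanks you!" as seen in the example request.
    SecRule ARGS:comment "hello! good site! thanks you!" "t:none,t:lowercase"
```

Scoping the chain to the ticket handler (e.g. by location) is left to the surrounding configuration, since the URL prefix differs between Trac installations.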

Example

--e29b8774-A--
[07/Oct/2007:10:23:32 +0200] 2fGs1KwQKoYAAE59AZ4AAABB XX.XX.XX.XX 1210 217.24.1.134 80
--e29b8774-B--
POST /ticket/201 HTTP/1.1
Host: madwifi.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://madwifi.org/ticket/201
Cookie: trac_session=e6e547b5fc24e274b5d75517; trac_form_token=ffb21e3c631c54ed5bce09a0
Content-Type: application/x-www-form-urlencoded
Content-Length: 172

--e29b8774-C--
__FORM_TOKEN=ffb21e3c631c54ed5bce09a0&author=anonymous&comment=Hello%21+Good+Site%21+Thanks+you%21+vyiazjjzchwcm&action=leave&ts=1191742284&replyto=&cnum=43&preview=Preview
--e29b8774-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=512
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--e29b8774-H--
Message: Access denied with code 403 (phase 2). Pattern match "hello! good site! thanks you!" at ARGS:comment. [id "420013"] [rev "1"] [msg "Good Site vandalism"]
Action: Intercepted (phase 2)
Stopwatch: 1191745411984596 34388 (19781* 20149 -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.3.1 Python/2.4.4
WebApp-Info: "scallywhack.trac.madwifi" "-" "-"

--e29b8774-Z--

Protected handlers

  • ticket

See also

n/a

History

rev:1
Initial version.