Web Hosting Talk

Php or server security problem - any clue?


webdesign jr
05-17-2007, 03:10 PM
Hello.

I host my sites on a shared server. Recently, two of them were attacked to send email spam messages. I do not understand the nature of the attack.

Basic facts:

1. Email is sent by the PHPMailer class.
2. No files were modified on the server - it seems intact.
3. THERE ARE NO FORMS OR FIELDS TO FILL - the email addresses are read from the database.
4. The database tables are not compromised.

-------------------------------------
The script sending emails:

$rows = $Database->fetch_assoc($myquery);
require_once(tecka."./classes/email.php");   // Email extends PHPMailer
$Email = new Email();

$Email->IsHTML(true);
foreach ($rows as $radka) {
    $Email->AddAddress($radka["email"]);

    // load the HTML template and fill in its placeholders
    $Email->sablona(tecka."./sablony/email_aktivita_ucitele.html");
    $Email->subject("Please confirm / Prosíme potvrďte");
    $odkaz = "<a href='http://www.xxxxx.eu/user/aktivita.php?id=".$radka["id"]."'>there</a>";
    $link  = "<a href='http://www.xxxx.eu/user/aktivita.php?id=".$radka["id"]."'>sem</a>";
    $keys = array("sem", "there");
    $vals = array($link, $odkaz);
    $Email->zprava_ze_sablony($keys, $vals);
    if ($Email->Send()) {
        echo "OK";
    }
    $Email->ClearAddresses();
}
-----------------------------------------------------

The Email class is subclassed from the PHPMailer class. It includes the (apparently intact) HTML file named email_aktivita_ucitele.html and uses it to create the message. The email is sent by its parent method.

The message is sent not only to the given address selected from the database, but also to many other addresses not present in the database (see below). I feel very perplexed.

--------------------
Hi. This is the qmail-send program at xx.xxxxx.cz.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<will@inthehollow.com>:
64.202.166.12 does not like recipient.
Remote host said: 553 Attack detected from pool 81.0.235.239. <http://unblock.secureserver.net/?ip=81.0.235.*>
Giving up on 64.202.166.12.

<datadisk101@yahoo.com>:
216.39.53.1 failed after I sent the message.
Remote host said: 554 delivery error: dd Sorry your message to datadisk101@yahoo.com cannot be delivered. This account has been disabled or discontinued [#102]. - mta107.mail.re4.yahoo.com

<krabourn@sbcglobant.net>:
Sorry, I couldn't find any host named sbcglobant.net. (#5.1.2)

<jonik.michal@onet.pl>:
213.180.130.206 does not like recipient.
Remote host said: 501 5.1.3 User: jonik.michal@onet.pl not found
Giving up on 213.180.130.206.

<mars337@lycos.com>:
209.202.208.20 does not like recipient.
Remote host said: 550 5.1.1 81.0.235.28: No such user: <mars337@lycos.com>
Giving up on 209.202.208.20.

Engelmacher
05-17-2007, 03:28 PM
Is register_globals on?

webdesign jr
05-17-2007, 04:19 PM
NO, register_globals is off.

Besides, the script is called from cron without any GET or POST parameter.

ak7861
05-17-2007, 04:24 PM
Someone could have posted a form from his website to your handler. A solution to this would be to add an image verification before sending out the email.

Engelmacher
05-17-2007, 04:40 PM
Or better yet take it out of the document root altogether.

sasha
05-17-2007, 04:54 PM
Could it be that there is something wrong with the actual email list you read from the database ?

after this line:
foreach($rows as $radka) {

add
print_r($radka);

webdesign jr
05-17-2007, 05:20 PM
To ak7861 and Engelmacher: I do not understand how an external form could interfere, since the script doesn't accept any external variables - it just reads the database.

To Sasha: I checked that the table does not contain any of the emails spammed. Besides, I have been logging the email addresses for a while - the emails spammed are not there. Thus it seems that the spammed emails are somehow externally added to the BCC or CC of the PHPMailer class, but HOW??

This is very frustrating.

Engelmacher
05-17-2007, 05:49 PM
And I don't understand why a script which is only invoked by a cron job running locally needs to be publicly accessible in the first place. If you want a quick and simple solution, move it.

webdesign jr
05-17-2007, 06:02 PM
As I mentioned, there are two scripts at different domains attacked in the same manner. The second one is more complex and therefore not detailed here. But it cannot be moved - it must be accessible.

Burhan
05-17-2007, 06:18 PM
Are you sure this was not an attack on the server, not your sites per se? Can you post some server logs (preferably raw logs)? That would help.

ak7861
05-17-2007, 06:25 PM
To ak7861 and Engelmacher: I do not understand how an external form could interfere, since the script doesn't accept any external variables - it just reads the database.
Then it's either a server attack or a MySQL injection.

webdesign jr
05-18-2007, 12:06 PM
Thanks to all for suggestions.
- MySQL injection is ruled out since the table is intact. The user table has only 100 records so far and the autoincrement id matches the number of actual users - so I am sure nothing was inserted and deleted later.
- I cannot exclude the server attack, but this is a shared server, properly maintained and secured. It belongs to another company, so I do not have the logs and so far no definite answer from them.
- I am still thinking of some kind of cross-site scripting but cannot understand how it could be done.

Vinayak_Sharma
05-18-2007, 01:01 PM
Ask your host if they have mod_security configured properly on that server.

Meanwhile, code your form so that it rejects CC & BCC, then see if it's still happening.
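Putting the thread's two defensive suggestions together (refuse to serve a cron-only script over HTTP, and make sure no recipient beyond the one database address can reach the message), here is an added hardening example; it is not the poster's code or part of PHPMailer. It assumes cron invokes the PHP CLI binary directly, the standard PHPMailer API (AddAddress, ClearAllRecipients, Send, ErrorInfo), and a $rows array of id/email pairs as in the thread; the poster's Email subclass and template methods are not reproduced.

```php
<?php
// Added hardening example (not the poster's code). Assumes PHPMailer's
// public API and a $rows array of ["id" => ..., "email" => ...] rows.

// 1. A cron-only mailer has no business answering HTTP requests. Refuse
//    to run unless invoked by the PHP CLI (i.e. from cron), regardless
//    of where the file sits relative to the document root.
if (php_sapi_name() !== 'cli') {
    header('HTTP/1.1 403 Forbidden');
    exit('This script runs from cron only.');
}

// 2. Accept a recipient only if it is one syntactically valid address
//    with no header-injection characters. A value is not trusted just
//    because it came out of our own table.
function safe_recipient($candidate) {
    $candidate = trim((string)$candidate);
    if ($candidate === '' || strlen($candidate) > 254) {
        return false;
    }
    // Newlines, commas and semicolons could smuggle extra recipients
    // or extra headers into the message.
    if (preg_match('/[\r\n,;]/', $candidate)) {
        return false;
    }
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return $candidate;
}

require_once './classes/email.php';   // the poster's PHPMailer subclass
$Email = new Email();
$Email->IsHTML(true);

foreach ($rows as $radka) {
    // 3. Start each iteration with an empty recipient list. ClearAddresses()
    //    only empties the To list; ClearAllRecipients() also drops CC and BCC,
    //    so nothing left over from a previous message can ride along.
    $Email->ClearAllRecipients();

    $to = safe_recipient($radka['email']);
    if ($to === false) {
        error_log('mailer: rejected recipient for id ' . (int)$radka['id']);
        continue;
    }
    $Email->AddAddress($to);
    // build the body from the template here, exactly as before, then:
    if (!$Email->Send()) {
        error_log('mailer: send failed for ' . $to . ': ' . $Email->ErrorInfo);
    }
}
```

Logging every rejected row and every failed Send() to the error log also gives you the evidence the thread is missing: which row, if any, is producing the unexpected recipients.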