mailform hacking - a discussion in the Linux Security forums (System Security and Security Related)
Hi all

I'm not sure if this is the place to post but I don't know where to start! One of my customers who hosts on my RAQ has been getting strange e-mails. It looks to me like someone trying to send a form2mail script parameters (Bcc) to send spam. I've just changed the script to something different and it's still happening. The new script logs the IP address of the sender so I looked through the access log for that IP and got the following (I added line breaks to separate the wrapped entries):

www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:01 +0000] "GET /manual/mod/core.html#documentroot HTTP/1.0" 404 645 "-" "-"

www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:05 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.XXXXXXX.co.uk/" "-"

www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:21 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"

www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:49 +0000] "GET /?cat_id=3 HTTP/1.0" 200 4191 "-" "-"

www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:31:03 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"

www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:32:07 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"

XXXXXXX is one domain on the server.
YYYYYYY is another domain on the server and the one where the customer has complained about the weird e-mails.

Can anyone throw any light on this please? I'm guessing that the IP address is probably fake.

Regards

Andy Jacobs
--
Andy Jacobs
www.redcatmedia.net
Intelligent Websites For Intelligent Business People
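As an added illustration (not code from the thread), the Python below parses access-log entries in the vhost-prefixed format pasted above and flags source IPs that POST to mail-relaying form handlers repeatedly, across more than one virtual host, or without a User-Agent; the sample lines, handler paths and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Apache combined log with the virtual host prepended, as in the thread's entries.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Mail-relaying handlers to watch (the two named in the thread; extend for your own).
FORM_HANDLERS = ("/cgi-bin/FormMail.pl", "/form2mail.php")

# Constructed sample in the same format; hosts and IPs are documentation placeholders.
SAMPLE_LOG = """\
www.example-a.co.uk 192.0.2.129 - - [16/Nov/2005:12:47:05 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.example-a.co.uk/" "-"
www.example-b.co.uk 192.0.2.129 - - [16/Nov/2005:16:30:21 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.example-b.co.uk/" "-"
www.example-b.co.uk 192.0.2.129 - - [16/Nov/2005:16:31:03 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.example-b.co.uk/" "-"
www.example-b.co.uk 192.0.2.129 - - [16/Nov/2005:16:32:07 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.example-b.co.uk/" "-"
www.example-b.co.uk 198.51.100.7 - - [16/Nov/2005:17:02:40 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.example-b.co.uk/contact.html" "Mozilla/5.0"
"""

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_form_abusers(log_text, min_posts=2):
    """Return {ip: {...}} for IPs whose POSTs to form handlers look scripted."""
    stats = defaultdict(lambda: {"posts": 0, "vhosts": set(), "no_ua": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] not in FORM_HANDLERS:
            continue
        s = stats[rec["ip"]]
        s["posts"] += 1
        s["vhosts"].add(rec["vhost"])
        if rec["ua"] == "-":          # browsers send a User-Agent; scripts often do not
            s["no_ua"] += 1
    return {ip: {"posts": s["posts"], "vhosts": sorted(s["vhosts"]), "no_ua": s["no_ua"]}
            for ip, s in stats.items()
            if s["posts"] >= min_posts or len(s["vhosts"]) > 1 or s["no_ua"]}

if __name__ == "__main__":
    for ip, s in find_form_abusers(SAMPLE_LOG).items():
        print(f"{ip}: {s['posts']} form POSTs, vhosts={s['vhosts']}, no User-Agent={s['no_ua']}")
```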
Andy Jacobs wrote:
> Hi all
>
> I'm not sure if this is the place to post but I don't know where to
> start! One of my customers who hosts on my RAQ has been getting strange
> e-mails. It looks to me like someone trying to send a form2mail script
> parameters (Bcc) to send spam. I've just changed the script to
> something different and it's still happening. The new script logs the
> IP address of the sender so I looked through the access log for that IP
> and got the following (I added line breaks to separate the wrapped
> entries):
>
> www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:01 +0000] "GET
> /manual/mod/core.html#documentroot HTTP/1.0" 404 645 "-" "-"
>
> www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:05 +0000] "POST
> /cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.XXXXXXX.co.uk/" "-"
>
> www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:21 +0000] "POST
> /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
>
> www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:49 +0000] "GET
> /?cat_id=3 HTTP/1.0" 200 4191 "-" "-"
>
> www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:31:03 +0000] "POST
> /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
>
> www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:32:07 +0000] "POST
> /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
>
> XXXXXXX is one domain on the server
> YYYYYYY is another domain on the server and the one where the customer
> has complained about the weird e-mails.
>
> Can anyone throw any light on this please? I'm guessing that the IP
> address is probably fake.

The IP address is very probably real. It is not possible to run a TCP connection with a totally fake IP.

Another story is if the real user sits behind that IP or is just using a cracked host as a cloaking proxy.

It seems to be a host in a Hungarian university: (extra information stripped)

--
Tauno Voipio
tauno voipio (at) iki fi
In article <HDKef.345$dW1.15@read3.inet.fi>,
Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:
> Andy Jacobs wrote:
> > Hi all
> >
> > I'm not sure if this is the place to post but I don't know where to
> > start! One of my customers who hosts on my RAQ has been getting strange
> > e-mails. It looks to me like someone trying to send a form2mail script
> > parameters (Bcc) to send spam. I've just changed the script to
> > something different and it's still happening. The new script logs the
> > IP address of the sender so I looked through the access log for that IP
> > and got the following (I added line breaks to separate the wrapped
> > entries):
> >
> > www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:01 +0000] "GET
> > /manual/mod/core.html#documentroot HTTP/1.0" 404 645 "-" "-"
> >
> > www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:05 +0000] "POST
> > /cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.XXXXXXX.co.uk/" "-"
> >
> > www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:21 +0000] "POST
> > /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
> >
> > www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:49 +0000] "GET
> > /?cat_id=3 HTTP/1.0" 200 4191 "-" "-"
> >
> > www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:31:03 +0000] "POST
> > /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
> >
> > www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:32:07 +0000] "POST
> > /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"
> >
> > XXXXXXX is one domain on the server
> > YYYYYYY is another domain on the server and the one where the customer
> > has complained about the weird e-mails.
> >
> > Can anyone throw any light on this please? I'm guessing that the IP
> > address is probably fake.
>
> The IP address is very probably real. It is not possible to run
> a TCP connection with a totally fake IP.
>
> Another story is if the real user sits behind that IP or is
> just using a cracked host as a cloaking proxy.
>
> It seems to be a host in a Hungarian university:

I found this too. I've sent an e-mail to the person listed but I'm doubtful of it achieving anything.

The other one that intrigues me is from the same address and that's the first one as it appears to be accessing a file that's outside of anything web accessible.

I'm still interested in knowing if these are people trying to use the form from outside - i.e. through the browser, or whether the server has been compromised. The form2mail.php file was installed yesterday, went live with a new site on the domain this afternoon and was being used within a couple of hours. How could anyone find this file?

Andy
--
Andy Jacobs
www.redcatmedia.net
Intelligent Websites For Intelligent Business People
Andy Jacobs wrote:
>
> The other one that intrigues me is from the same address and that's the
> first one as it appears to be accessing a file that's outside of
> anything web accessible.
>
> I'm still interested in knowing if these are people trying to use the
> form from outside - i.e. through the browser, or whether the server has
> been compromised. The form2mail.php file was installed yesterday, went
> live with a new site on the domain this afternoon and was being used
> within a couple of hours. How could anyone find this file?

Do any of the publicly accessible pages have links to the form?

The crackers are using Web crawler scripts which just collect links to other pages referred to in the accessible ones. It seems that your server has been catalogued by a cracker and he's just looking how far he's able to crawl inside your Apache.

I moved my Apache to a non-standard high port when I got tired of the IIS buffer overflow crack attempts in my log. It was nearly a megabyte a day, an attempt used little over a kilobyte each.

---

I guess that there is a poor student at the university unknowingly hosting a zombie. The admin may close him down, but I doubt that the real culprit is there.

--
Tauno Voipio
tauno voipio (at) iki fi
In article <KSMef.434$dW1.301@read3.inet.fi>,
Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:
> Andy Jacobs wrote:
> >
> > the other one that intrigues me is from the same address and that's the
> > first one as it appears to be accessing a file that's outside of
> > anything web accessible.
> >
> > I'm still interested in knowing if these are people trying to use the
> > form from outside - i.e. through the browser, or whether the server has
> > been compromised. The form2mail.php file was installed yesterday, went
> > live with a new site on the domain this afternoon and was being used
> > within a couple of hours. How could anyone find this file?
>
> Does any of the publicly accessible pages have links to
> the form?

Not links, but it is called from a contact page as the action on a form. That's got me thinking though. If I rename the form to something obscure, they'll still find it as it will still have to be called. But what if I call it using - for want of a better phrase - the numerical values? So form2mail.php becomes:

form2mail.p 8;&#x 70;

Could this work?

Andy
--
Andy Jacobs
www.redcatmedia.net
Intelligent Websites For Intelligent Business People
Andy Jacobs wrote:
> In article <KSMef.434$dW1.301@read3.inet.fi>,
> Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:
>>
>> Does any of the publicly accessible pages have links to
>> the form?
>
> Not links, but it is called from a contact page as the action on a form.
> That's got me thinking though. If I rename the form to something
> obscure, they'll still find it as it will still have to be called. But
> what if I call it using - for want of a better phrase - the numerical
> values? So form2mail.php becomes:
>
> form2mail.p 8;&#x
> 70;
>
> Could this work?

The bots are probably running a de-obfuscator, so they understand all valid URL/URI forms.

--
Tauno Voipio
tauno voipio (at) iki fi
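Since any encoding a browser can decode is equally easy for a bot to decode, the durable fix is in the handler itself: never take recipients or other header values from the submitted form, and refuse any field containing a line break. The Python below is an added illustration, not code from the thread or from any FormMail or form2mail script; the field names, placeholder recipient, referer check and sample submissions are assumptions.

```python
import html
import re

# A line break in any field lets a sender append their own mail headers (Bcc: ...);
# refuse the whole submission rather than trying to clean it.
CRLF_RE = re.compile(r"[\r\n\x00]")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Field names FormMail-style scripts honoured from the submitted form (assumed list);
# the hardened handler refuses them and uses a server-side recipient instead.
FORBIDDEN_FIELDS = {"recipient", "recipients", "bcc", "cc", "to"}
FIXED_RECIPIENT = "owner@example.invalid"   # placeholder, configured on the server

def decode_action(action_attr):
    """Entity-encoded action attributes decode back to the plain path, as a bot would do."""
    return html.unescape(action_attr)

def reject_reason(fields, referer, expected_host):
    """Return why a submission must be refused, or None if it is acceptable."""
    for name, value in fields.items():
        if name.lower() in FORBIDDEN_FIELDS:
            return f"form may not set recipient field '{name}'"
        if CRLF_RE.search(value):
            return f"line break in field '{name}' (header injection attempt)"
    if not EMAIL_RE.match(fields.get("email", "")):
        return "invalid sender address"
    # A referer check is easily forged, so it is only a cheap first filter.
    if not referer.startswith(f"http://{expected_host}/"):
        return "unexpected referer"
    return None

def build_message(fields, referer, expected_host):
    """Produce (headers, body) for the fixed recipient; raise ValueError on abuse."""
    reason = reject_reason(fields, referer, expected_host)
    if reason:
        raise ValueError(reason)
    headers = {"To": FIXED_RECIPIENT, "Reply-To": fields["email"],
               "Subject": "Website contact form"}   # subject is fixed, never user-supplied
    body = "\n".join(f"{k}: {v}" for k, v in sorted(fields.items()))
    return headers, body

if __name__ == "__main__":
    print(decode_action("form2mail.p&#x68;&#x70;"))   # constructed entity-encoded name
    good = {"name": "Alice", "email": "alice@example.invalid", "message": "Hello"}
    print(build_message(good, "http://www.example.invalid/contact.html", "www.example.invalid"))
    bad = dict(good, email="alice@example.invalid\nBcc: target@example.invalid")
    print(reject_reason(bad, "http://www.example.invalid/contact.html", "www.example.invalid"))
```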
Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:
>
> I moved my Apache to a non-standard high port when I
> got tired of the IIS buffer overflow crack attempts
> in my log. It was nearly a megabyte a day, an attempt
> used little over a kilobyte each.

Please don't do that if your site is intended for use by the general public. Moving services to arbitrary ports breaks that service for anyone behind a firewall that uses the IANA designated port numbers to allow or disallow traffic. That's why those ports are both well known and reserved.

If you object to wading through the log files trying to pick out the few relevant lines in the mass of IIS attempts, there are better solutions. Since you are apparently running apache on linux (from the fact that you mention apache and this is COLS), the IIS attempts don't do you any harm, aside from the nuisance of looking at them. The best solution is to use one of the many log analysis programs, and tell it to ignore the IIS lines. Swatch, logcheck, logwatch, and logsurfer/logsurfer+ are all pretty well known tools for the job.

Mike
--
Michael Zawrotny
Institute of Molecular Biophysics
Florida State University            | email: zawrotny@sb.fsu.edu
Tallahassee, FL 32306-4380          | phone: (850) 644-0069
Michael Zawrotny wrote:
> Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:
>
>> I moved my Apache to a non-standard high port when I
>> got tired of the IIS buffer overflow crack attempts
>> in my log. It was nearly a megabyte a day, an attempt
>> used little over a kilobyte each.
>
> Please don't do that if your site is intended for use by the general
> public. Moving services to arbitrary ports breaks that service for
> anyone behind a firewall that uses the IANA designated port numbers
> to allow or disallow traffic. That's why those ports are both well
> known and reserved.

Yes - here too well known. The website is not for public consumption, its primary use is to provide a platform for my Squirrelmail.

> If you object to wading through the log files trying to pick out
> the few relevant lines in the mass of IIS attempts, there are better
> solutions. Since you are apparently running apache on linux (from
> the fact that you mention apache and this is COLS), the IIS attempts
> don't do you any harm, aside from the nuicance of looking at them.
> The best solution is to use one of the many log analysis programs,
> and tell it to ignore the IIS lines. Swatch, logcheck, logwatch, and
> logsurfer/logsurfer+ are all pretty well known tools for the job.

That's not the reason, but the disk consumption: 1000 attempts a day eats more than a megabyte a day.

--
Tauno Voipio
tauno voipio (at) iki fi
Tauno Voipio <tauno.voipio@iki.fi.NOSPAM.invalid> wrote:
> Michael Zawrotny wrote:
> > Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:
> >
> >> I moved my Apache to a non-standard high port when I
> >> got tired of the IIS buffer overflow crack attempts
> >> in my log. It was nearly a megabyte a day, an attempt
> >> used little over a kilobyte each.

[ snip ]

> The website is not for public consumption, its primary
> use is to provide a platform for my Squirrelmail.

[ snip ]

> > If you object to wading through the log files trying to pick out
> > the few relevant lines in the mass of IIS attempts
>
> That's not the reason, but the disk consumption: 1000 attempts
> a day eats more than a megabyte a day.

I wouldn't worry too much about that, logrotate will keep that down to a pretty small amount of space, especially when compared to Apache and Squirrelmail.

Mike
--
Michael Zawrotny
Institute of Molecular Biophysics
Florida State University            | email: zawrotny@sb.fsu.edu
Tallahassee, FL 32306-4380          | phone: (850) 644-0069
Michael Zawrotny wrote:
> Tauno Voipio <tauno.voipio@iki.fi.NOSPAM.invalid> wrote:
>
> I wouldn't worry too much about that, logrotate will keep that down to
> a pretty small amount of space, especially when compared to Apache and
> Squirrelmail.

The log mess is in Apache's log. It's kinda easier to keep Squirrelmail under control, Spamassassin is doing a decent job.

--
Tauno Voipio
tauno voipio (at) iki fi