
Is my web site being attacked?
funkboy
Professional Poster
Join Date: May 2001
Location: North Dakota, USA
May 6, 2006, 09:51 PM
 
I have a very simple php script on a website, www.moofunk.com, to allow people to sign up for an email newsletter. Recently I looked at the address data (a plain .txt file, return delimited for each address), and some of it looks like this:

Code:
by Content-Type: multipart/alternative; boundary=b9dcc605dc3de9c4a1cdb95913995ad9 MIME-Version: 1.0 Subject: th case bcc: [email protected] This is a multi-part message in MIME format. --b9dcc605dc3de9c4a1cdb95913995ad9 Content-Type: text/plain; charset=\"us-ascii\" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit on ivry side. lawyer has charge iv the city horse shoein , another wan --b9dcc605dc3de9c4a1cdb95913995ad9-- . homepage [email protected] homepage [email protected] homepage by Content-Type: multipart/alternative; boundary=b9dcc605dc3de9c4a1cdb95913995ad9 MIME-Version: 1.0 Subject: th case bcc: [email protected] This is a multi-part message in MIME format. --b9dcc605dc3de9c4a1cdb95913995ad ...
The email address [email protected] comes up a few times, and overall it looks like some kind of spam text. It looks like it was somehow trying to send an email using my script, though I do not send out any emails from this php code.

Googling "[email protected]" produced other web sites that looked like they were victim to the same thing.

Does anyone have any familiarity with what this is? Is this web server subject to some weird php vulnerability?
     
genevish
Mac Enthusiast
Join Date: Jan 1999
Location: Marietta, GA, USA
May 9, 2006, 09:35 AM
 
Yes, it does appear to be an attempt to send spam from your site. I don't think they were trying to exploit any particular vulnerability, but just hoping the message would get sent to your email list. You could try parsing the entries in your form field before adding them to your txt file (make sure it's only one line, and is a valid email format, etc.)
Scott Genevish
scott AT genevish DOT org
     
Millennium
Clinically Insane
Join Date: Nov 1999
May 9, 2006, 12:46 PM
 
The bad news is that this is definitely an attack. The good news is that the attack seems to have failed.

genevish's advice is right. Even if you have JavaScript in place to validate the data the user enters, always validate it again when it reaches the server. Many tools exist that can emulate browser behavior well enough that there's no way for the server to distinguish between the browser and the real thing, and these will neatly bypass any JavaScript-based validation scheme you put into place. These tools are supposed to be used for testing sites, but spammers also use them to devastating effect.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
F.A.T.
Registered User
Join Date: Jul 2006
May 14, 2006, 07:07 AM
 
Originally Posted by funkboy
I have a very simple php script on a website, www.moofunk.com , to allow people to sign up for an email newsletter. Recently I looked at the address data (a plain .txt file, return delimited for each address), and some of it looks like this:
Does anyone have any familiarity with what this is? Is this web server subject to some weird php vulnerability?
Yes, but it doesn't just target php, it targets plain HTML sites too!

I've been gathering evidence on these people for a few months now. I suspected it was a "robot" script from the start. I reported it to my hosting company and they didn't believe me. They made modifications to their servers but it didn't stop the onslaught. They eventually gave up and blamed my script. So I contacted the guy who built my site. He didn't believe me either!

I removed the response form from my site, but the "robot" still had all the server details and HTML embedded so it is still sending emails.

The original few batches used the following email addresses regularly ...
[email protected]
[email protected]
[email protected]

... So I reported them to AOL and they changed to new addresses like the one you have listed.

I finally got the evidence I needed to confirm that it is a robot script, when, after I had removed my original response form from that site and added a guestbook script to another site, I started getting a new onslaught to the new guestbook. This guestbook was resident on my host's server and the spam crashed the script within a month, causing my host to have to close the server for modifications. So I changed it to a CGI script which writes the details to a text file, and uses only "textbox" fields instead of "mailto" or "sendmail" fields - Lo & behold! It attacked this too!

It seems to go for short response forms such as guestbooks. So far my longer forms have been untouched.

So far I have hit a brick wall. Some of the email addresses they use have led me to a site called punkass.com. I wrote to them but received no reply.

Unfortunately, I haven't been collecting all the IP addresses that the mail is being sent from, but so far I have 3. All are unlisted by spamcop. I am currently writing to the ISPs involved to see if they can shed any light on the matter.

It is becoming likely that they are using a virus to send the attacks from infected private machines. If that is so, we may never trace them.

It seems that nothing is safe from these people! The only way around it is to add a "pictorial code" field into every response form, such as the one you saw when you registered to use this forum.

Lynn
     
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
May 15, 2006, 01:02 AM
 
Whew! Those are a couple of nasty stories.
They help me better understand all the forums that go to the trouble to use the "pictorial code" (I forget the technical name for it).
Slimeballs!
Sorry to both of you about your pains. It's a great service to describe your experiences in a Web Dev forum.
TOMBSTONE: "He's trashed his last preferences"
     
F.A.T.
Registered User
Join Date: Jul 2006
May 15, 2006, 10:58 AM
 
Today I have received a further 20 or so emails from this "response-form spammer", together with the 20 "Undelivered Mail" responses from the address that they are BCC'd to! This is despite removing the form from my site several weeks ago!

I have checked the IP addresses of all these and they are all different. This proves that they must be sent by a virus infecting private machines, rather than from the spammers themselves.

For those of you who have so far escaped these attacks, here is a good article to read before you add any response forms to your sites:

http://www.jellyandcustard.com/2006/...ection-in-php/

Regards,

Lynn
     
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
May 16, 2006, 07:55 AM
 
Again: thanks, Lynn for letting us benefit (hopefully) from hearing about your trauma.

Also: the Jelly and Custard site looks like a great resource for keeping up on a lot of PHP and PEAR developments and issues. I'll definitely keep that bookmarked.

Now: back to planning cruel and unusual punishments in case we can ever lay our hands on the spammer-scum.
TOMBSTONE: "He's trashed his last preferences"
     
F.A.T.
Registered User
Join Date: Jul 2006
May 16, 2006, 01:01 PM
 
I had another attack from the same "response-form spammer" yesterday, but this time it was aimed at my CGI script. This script is merely a database that resides on my server and has no "sendmail" or "mailto" script.

Upon studying these responses, it is obvious that the robot doesn't look for sendmail sequences. I have 4 fields in this form ... "Name", "Email", "Location" and "Comments"; the first 3 are short text boxes and the last one is a multi-line textbox.

The spammer fills the first 3 boxes with their "from" field, which is an email address using "your domain" plus a randomly generated identity in front of the @ sign. All the BCC email sending scripts and HTML, go into the multi-line text box. Therefore it doesn't matter what form or script you are using. If you have a multi-line text box, you are vulnerable!

Regards,

Lynn
http://www.wobblymusic.net
     
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
May 16, 2006, 07:47 PM
 
"More madness for a May morning," to bastardize Shakespeare.

Hmm... I wonder if the bots are programmed so that once they find ANY indication of vulnerability they go back to that server with various other "goodies"?
TOMBSTONE: "He's trashed his last preferences"
     
jay3ld
Senior User
Join Date: Jul 2004
May 20, 2006, 12:25 AM
 
Wow, glad I came around to see this.
I went through all my scripts that send out email and implanted this throughout them... Glad I now know about this little exploit.
You shouldn't make fun of nerds... you'll be working for one some day.
     
funkboy  (op)
Professional Poster
Join Date: May 2001
Location: North Dakota, USA
May 22, 2006, 03:52 PM
 
The reg expressions mentioned in the linked website don't seem to work for me... must a special package be installed to get preg expression matching to work?

Also, I am just now getting spammed on another contact form I have... here's what the example emails, that as far as I can tell are only being delivered to me, are looking like:

Code:
Great work! <a href="http://nvhijuxi.com/cqak/wtvh.html">My homepage</a> | <a href="http://ccezgcwd.com/ciky/pozs.html">Please visit</a> From [email protected]
I am not visiting that website, of course. I have the IP of who's doing this, and the IPs are looking very... different. Each one looks vastly different, in fact, different top-level domains.
But a quick whois search reveals all three belong to this group:
Asia Pacific Network Information Centre

In fact... I see the attack here now... it uses three different kinds of submissions; the three different kinds would each work if the form belonged to a different location, either a bulletin board, html submission, or just plain text. Check out these other two emails:
Code:
Thank you! http://nvhijuxi.com/cqak/wtvh.html | http://zfiriqwe.com/fjwj/cxgz.html From [email protected]
(Below I have added extra spaces so the links do not actually show up as links on here.)
Code:
Thank you! [ u r l = http://nvhijuxi.com/cqak/wtvh.html ]My homepage[ / u r l ] | [ u r l = http://jbgsgyvc.com/zcqt/bxgk.html ]Cool site[ / u r l ] From [ e m a il ][email protected][ / email ]
I hate posting these because this is just reposting the spam though...

Ideas, anyone?
( Last edited by funkboy; May 22, 2006 at 04:00 PM. )
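Pulling together genevish's advice (one line, valid address), Lynn's observation that the mail headers ride in the multi-line comments box, and funkboy's question about preg matching, here is an added example of the server-side checks a PHP form handler could run; it is not code from the thread or from any poster. The field names, the header pattern list and the sample addresses are assumptions; preg_match() needs no separate package, since the PCRE extension is bundled with PHP.

```php
<?php
// Added example (not funkboy's script or any poster's code): server-side checks
// so the header-injection payloads quoted in this thread never reach the address
// file or mail(). preg_match() is part of PHP's bundled PCRE extension.
// Short fields must never contain CR or LF: every injected "bcc:" or
// "Content-Type:" line depends on being able to start a new line.
function isSingleLine($value)
{
    return preg_match('/[\r\n]/', $value) !== 1;
}
// Conservative address check: local part, one @, dotted domain, nothing else
// (deliberately simpler than full RFC 5322 syntax).
function isValidEmail($value)
{
    return isSingleLine($value) && strlen($value) <= 254
        && preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $value) === 1;
}
// A multi-line comments box legitimately contains newlines, so instead refuse
// mail headers at the start of any line or MIME scaffolding anywhere in it.
function looksLikeHeaderInjection($text)
{
    $re = '/^\s*(bcc|cc|subject|content-type|mime-version|content-transfer-encoding)\s*:|multipart\/|boundary=/mi';
    return preg_match($re, $text) === 1;
}
// Returns rejection reasons; an empty array means the submission may be stored.
function validateSubmission(array $post)
{
    $errors = array();
    foreach (array('name', 'location') as $f) {
        if (!isSingleLine(isset($post[$f]) ? $post[$f] : '')) {
            $errors[] = "$f must be a single line";
        }
    }
    if (!isValidEmail(isset($post['email']) ? $post['email'] : '')) {
        $errors[] = 'email is not a valid single-line address';
    }
    if (looksLikeHeaderInjection(isset($post['comments']) ? $post['comments'] : '')) {
        $errors[] = 'comments contain mail headers';
    }
    return $errors;
}

// Constructed sample modelled on the payload quoted above (placeholder addresses).
print_r(validateSubmission(array(
    'name'     => 'xyz123@example.com',
    'email'    => "xyz123@example.com\r\nbcc: victim@example.invalid",
    'location' => 'xyz123@example.com',
    'comments' => "Content-Type: multipart/alternative; boundary=abc\nbcc: victim@example.invalid",
)));
```

Run these checks in the script that receives the POST, before anything is appended to the text file or handed to mail(); as Millennium notes, client-side JavaScript validation is bypassed by the tools spammers use.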