Re: [Mimedefang] OT: Don't let this happen to you

2006-02-22 Thread Atanas

Richard Laager said the following on 02/20/06 23:46:

> On Thu, 2006-02-16 at 11:50 -0800, Atanas wrote:
>> a sendmail log monitoring script that shuts down web sites 
>> immediately (notifying both parties - the web site owner and the shared 
>> server administrator) in case a web site starts sending suspicious 
>> amounts of outgoing emails for a given period of time.
> [ snipped ]
>> I'm running 
>> it through a modified version of mod_fastcgi that forks dynamic 
>> PHP-fastcgi workers on demand and runs them with the privileges of the 
>> script owner.
>
> Are either of these available online -- especially the modified
> mod_fastcgi?

None of these were available online. These are just custom hacks for 
custom configurations.


The sendmail log monitoring script in particular (if you have the proper 
CGI/PHP/firewall hooks in place of course) is a pretty trivial thing to 
implement. Mine works, but is not perfect. I don't like the way it 
parses the logs resulting in some spam passing through, so now it sits 
in my TODO list waiting for a major rewrite.


The mod_fastcgi mods however seem pretty stable (running in production 
for about 2 years already), so now I feel more confident in sharing 
them. I just made a simple page with the patches and a short description 
here: http://apache.asd.aplus.net


Regards,
Atanas
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] OT: Don't let this happen to you

2006-02-21 Thread Richard Laager
On Thu, 2006-02-16 at 11:50 -0800, Atanas wrote:
> a sendmail log monitoring script that shuts down web sites 
> immediately (notifying both parties - the web site owner and the shared 
> server administrator) in case a web site starts sending suspicious 
> amounts of outgoing emails for a given period of time.
[ snipped ]
> I'm running 
> it through a modified version of mod_fastcgi that forks dynamic 
> PHP-fastcgi workers on demand and runs them with the privileges of the 
> script owner.

Are either of these available online -- especially the modified
mod_fastcgi?

Thanks,
Richard



[Mimedefang] OT: Don't let this happen to you

2006-02-19 Thread Atanas
In a large scale environment with lots of websites with untrusted 
content, trying to identify what exactly spammers can abuse and block it 
via mod_rewrite or mod_security rules seems to be just a waste of time.


The best workaround I have found and already use for the past few years 
is a sendmail log monitoring script that shuts down web sites 
immediately (notifying both parties - the web site owner and the shared 
server administrator) in case a web site starts sending suspicious 
amounts of outgoing emails for a given period of time.


In order to properly identify the real sender in the sendmail logs, I 
explicitly forbid users (via kernel firewall rules) to speak SMTP, so 
the only way left for PHP and other CGI scripts is to pipe emails 
through the sendmail binary, which gets run with the privileges of the 
invoking script (in my case with user privileges) and the user gets 
appropriately logged by sendmail.


Such a technique however requires running all untrusted scripts with 
untrusted (i.e. user) privileges, e.g. via suexec or other wrappers.


Running PHP as CGI on busy web servers is kind of slow, so I'm running 
it through a modified version of mod_fastcgi that forks dynamic 
PHP-fastcgi workers on demand and runs them with the privileges of the 
script owner. The PHP-fastcgi approach has some really nice advantages 
when compared to mod_php:
- apache children could be left alone to serve mostly static content, no 
mod_php messing around, eating resources and core dumping children;
- the number of fastcgi workers can be limited per user/website, so a 
single website can no longer bring a shared server to its knees when 
abused (e.g. with tons of runaway (mod_)PHP instances)
- it runs as fast as mod_php, allows using PHP optimizers, accelerators, 
etc.; it's kind of self-balanced configuration - the fastcgi process 
manager kills the least used PHP workers, so less intensive websites get 
a CGI like performance, while the really loaded ones work at full speed 
as their workers are left in memory most of the time;
- allows having different PHP configurations (php.ini) per user, and 
even running different PHP versions (like PHP4 or PHP5) depending on the 
user's choice.


Regards,
Atanas
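As an added example (not Atanas's own script, which was never published), here is the detection half of the sendmail log monitor he describes here and in his 2006-02-22 follow-up: attribute each queued message to the local user that invoked the sendmail binary, then flag users whose recipient count in a sliding window exceeds a threshold. The log lines are constructed, and the assumption that local submissions are logged as `relay=<user>@localhost` is mine.

```python
"""Added example, not Atanas's script: detection logic for a sendmail log
monitor. Sample log lines are constructed; the 'relay=<user>@localhost'
attribution of local submissions is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the 'from=' line sendmail writes when a message is queued. Only lines
# with relay=<user>@localhost (a local sendmail invocation) are attributed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<from>[^>]*)>, .*nrcpts=(?P<nrcpts>\d+), .*relay=(?P<user>[^@\s,]+)@localhost"
)

# Constructed sample: 'alice' sends a little, 'shop' bursts, and the last line
# is a delivery record (to=) that must be ignored.
SAMPLE_LOG = """\
Feb 19 10:00:01 www sendmail[4101]: k1JA01Ab004101: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<a1@www>, relay=alice@localhost
Feb 19 10:00:05 www sendmail[4102]: k1JA05Ac004102: from=<shop@example.org>, size=2210, class=0, nrcpts=25, msgid=<s1@www>, relay=shop@localhost
Feb 19 10:03:40 www sendmail[4110]: k1JA3eAd004110: from=<shop@example.org>, size=2190, class=0, nrcpts=30, msgid=<s2@www>, relay=shop@localhost
Feb 19 10:15:00 www sendmail[4150]: k1JAF0Ae004150: from=<alice@example.org>, size=790, class=0, nrcpts=2, msgid=<a2@www>, relay=alice@localhost
Feb 19 10:16:00 www sendmail[4151]: k1JAF0Ae004150: to=<bob@example.net>, delay=00:00:01, mailer=esmtp, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent
"""


def parse_line(line, year=2006):
    """Return (timestamp, user, recipient count) for a queued-message line,
    else None. Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], int(m["nrcpts"])


def offenders(lines, window=timedelta(minutes=10), limit=50, year=2006):
    """Map each user whose recipients in any `window` exceed `limit` to that
    peak count, using a sliding window over the user's time-sorted events."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            ts, user, nrcpts = parsed
            events[user].append((ts, nrcpts))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = total = peak = 0
        for ts, nrcpts in evs:
            total += nrcpts
            while evs[start][0] < ts - window:   # drop events older than the window
                total -= evs[start][1]
                start += 1
            peak = max(peak, total)
        if peak > limit:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    # In Atanas's setup this is the point where the site would be disabled
    # and both the site owner and the server administrator notified.
    for user, peak in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {peak} recipients within 10 minutes, over the limit")
```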


Re: [Mimedefang] OT: Don't let this happen to you

2006-02-16 Thread WBrown
[EMAIL PROTECTED] wrote on 02/15/2006 06:59:34 PM:

> I don't run PGP on this box... (laffin)
> 
> It's fun to watch though..

Right up there with watching attempts to hack an IIS box when it's not 
even running Windows!  Damn crap can fill up a log though.


Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Ben Kamen

Ben Kamen wrote:

> I don't run PGP on this box... (laffin)

Er, that's PHP... (hey, I was one letter off... you all knew what I meant! :) )

 -Ben



Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Ben Kamen

G. Roderick Singleton wrote:

> On Wed, 2006-02-15 at 17:13 -0600, Ben Kamen wrote:
>> Speaking of which, I saw these in my logs today...
>>
>> "POST /xmlrpc.php HTTP/1.1" 500 256
>> "POST /blog/xmlrpc.php HTTP/1.1" 500 256
>> "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 500 256
>> "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 500 256
>> "POST /drupal/xmlrpc.php HTTP/1.1" 500 256
>> "POST /phpgroupware/xmlrpc.php HTTP/1.1" 500 256
>> "POST /wordpress/xmlrpc.php HTTP/1.1" 500 256
>> "POST /xmlrpc.php HTTP/1.1" 500 256
>> "POST /xmlrpc/xmlrpc.php HTTP/1.1" 500 256
>> "POST /xmlsrv/xmlrpc.php HTTP/1.1" 500 256

I don't run PGP on this box... (laffin)

It's fun to watch though..

 -Ben



Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Jan Pieter Cornet
On Wed, Feb 15, 2006 at 05:13:27PM -0600, Ben Kamen wrote:
> Speaking of which, I saw these in my logs today...
> 
> "POST /xmlrpc.php HTTP/1.1" 500 256

Likely looking for versions not patched against this:
http://b2evolution.net/news/2005/08/31/fix_for_xml_rpc_vulnerability_again_1

I'll have to agree with David on PHP: Horrible Programming.
It's the Public Hackers Paradise.

Next to mail(), my favorite gripe about it is: require($url)

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;# Jan-Pieter Cornet


Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread G. Roderick Singleton
On Wed, 2006-02-15 at 17:13 -0600, Ben Kamen wrote:
> Speaking of which, I saw these in my logs today...
> 
> "POST /xmlrpc.php HTTP/1.1" 500 256
> "POST /blog/xmlrpc.php HTTP/1.1" 500 256
> "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 500 256
> "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 500 256
> "POST /drupal/xmlrpc.php HTTP/1.1" 500 256
> "POST /phpgroupware/xmlrpc.php HTTP/1.1" 500 256
> "POST /wordpress/xmlrpc.php HTTP/1.1" 500 256
> "POST /xmlrpc.php HTTP/1.1" 500 256
> "POST /xmlrpc/xmlrpc.php HTTP/1.1" 500 256
> "POST /xmlsrv/xmlrpc.php HTTP/1.1" 500 256
> 
> Interesting. ;)

Please check out mod_security and daemonshield as tools for protecting
your system. 
-- 
G. Roderick Singleton <[EMAIL PROTECTED]>
PATH tech




Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Ben Kamen

Speaking of which, I saw these in my logs today...

"POST /xmlrpc.php HTTP/1.1" 500 256
"POST /blog/xmlrpc.php HTTP/1.1" 500 256
"POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 500 256
"POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 500 256
"POST /drupal/xmlrpc.php HTTP/1.1" 500 256
"POST /phpgroupware/xmlrpc.php HTTP/1.1" 500 256
"POST /wordpress/xmlrpc.php HTTP/1.1" 500 256
"POST /xmlrpc.php HTTP/1.1" 500 256
"POST /xmlrpc/xmlrpc.php HTTP/1.1" 500 256
"POST /xmlsrv/xmlrpc.php HTTP/1.1" 500 256

Interesting. ;)


Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Jan Pieter Cornet
On Wed, Feb 15, 2006 at 10:05:03AM -0800, Kelson wrote:
> One way you can test your own scripts for this is to create a copy of 
> your form and replace all your <input> and <select> elements with 
> <textarea> (even checkboxes and radio buttons).  That way you can try 

Or install the TamperData firefox plugin, and you can change any form
value of any form you ever submit, anywhere, including hidden fields,
referrers, and you can even include new fields.

I wouldn't want to try integrity checking and reproducing security
problems without it.



Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Oliver Schulze L.

Maybe this can help:
http://pear.php.net/manual/en/package.networking.net-smtp.php

HTH
Oliver
--
Oliver Schulze L.
<[EMAIL PROTECTED]>



Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Kelson

Steffen Kaiser wrote:

> You wrote that you've disabled CGI --
> Dunno, but I wouldn't weigh PHP as more secure than "general" CGI ??


With header injection attacks, it doesn't really matter whether the 
target is PHP or CGI.  It's a matter of how the message actually gets 
sent.  With PHP's mail function, you build up the headers in a single 
string and the whole thing is passed to sendmail.  Any To:, Cc:, or Bcc: 
fields found in that list are added to the recipients.  A CGI script 
that called sendmail with the -t option would have the same problem:


If the script takes user input for any header, it's possible for an 
attacker to pass in something like

"I have a question\nBcc: [EMAIL PROTECTED]"
and insert extra headers into the outgoing message.  If they add "\n\n" 
they can even insert their own message body.


This could probably be avoided if PHP's mail function used some sort of 
structure for the headers where each header was a separate string, but 
as things are you need to sanitize any user-supplied data that you use 
in any header.


One way you can test your own scripts for this is to create a copy of 
your form and replace all your <input> and <select> elements with 
<textarea> (even checkboxes and radio buttons).  That way you can try 
passing the script multi-line fields and see whether it accepts the 
extra lines, strips them out, or converts the newlines to spaces and 
wraps the extra-long headers.


--
Kelson Vibber
SpeedGate Communications 
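The mechanism Kelson describes, as an added example that is not part of the original post: headers are built as one newline-joined string the way PHP's mail() does it, the text is then read the way `sendmail -t` reads it (every To:/Cc:/Bcc: address becomes a recipient, the first blank line starts the body), and a check that refuses control characters in user-supplied header values is shown beside the trusting version. Addresses, field names and the form text are constructed for the demo.

```python
"""Added example, not from the thread: a Subject field injecting a Bcc:
header and a new body through a PHP mail()-style header string, with the
check that refuses it. All addresses and text are constructed."""
import email
from email.utils import getaddresses

RECIPIENT_HEADERS = ("to", "cc", "bcc")   # the headers 'sendmail -t' takes recipients from


def build_message(to, subject, extra_headers, body):
    """Mimic PHP mail(): headers are concatenated into one string with bare
    newlines, so a newline inside any value starts a new header line."""
    return f"To: {to}\nSubject: {subject}\n{extra_headers}\n\n{body}"


def as_sendmail_t_sees_it(raw):
    """Parse the text the way 'sendmail -t' would: every address in a
    To:/Cc:/Bcc: header becomes an envelope recipient, and the first blank
    line ends the headers and starts the body."""
    msg = email.message_from_string(raw)
    values = []
    for name in RECIPIENT_HEADERS:
        values.extend(msg.get_all(name, []))
    recipients = [addr for _, addr in getaddresses(values)]
    return recipients, msg.get_payload()


def safe_header_value(value):
    """Refuse, rather than clean, a user-supplied header value containing CR,
    LF or NUL. Silent stripping is one of the behaviours Kelson's multi-line
    test is meant to reveal; refusing the submission is unambiguous."""
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("control character in header value (possible header injection)")
    return value


# Constructed form submission: the Subject field carries the payload.
FORM_TO = "webmaster@example.org"
FORM_BODY = "Hello, where can I find your opening hours?"
INJECTED_SUBJECT = "I have a question\nBcc: victim1@example.net, victim2@example.net\n\nBuy now!"


def vulnerable_handler(subject):
    """Form handler that trusts the field, as the generated script did."""
    raw = build_message(FORM_TO, subject, "X-Mailer: formmail-demo", FORM_BODY)
    return as_sendmail_t_sees_it(raw)


def hardened_handler(subject):
    """Same handler, but the user field is validated before it reaches the headers."""
    raw = build_message(FORM_TO, safe_header_value(subject), "X-Mailer: formmail-demo", FORM_BODY)
    return as_sendmail_t_sees_it(raw)


def rejected(subject):
    """True when the hardened handler refuses the submission."""
    try:
        hardened_handler(subject)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rcpts, body = vulnerable_handler(INJECTED_SUBJECT)
    print("vulnerable: recipients =", rcpts)          # three recipients, two injected
    print("vulnerable: body starts with", repr(body[:8]))   # the injected body
    print("hardened: rejected =", rejected(INJECTED_SUBJECT))
```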


Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Kris Deugau

David F. Skoll wrote:

> PHP's mail() function is completely broken.  It is insecure, and it is
> *impossible* to make it secure unless you aggressively sanitize all your
> input.
>
> PHP is a truly horrible language (hey, I use it every day, so I should
> know...) and mail() stands out as one of the worst things about it.


All I remember about it is it's one of the functions I disabled on the 
hosting server I set up.  For those few customers that really 
wanted to use a PHP function to send mail, I provided a utility library 
with a much more restrictive email function (among other things, it 
stuck in a number of headers to make itself *very* easily identified), 
along with a few other functions for common SSI operations usually 
handled by Apache or standalone CGI scripts.


For most other customers, I provided a form-mail script that used the 
utility library's email sender.  To the best of my knowledge, neither 
has ever (in ~5 years since I wrote it) been abused for spamming.


-kgd


Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread David F. Skoll
PHP's mail() function is completely broken.  It is insecure, and it is
*impossible* to make it secure unless you aggressively sanitize all your
input.

PHP is a truly horrible language (hey, I use it every day, so I should
know...) and mail() stands out as one of the worst things about it.

I wrote a C program called "sendmail-wrapper.c" that makes it possible
to send mail safely from PHP.  It is invoked with no arguments, and reads
lines on stdin specifying envelope sender and recipient(s).  It then executes
Sendmail directly (using execve) so no shell is involved.

Regards,

David.


Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Jan Pieter Cornet
On Wed, Feb 15, 2006 at 08:54:59AM -0600, Jim McCullars wrote:
> > It's an old and well-known exploit. You can find a secure replacement for
> > the old Formmail here:
> 
> I may not have been as clear about this as I should have been.  This
> was not an exploit against the FormMail script from Matt's Script Archive.
> It was something called PHP FormMail Generator (which in spite of its name

This attack uses (some of) the same bugs as exploited in the FormMail.pl
script from Matt's Script Archive, but this is a completely new variety
because spammers are actively searching for exploitable formmail scripts
in any language, by automatically trying each script and inserting fake
headers in each successive form field, and seeing which ones are
susceptible to the attack, and in which way.

I've seen it happening since about September last year.



Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Steffen Kaiser

On Wed, 15 Feb 2006, Jim McCullars wrote:

You wrote that you've disabled CGI --
Dunno, but I wouldn't weigh PHP as more secure than "general" CGI ??

Bye,

--
Steffen Kaiser


Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Jim McCullars


On Wed, 15 Feb 2006, Kenneth Porter wrote:

> It's an old and well-known exploit. You can find a secure replacement for
> the old Formmail here:

I may not have been as clear about this as I should have been.  This
was not an exploit against the FormMail script from Matt's Script Archive.
It was something called PHP FormMail Generator (which in spite of its name
has nothing to do with formmail.pl).  The script in question came from
here:

http://phpfmg.sourceforge.net/home.php

Jim McCullars
University of Alabama in Huntsville




Re: [Mimedefang] OT: Don't let this happen to you

2006-02-15 Thread Kenneth Porter
--On Tuesday, February 14, 2006 1:26 PM -0600 Jim McCullars 
<[EMAIL PROTECTED]> wrote:

> I believe this exploit may be fairly new, in that I could find very
> little on the web about it.

It's an old and well-known exploit. You can find a secure replacement for 
the old Formmail here:



[Mimedefang] OT: Don't let this happen to you

2006-02-14 Thread Jim McCullars
Maybe this is only semi-OT since we do sometimes discuss spam issues not
strictly within the confines of MD/SA, but I wanted to share with the list
what happened to me yesterday.

I'm the administrator for, among other things, our campus web server.  I
thought I had taken all the right precautions:  Keep the machine patched,
run the latest Apache server release, don't let users install their own
CGI scripts, etc.  In spite of all that, I discovered to my horror
yesterday that the web server had been used to send thousands of spam
emails.  It may have even been in the tens of thousands.

How did they do it?  Via PHP.  Or rather, a user-installed PHP script that
was insecure.  The user didn't actually write it, it was created by
something called PHP FormMail Generator.  The resulting script is subject
to SMTP header injection, where by sending form variables (which are not
sanity-checked) with newlines, they can create a message within a message,
and deliver their spam courtesy of me.  I believe the spammers found this
script by Google searching for some comments that the script generator
puts in the resulting script.

Unfortunately, turning off PHP was not an option.  Neither is my
personally checking all PHP scripts.  The solution had to be at the server
side.  That's when I found an Apache module called mod_security.  It is
conceptually similar to MD in that you can apply filters against the HTTP
requests and return an error status if a filter is triggered.  When I came
in this morning, I found that it had blocked hundreds of attempts to
exploit this script (which had been disabled anyway) and only three false
positives (and I have tweaked the filter so that won't happen again).

I won't go into more details here, but if anyone wants to discuss this
further, feel free to contact me off-list.  But I will *strongly* urge
anyone who hosts web sites for users and runs PHP to look into this.  I
believe this exploit may be fairly new, in that I could find very little
on the web about it.  Don't let this happen to you.

Jim McCullars
University of Alabama in Huntsville

