[vchkpw] OT, but abuse related

2005-09-27 Thread Clayton Weise
I know this is way off topic, but there are a lot of really smart people
on this list so I'm hoping to get some ideas here.  I've got a web
server that has some kind of formmail-esque script that is being
horribly abused but I can't find it.  The server (shut down qmail-send
on it for now) is spewing out messages by the hundreds, if not
thousands, and I can't seem to center down on which site has the
offending script.  Again, it's pretty off topic but I'm just looking for
some help here... please.

Thanks,
Clayton


Re: [vchkpw] OT, but abuse related

2005-09-27 Thread mike

Sent from the wrong address so it didn't make it to the list..

On Tue, 27 Sep 2005, Mike Garrison wrote:


Hi Clayton,

I can tell you what's going on. It's a fairly new exploit that spammers are 
starting to highly utilize. There are a few ways this occurs:


1) the form does not check for \n or \r, so when they input data they are
   able to hard-insert a return and create their own mail headers
2) the form does not check for MIME, so they are able to exploit it that way
   too.


Check for forms that use the PHP mail() function. It's a pain, but it's the 
way I had to do it.


Example of a form I had to fix:

// preg_match() stands in for the eregi() call of the original, which PHP 7
// removed; the test is the same: a CR, an LF or a MIME header in the
// address field means someone is trying to add their own mail headers.
if (preg_match('/[\r\n]/', $email) || preg_match('/Content-Type:/i', $email)) {
    mail("[EMAIL PROTECTED]", "Warning, spam attempt on X",
         gethostbyaddr($_SERVER['REMOTE_ADDR']), "From: [EMAIL PROTECTED]");
    die("Thanks for attempting to spam. We've notified the admin.");
}
else {
    mail("[EMAIL PROTECTED]", "Feedback Form Results",
         "Email: $email\n Message: $message", "From: $email");
    header("Location: http://www.blah.com/thanks.php");
}

If you need more help, feel free to contact me off the list.

--
Mike Garrison
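
The same check in Python, as an added example that is not Mike's code and not from the thread: the visitor's address is validated (CR/LF, smuggled Content-Type/Cc/Bcc headers, and anything that is not a single plain address are rejected) before it reaches the mail library, the library then assembles the message so the free-text body cannot become headers, and the visitor's address goes into Reply-To rather than From. The addresses and the recipient default are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.policy import SMTP

# A CR or LF in a header value ends that header and starts a new one, which is
# how a form field becomes the submitter's own Bcc list; a smuggled
# Content-Type/Cc/Bcc header is the MIME variant mentioned in the thread.
_HEADER_INJECTION = re.compile(r"[\r\n]|(?:content-type|bcc|cc)\s*:", re.IGNORECASE)

# Deliberately simple address shape: one local part, one domain, no
# whitespace, angle brackets or list separators.
_ADDRESS = re.compile(r"[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+")


def is_injection_attempt(value: str) -> bool:
    """True if a form field would let the submitter add mail headers."""
    return _HEADER_INJECTION.search(value) is not None


def validate_sender_address(value: str) -> str:
    """Return the address unchanged, or raise ValueError for anything that is
    not a single plain address."""
    if is_injection_attempt(value) or _ADDRESS.fullmatch(value) is None:
        raise ValueError("rejected sender address")
    return value


def build_feedback_mail(sender: str, message: str,
                        recipient: str = "webmaster@example.com") -> EmailMessage:
    """Safe counterpart of the form's mail() call.

    The address is validated first; the email library then builds the message,
    so the body may contain anything (even lines that look like headers)
    without those lines becoming headers.  The visitor's address is placed in
    Reply-To, not From, so the site never sends mail "from" arbitrary domains.
    """
    sender = validate_sender_address(sender)
    msg = EmailMessage(policy=SMTP)
    msg["From"] = f"Feedback form <{recipient}>"
    msg["To"] = recipient
    msg["Reply-To"] = sender
    msg["Subject"] = "Feedback Form Results"
    msg.set_content(f"Email: {sender}\nMessage: {message}\n")
    return msg


if __name__ == "__main__":
    # Constructed input: a body that tries to look like a Bcc header.
    print(build_feedback_mail("bob@example.com", "Hello\nBcc: victim@example.net"))
```

Rejecting the field outright (rather than stripping the line breaks) is the right default for a contact form: a legitimate visitor never needs a newline in their address, and a silent clean-up would hide the abuse attempts you want to log.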




Re: [vchkpw] OT, but abuse related

2005-09-27 Thread Tom Collins

On Sep 27, 2005, at 9:52 AM, Clayton Weise wrote:
> I know this is way off topic, but there are a lot of really smart people
> on this list so I'm hoping to get some ideas here.  I've got a web
> server that has some kind of formmail-esque script that is being
> horribly abused but I can't find it.  The server (shut down qmail-send
> on it for now) is spewing out messages by the hundreds, if not
> thousands, and I can't seem to center down on which site has the
> offending script.  Again, it's pretty off topic but I'm just looking for
> some help here... please.


Assuming you're running VirtualHosts with apache, here's what I've done 
in a similar situation.


If your directory structure works for this, you can look at all of the 
access logs for your virtual hosts:


ls -l */*/logs/access_log

Run it once, and dump to a file.  Run it again a few minutes later and 
dump to a file.  Do a diff -u on the file and you'll only see sites 
getting hits.  Look for the ones with fast-growing log files, and then 
manually examine those logs.  Note that you might need to look at the 
error_log as well, as there might be a script that generates an error 
yet still sends the email.


If your directory structure isn't organized well enough to find all the 
access_log files, you'll have to write a script that goes through your 
apache configuration files looking for the TransferLog (or ErrorLog) 
setting, and check the size of the log.


Another quick idea is to run `locate formmail` and `locate FormMail` to 
spot some quick possibilities.


Good luck.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/



RE: [vchkpw] OT, but abuse related

2005-09-27 Thread Clayton Weise
> Run it once, and dump to a file.  Run it again a few minutes later and 
> dump to a file.  Do a diff -u on the file and you'll only see sites 
> getting hits. 

Tried something similar but the interesting thing is that it isn't
getting a lot of hits but the messages that go out have a TON of
recipients.  One message might have 500 RCPT TO's in it, but it only
gets tagged as one hit to the page.




Re: [vchkpw] OT, but abuse related

2005-09-27 Thread Lars Uhlmann
On Tue, 27 Sep 2005 09:52:39 -0700
Clayton Weise [EMAIL PROTECTED] wrote:

> I know this is way off topic, but there are a lot of really smart
> people on this list so I'm hoping to get some ideas here.  I've got a
> web server that has some kind of formmail-esque script that is being
> horribly abused but I can't find it.  The server (shut down qmail-send
> on it for now) is spewing out messages by the hundreds, if not
> thousands, and I can't seem to center down on which site has the
> offending script.  Again, it's pretty off topic but I'm just looking
> for some help here... please.

To get the path of the script that is sending mail you could do this:

Write a wrapper for qmail-inject. From within the wrapper you'll find
the path of the caller script in the environment variable $PWD (assuming
bourne[again]shell)

here is a wrapper example:

,-[ qmail-inject.wrapper ]
| #! /bin/bash
| 
| ORIG_INJECT=/var/qmail/bin/qmail-inject.djb_original
| RETURN_PATH=[EMAIL PROTECTED]
| TMPFILE=`mktemp`
| DATETIME=`date "+%d.%m.%Y %H:%M:%S"`
| 
| # send desired information to myself
| # first the mail header
| echo "From: [EMAIL PROTECTED]" >> $TMPFILE
| echo "To: [EMAIL PROTECTED]" >> $TMPFILE
| echo -ne "Subject: [$DATETIME] something meaningful\n\n" >> $TMPFILE
| 
| # now the message body
| echo -e "PWD: $PWD\n" >> $TMPFILE
| echo -e "\n- original e-mail below -\n" >> $TMPFILE
|
| # save the original message for our mail and pass it on to the real
| # qmail-inject, together with the caller's command line arguments
| tee -a $TMPFILE | $ORIG_INJECT -f$RETURN_PATH "$@"
|
| # send the log mail (recipients are taken from its header)
| $ORIG_INJECT < $TMPFILE
| rm -f $TMPFILE
| 
| # local logging
| /usr/bin/logger -p mail.info -t qmail-wrapper "command line parameters: $*"
`-

Don't forget to change the symbolic link /usr/sbin/sendmail (normally
linked to $QMAILDIR/bin/sendmail) to $QMAILDIR/bin/qmail-inject. If
the link stays unchanged and the script uses /usr/bin/sendmail 
»qmail-inject« is invoked by $QMAILDIR/bin/sendmail and therefore $PWD
will be equal to $QMAILDIR/bin.

HTH
Lars
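
The same pass-through idea in Python, as an added example that is not Lars's wrapper: it records the caller's working directory and, where /proc is available, the parent process command line (which usually names the script even when the working directory does not), logs one greppable line to syslog, then hands the arguments and the message to the real binary unchanged and preserves its exit status. The renamed original binary path follows Lars's post; the log line format and the sample values in the usage are my own.

```python
#!/usr/bin/env python3
"""Logging pass-through installed in place of /var/qmail/bin/qmail-inject.

Added example (not Lars's wrapper): records who invoked it, then hands the
message to the real, renamed binary untouched.
"""
import os
import shlex
import subprocess
import sys
import syslog

# Renamed original, as in the thread; adjust to the local installation.
REAL_INJECT = "/var/qmail/bin/qmail-inject.djb_original"


def parent_command_line(ppid, proc_root="/proc"):
    """Command line of the calling process from /proc, or '?' if unreadable.

    Together with the working directory this usually names the script, even
    when the script changed directory before calling sendmail.
    """
    try:
        with open(f"{proc_root}/{ppid}/cmdline", "rb") as fh:
            raw = fh.read()
    except OSError:
        return "?"
    return raw.replace(b"\0", b" ").decode("utf-8", "replace").strip() or "?"


def format_log_line(cwd, parent_cmd, argv):
    """One key=value line; shell quoting keeps the fields unambiguous."""
    args = " ".join(shlex.quote(a) for a in argv) or "-"
    return (f"cwd={shlex.quote(cwd)} parent={shlex.quote(parent_cmd)} "
            f"args={shlex.quote(args)}")


def main():
    message = sys.stdin.buffer.read()          # the complete message from the caller
    entry = format_log_line(os.getcwd(),
                            parent_command_line(os.getppid()),
                            sys.argv[1:])
    syslog.openlog("qmail-wrapper", 0, syslog.LOG_MAIL)
    syslog.syslog(syslog.LOG_INFO, entry)
    # Arguments and message go through unchanged and the exit status is kept,
    # so legitimate callers never notice the wrapper.
    result = subprocess.run([REAL_INJECT, *sys.argv[1:]], input=message)
    return result.returncode


if __name__ == "__main__":
    sys.exit(main())
```

Once the line is in the mail log, `grep qmail-wrapper` followed by a count per `cwd=` value points straight at the directory that produces the most injections, which is the same signal Lars's log mails give, without mailing yourself a copy of every message.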


RE: [vchkpw] OT, but abuse related

2005-09-27 Thread jason_wilk
Clayton Weise wrote:
> > Run it once, and dump to a file.  Run it again a few minutes later
> > and dump to a file.  Do a diff -u on the file and you'll only see
> > sites getting hits.
> 
> Tried something similar but the interesting thing is that it isn't
> getting a lot of hits but the messages that go out have a TON of
> recipients.  One message might have 500 RCPT TO's in it, but it only
> gets tagged as one hit to the page.   
 

Grep the apache logs for POST. The referrer will often be left blank and
makes them easy to spot.
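
Tom's step of examining the access logs of the busy sites and jason_wilk's grep for POSTs with a blank referrer, combined into a small Python analyser as an added example that is not from the thread. It parses combined-format log lines, keeps only POST requests, and ranks the target scripts by total POSTs, POSTs with an empty referrer and the number of distinct client addresses, so a form hammered from a couple of addresses with no referrer floats to the top even when the hit count is low. The log lines, paths and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: three POSTs to a CGI form with no referrer from two
# clients, one legitimate form post that arrived from the site's own page,
# an ordinary GET, and a line that does not parse at all.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Sep/2005:09:40:01 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Sep/2005:09:40:05 -0700] "GET /index.html HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2005:09:41:12 -0700] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.9 - - [27/Sep/2005:09:42:30 -0700] "POST /contact/send.php HTTP/1.1" 302 0 "http://www.example.com/contact/" "Mozilla/5.0"
203.0.113.77 - - [27/Sep/2005:09:43:00 -0700] "POST /cgi-bin/formmail.pl?x=1 HTTP/1.0" 200 512 "-" "-"
garbage line that does not parse
"""


def parse_line(line):
    """Fields of one combined-format line, or None if it does not match."""
    m = _COMBINED.match(line)
    return m.groupdict() if m else None


def rank_post_targets(lines):
    """Rank scripts that receive POSTs.

    Returns (path, posts, posts_without_referer, distinct_clients) tuples,
    most suspicious first: many POSTs with an empty referrer from few sources
    is the pattern described in the thread.
    """
    posts = defaultdict(int)
    blank = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]      # ignore the query string
        posts[path] += 1
        if rec["referer"] in ("", "-"):
            blank[path] += 1
        clients[path].add(rec["client"])
    rows = [(p, posts[p], blank[p], len(clients[p])) for p in posts]
    rows.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return rows


if __name__ == "__main__":
    for path, total, no_ref, n_clients in rank_post_targets(SAMPLE_LOG.splitlines()):
        print(f"{total:5d} POSTs  {no_ref:5d} without referrer  "
              f"{n_clients:3d} clients  {path}")
```

Feed it the concatenated access logs of the virtual hosts that grew between Tom's two snapshots (`cat */*/logs/access_log | python3 rank_posts.py`, with the loop changed to read `sys.stdin`); a script that shows few POSTs but thousands of outgoing recipients will still stand out here by the missing referrer, which is exactly the case Clayton describes.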







RE: [vchkpw] OT, but abuse related

2005-09-27 Thread Clayton Weise
Bingo, that one did the trick.  I didn't realize that qmail's sendmail
binary was calling on qmail-inject.  After putting that wrapper in place
I was able to find some old cgi script that was being exploited and have
now disabled it.  Again, thanks so much.  This actually allowed me to
fix another nasty problem I was having on a different mail server where
customers would occasionally bulk mail a bunch of users and tracing
them down was typically very difficult.  Now I'll be able to track this
much easier, thanks so much!

-Clayton
