recurring php/exim exploit

[bkusnir]

It appears that someone is exploiting a php script on one of my domains from multiple geographical locations (mostly from asis - according to the raw access log). They are using some sort of buffer underrun to inject code into the script to send email bombs using smtp via the localhost mail user. Each message has many email addresses in to the to: field, although the messages are not large but it will degrade the performance of the server once several dozen of them have accumulated since exim trys to process them. This causes the CPU to spike and eventually it is difficult to get into WHM or open a SSH shell. Twice now I have had to rapid reboot, login, kill the spawning exim processes, stop the exim service and clear the mail queue. I have corrected the flaw in the offending script, but how can I write an ACL in exim to prevent a message from being sent that has over a certain number addresses listed in the to: field to prevent the messages from entering the queue? Can this be done with mod_security?

[ramprage]

You should be able to setup some mod-security rules to limit the amount of receipients in the POST header of a message, eg if it reaches more than X log action and deny. You're going to need to read the mod_security howto and setup a regex.

[HostMerit]

Post / PM me any logs that show them accessing / exploiting. This can help, so I can possibly setup a mod_security rule specific to your server.

[bkusnir]

You should be able to setup some mod-security rules to limit the amount of receipients in the POST header of a message, eg if it reaches more than X log action and deny. You're going to need to read the mod_security howto and setup a regex.

where is the mod_security howto located? I don't believe I have that module installed.

--Thanks

[jeroman8]

in whm under cpanel addons modules - mark mod_security and it will be installed.
Serach for Hostmerit here in forum after mod_security rules, they have good rules.

[bkusnir]

in whm under cpanel addons modules - mark mod_security and it will be installed.
Serach for Hostmerit here in forum after mod_security rules, they have good rules.

Is this OK to install even though it is BETA?

[webignition]

Is this OK to install even though it is BETA?

Yes, perfectly fine.

[bkusnir]

OK all installed, that was easy. Now how do I get started writing rules? Is there a good howto somewhere? I sent MeritHosting my access logs.

[ramprage]

Check out http://www.modsecurity.org/documentation/index.html

[HostMerit]

Unfortunately you sent me everything but the day you were exploited.

[neonix]

Hostmerit,

My server was email bombed today; thankfully I was could suspend the account and control the load which had shot to over 800.

16:49:46 up 136 days, 18:54, 2 users, load average: 64.64, 418.19, 311.23
2920 processes: 2496 sleeping, 2 running, 421 zombie, 1 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 27.2% 0.0% 8.9% 0.0% 0.4% 39.7% 23.5%
cpu00 24.4% 0.0% 8.6% 0.3% 1.3% 26.5% 38.6%
cpu01 32.0% 0.0% 7.9% 0.0% 0.0% 20.0% 40.0%
cpu02 25.0% 0.0% 12.6% 0.0% 0.1% 55.3% 6.7%
cpu03 27.4% 0.0% 6.5% 0.0% 0.1% 57.0% 8.6%

This is a sample of the email that I retrived from mail queue manager...


1FMk7y-0005hR-ET-H
root 0 0
<root@resmail1.linuxgal.com>
1143198406 0
-helo_name resmail1.linuxgal.com
-host_address 206.123.73.247.61308
-interface_address xx.xx.xxx.xxx.25 (This is my server I.P.)
-received_protocol smtp
-body_linecount 20
XX
1
clientname@clientdomain.tld

196P Received: from [206.123.73.247] (helo=resmail1.linuxgal.com)
by hostname.tld with smtp (Exim 4.52)
id 1FMk7y-0005hR-ET
for clientname@clientdomain.tld; Fri, 24 Mar 2006 16:36:24 +0530
071P Received: (qmail 86332 invoked by uid 398); 24 Mar 2006 11:07:17 -0000
033 Date: 24 Mar 2006 11:07:17 -0000
063I Message-ID: <xxxxyyyyzzzz17.86329.qmail@resmail1.linuxgal.com>
033F From: root@resmail1.linuxgal.com
037T To: clientname@clientdomain.tld
026 Subject: Bulk-Push Failed
081 X-PHP-Script: clientname -admin.mktgarchitects.us/remote_connector.php for yy.y.yy.yy
081 X-PHP-Script: clientname-admin.mktgarchitects.us/remote_connector.php for yy.yy.yy.yy (yy.yy.yy.yy is the client's I.P. address from where he accesses the server )


1FMk7y-0005hR-ET-D
Client Id : 222
Dialog Id : 621
Connector Id : 88
Starting row : 0
Record count : 200


Query :
SELECT l.id FROM results as r, dialog_visitors as v, dialog_leads as l WHERE r.surveyID =621 AND r.status > 0 AND r.visitorID=v.id AND v.id=l.id AND concat_ws(',',l.fname,l.lname,l.name,l.email,l.phone)!='' AND l.active=1 GROUP BY v.id ORDER BY l.id ASC LIMIT 0,50

Count of visitor pulled from db : 50

Could not push visitor : 176966

Could not push visitor : 176966

Could not push visitor : 176966

Could not push visitor : 176966



Any modsecurity rule that will prevent email bombs from crippling the server.

Thanks,
Neonix.

[cyrus]

Neonix:

What you have hear is failure to communicate i.e. this looks like a vBulletin / IPB error message being sent to the respective site admin upon mysql failure. This usually happens when such a forum goes down and their board starts sending notices to the site's admin.
The reason this is problematic is that for every click to the forum - there will be a mail sent... so a high traffic site would easily bombard the server with tonnes of mails...
I would suggest you temporarily disable this account and resolve the issue with your customer.