  1. #1
    Member
    Join Date
    Oct 2001
    Posts
    348

    Spammer is using your cgiemail?!!

    Hi!
    One of my servers showed high load a few days ago. I didn't have time to deal with it at that time; I just noticed that the server was under high load, shut down some of the sites I thought might be causing problems, and checked this and that on the server. Finally, I noticed there were some messages in the mail queue, and each mail sent a lot of BCCs to aol.com addresses; now I began to realize that my server had been hijacked.

    Check this page:
    http://ask-leo.com/a_spammer_is_usin...t_do_i_do.html

    I think it explains it in more detail.

    After I changed the httpd.conf setting, removed the cgi-sys aliases and moved cgiemail to another file name (maybe I should just delete it), my server load quickly dropped back to normal.

    I don't know if anyone else has had a problem like this, or maybe has a better way to solve this cgiemail problem. I hope someone can share more information with us, thanks.


    James

  2. #2
    Member
    Join Date
    Oct 2001
    Posts
    348

    Anyone got a better idea to replace the usage of cgiemail?

    Is there a good PHP script that can substitute for cgiemail?
    Last edited by jameshsi; 11-13-2006 at 10:19 PM.

  3. #3
    Member
    Join Date
    Jul 2004
    Posts
    496

    Nope, but you could try ticking the box in WHM >> Tweak Settings: "Silently Discard all FormMail-clone requests with a bcc: header in the subject line"


  5. #5
    Member
    Join Date
    Oct 2001
    Posts
    348

    Quote Originally Posted by kernow View Post
    Nope, but you could try ticking the box in WHM >> Tweak Settings: "Silently Discard all FormMail-clone requests with a bcc: header in the subject line"
    Really appreciated.

  6. #6
    Member verdon's Avatar
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792

    mod_security rules for catching Cc and Bcc header injections in other scripts can help too.

  7. #7
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    A lot of form mail scripts allow you to specify who the email is to with a form field. Don't use one of those, as they're really easy to hijack.

    As someone said above, use mod_security rules to make it harder to hijack form scripts on the server.

    If you run phpsuexec, you can limit the number of emails sent per account per hour, which allows you to limit the damage from spammers when they hijack scripts. Not a permanent solution, but it helps.

    Also, install CSF - http://www.configserver.com/cp/csf.html - it will detect large numbers of emails going out and alert you via email.
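The kind of check the WHM tweak and the mod_security rules in this thread perform, as an added Python example (not code from this thread, from cgiemail or from cPanel): the recipient comes from a server-side allow-list rather than a form field, and single-line header fields are rejected if they carry a line break or a Bcc:/Cc:-style header; the field names, allow-list and sample submissions are constructed for the example.

```python
import re

# Anything that breaks a single-line header field onto a new line, or that
# names a header (Bcc:, Cc:, To:, ...) at the start of a line, is treated as
# an injection attempt; the "bcc: in the subject line" tweak catches one such case.
_CRLF = re.compile(r"[\r\n]")
_HEADER_INJECT = re.compile(
    r"(?:^|[\r\n])\s*(?:bcc|cc|to|from|content-type|mime-version)\s*:",
    re.IGNORECASE,
)
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed allow-list: the form may only deliver to addresses fixed server-side,
# never to an arbitrary address chosen by a form field.
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}


def check_form_submission(fields, allowed=ALLOWED_RECIPIENTS):
    """Return (ok, reason) for a dict of submitted form fields."""
    if fields.get("to", "") not in allowed:
        return False, "recipient not on the server-side allow-list"
    for name in ("to", "from", "subject"):
        value = fields.get(name, "")
        if _CRLF.search(value):
            return False, f"line break in header field {name!r}"
        if _HEADER_INJECT.search(value):
            return False, f"injected header in field {name!r}"
    if not _ADDR.match(fields.get("from", "")):
        return False, "sender is not a plain address"
    return True, "ok"


def build_message(fields, allowed=ALLOWED_RECIPIENTS):
    """Build the raw message only after the submission passed the checks."""
    ok, reason = check_form_submission(fields, allowed)
    if not ok:
        raise ValueError(reason)
    headers = [f"To: {fields['to']}", f"From: {fields['from']}",
               f"Subject: {fields['subject']}"]
    return "\r\n".join(headers + ["", fields.get("body", "")])


# Constructed sample submissions: a normal one and one carrying a Bcc: header.
CLEAN = {"to": "sales@example.com", "from": "alice@example.org",
         "subject": "Quote request", "body": "Please send prices."}
INJECTED = {"to": "sales@example.com", "from": "alice@example.org",
            "subject": "Hello\r\nBcc: someone@example.net", "body": "..."}
```

Run `check_form_submission(INJECTED)` to see the rejection reason; the same check can be applied to any field a template places in the header section.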

  8. #8
    Member
    Join Date
    Oct 2001
    Posts
    348

    Quote Originally Posted by verdon View Post
    mod_security rules for catching Cc and Bcc header injections in other scripts can help too.
    Can you show me the URL for these mod_security rules?
    Appreciated!

  9. #9
    Member verdon's Avatar
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792

    Quote Originally Posted by jameshsi View Post
    Can you show me the URL for these mod_security rules?
    Appreciated!
    Assuming you have mod_security installed... there are a lot of rules out there. Doing a search here will bring you lots of results. Personally, these rules have been working for me and don't add too much overhead:
    http://hostmerit.com/modsec.user.conf

  10. #10
    Member
    Join Date
    Oct 2001
    Posts
    348

    Quote Originally Posted by verdon View Post
    ...., these rules have been working for me and don't add too much overhead:
    http://hostmerit.com/modsec.user.conf
    What do you mean by overhead?
    You mean if I add too many rules, it might cause server load?

  11. #11
    Member verdon's Avatar
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792

    Quote Originally Posted by jameshsi View Post
    What do you mean by overhead?
    You mean if I add too many rules, it might cause server load?
    Yes, especially if you are using Apache 1.3.x. That's the trouble with the very thorough rules at gotroot.com. Rules of that volume and complexity are apparently much better with Apache 2, but I think you're better off keeping it simple with Apache 1.3.

  12. #12
    Member
    Join Date
    Oct 2001
    Posts
    348

    Really appreciated! I did use the gotroot.com rules before you posted this reply, and the load was quite high!

  13. #13
    Member
    Join Date
    Oct 2001
    Posts
    348

    I still have a question: if I should not copy all the content of your conf file, what part should I use?

  14. #14
    ujr
    Member
    Join Date
    Mar 2004
    Posts
    294

    gotroot has a set of rules that should work fine on Apache 1.3. Just make sure you don't run the Apache 2-compatible-only rules; that would wreak havoc.

    All in all, the rules provided at gotroot do their job quite efficiently, and although you may see a slightly higher load, you can also customize or omit the rules that you know you will never use/need, since many of the rules are application-specific. Just think of the server-based rules for JSP servlets, for instance, when you may not run Tomcat, Resin, etc.

    Anyway, in my opinion, while it's nice to have mod_security built into cPanel, it's not the most efficient way of running it either... and you'll get way better performance building the install yourself. Don't use the cPanel mod_security (IMHO).

    Also, don't forget, any reasonably 'savvy' user can disable mod_security with .htaccess if you haven't prevented that in your system's config. All they'd need is:

    SecFilterEngine Off
    SecFilterCheckURLEncoding Off

  15. #15
    Member Solokron's Avatar
    Join Date
    Aug 2003
    Posts
    783

    If running Apache 1.x, you can prevent mod_security from being disabled via .htaccess by building the module with the following:

    cd /usr/src/modsecurity-apache-1.9.1/apache1
    /usr/local/apache/bin/apxs -ci -D DISABLE_HTACCESS_CONFIG mod_security.c
    /scripts/restartsrv_httpd
