bkusnir (Member, Aug 8, 2003)
It appears that someone is exploiting a PHP script on one of my domains from multiple geographical locations (mostly from Asia, according to the raw access log). They are using some sort of buffer underrun to inject code into the script to send email bombs using SMTP via the localhost mail user. Each message has many email addresses in the To: field; although the messages are not large, they will degrade the performance of the server once several dozen of them have accumulated, since exim tries to process them. This causes the CPU to spike, and eventually it is difficult to get into WHM or open an SSH shell. Twice now I have had to rapid reboot, log in, kill the spawning exim processes, stop the exim service and clear the mail queue. I have corrected the flaw in the offending script, but how can I write an ACL in exim to prevent a message from being sent that has over a certain number of addresses listed in the To: field, to prevent the messages from entering the queue? Can this be done with mod_security?
 

ramprage (Well-Known Member, Jul 21, 2002, Canada)
You should be able to set up some mod_security rules to limit the number of recipients in the POST header of a message, e.g. if it reaches more than X, log the action and deny. You're going to need to read the mod_security howto and set up a regex.
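The counting logic such a rule encodes, written here in Python rather than in mod_security syntax so it can be run and tested (this is an added example, not code from this thread or from ramprage; the field names, the limit of 10 and the two sample form submissions are assumptions). It compares a naive comma count, the address regex a WAF rule would repeat with a counting quantifier, and a proper address-list parser, then accepts or denies a form submission by its To/Cc/Bcc total:

```python
"""Recipient-count check for a form-mail handler (or the WAF rule in front
of it).  Added example; field names, limit and sample data are assumptions."""
import re
from email.utils import getaddresses

MAX_RECIPIENTS = 10  # assumed policy: a submission addressed to more is denied

# One loose address token; a WAF rule counts recipients by repeating a
# pattern like this with a {N,} quantifier.
ADDR_RE = re.compile(r'[^\s@,;<>"]+@[^\s@,;<>"]+')


def count_by_commas(field):
    """Naive count: split on commas.  Over-counts quoted display names."""
    return len([part for part in field.split(",") if part.strip()])


def count_by_regex(field):
    """Count address-shaped tokens, as a regex-based rule would."""
    return len(ADDR_RE.findall(field))


def count_by_parser(field):
    """RFC 2822 address-list parse; '"Doe, Jane" <j@x>' counts as one."""
    return sum(1 for _name, addr in getaddresses([field]) if addr)


def check_form(form, limit=MAX_RECIPIENTS):
    """Return (allowed, recipient_count, reason) for one POSTed form."""
    total = sum(count_by_parser(form.get(key, "")) for key in ("to", "cc", "bcc"))
    if total == 0:
        return False, total, "no recipients"
    if total > limit:
        return False, total, f"{total} recipients exceeds limit of {limit}"
    return True, total, "ok"


# Constructed sample submissions (example.com addresses, not real data).
LEGIT_FORM = {"to": '"Doe, Jane" <jane@example.com>', "cc": "ops@example.com",
              "subject": "hello", "body": "..."}
BOMB_FORM = {"to": ", ".join(f"user{i}@example.com" for i in range(25)),
             "subject": "x", "body": "x"}

if __name__ == "__main__":
    for label, form in (("legit", LEGIT_FORM), ("bomb", BOMB_FORM)):
        print(label, check_form(form))
    to = LEGIT_FORM["to"]
    print("commas:", count_by_commas(to), "regex:", count_by_regex(to),
          "parser:", count_by_parser(to))
```

The three counters disagree on the legitimate form: splitting on commas reports two recipients for a single quoted display name, while both the address regex and the parser report one. A rule that counts address tokens rather than separators therefore avoids blocking ordinary mail while still denying the 25-address submission.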
 

HostMerit (Well-Known Member, Oct 24, 2004, New Jersey, USA; cPanel Access Level: DataCenter Provider)
Post / PM me any logs that show them accessing / exploiting. This can help, so I can possibly setup a mod_security rule specific to your server.
 

bkusnir (Member, Aug 8, 2003)
ramprage said:
You should be able to set up some mod_security rules to limit the number of recipients in the POST header of a message, e.g. if it reaches more than X, log the action and deny. You're going to need to read the mod_security howto and set up a regex.
Where is the mod_security howto located? I don't believe I have that module installed.

--Thanks
 

jeroman8 (Well-Known Member, Mar 14, 2003)
In WHM under cPanel Addons Modules, mark mod_security and it will be installed.
Search for HostMerit here in the forum for mod_security rules; they have good rules.
 

bkusnir (Member, Aug 8, 2003)
jeroman8 said:
In WHM under cPanel Addons Modules, mark mod_security and it will be installed.
Search for HostMerit here in the forum for mod_security rules; they have good rules.
Is this OK to install even though it is BETA?
 

bkusnir (Member, Aug 8, 2003)
OK all installed, that was easy. Now how do I get started writing rules? Is there a good howto somewhere? I sent MeritHosting my access logs.
 

neonix (Well-Known Member, Oct 21, 2004)
Email Bomb attack

Hostmerit,

My server was email bombed today; thankfully I was able to suspend the account and control the load, which had shot to over 800.

16:49:46 up 136 days, 18:54, 2 users, load average: 64.64, 418.19, 311.23
2920 processes: 2496 sleeping, 2 running, 421 zombie, 1 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 27.2% 0.0% 8.9% 0.0% 0.4% 39.7% 23.5%
cpu00 24.4% 0.0% 8.6% 0.3% 1.3% 26.5% 38.6%
cpu01 32.0% 0.0% 7.9% 0.0% 0.0% 20.0% 40.0%
cpu02 25.0% 0.0% 12.6% 0.0% 0.1% 55.3% 6.7%
cpu03 27.4% 0.0% 6.5% 0.0% 0.1% 57.0% 8.6%

This is a sample of the email that I retrieved from the mail queue manager...


1FMk7y-0005hR-ET-H
root 0 0
<[email protected]>
1143198406 0
-helo_name resmail1.linuxgal.com
-host_address 206.123.73.247.61308
-interface_address xx.xx.xxx.xxx.25 (This is my server I.P.)
-received_protocol smtp
-body_linecount 20
XX
1
[email protected]

196P Received: from [206.123.73.247] (helo=resmail1.linuxgal.com)
by hostname.tld with smtp (Exim 4.52)
id 1FMk7y-0005hR-ET
for [email protected]; Fri, 24 Mar 2006 16:36:24 +0530
071P Received: (qmail 86332 invoked by uid 398); 24 Mar 2006 11:07:17 -0000
033 Date: 24 Mar 2006 11:07:17 -0000
063I Message-ID: <[email protected]>
033F From: [email protected]
037T To: [email protected]
026 Subject: Bulk-Push Failed
081 X-PHP-Script: clientname -admin.mktgarchitects.us/remote_connector.php for yy.y.yy.yy
081 X-PHP-Script: clientname-admin.mktgarchitects.us/remote_connector.php for yy.yy.yy.yy (yy.yy.yy.yy is the client's I.P. address from where he accesses the server )


1FMk7y-0005hR-ET-D
Client Id : 222
Dialog Id : 621
Connector Id : 88
Starting row : 0
Record count : 200


Query :
SELECT l.id FROM results as r, dialog_visitors as v, dialog_leads as l WHERE r.surveyID =621 AND r.status > 0 AND r.visitorID=v.id AND v.id=l.id AND concat_ws(',',l.fname,l.lname,l.name,l.email,l.phone)!='' AND l.active=1 GROUP BY v.id ORDER BY l.id ASC LIMIT 0,50

Count of visitor pulled from db : 50

Could not push visitor : 176966

Could not push visitor : 176966

Could not push visitor : 176966

Could not push visitor : 176966



Is there any mod_security rule that will prevent email bombs from crippling the server?

Thanks,
Neonix.
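Before writing a rule it helps to know which script is filling the queue. The following is an added Python example (not from this thread or from any of its posters) that reads the header section of Exim spool -H files in the layout pasted above, counts the To: recipients of each queued message and groups the queue by the X-PHP-Script header that appears in the paste. The spool text it runs on is constructed with example.test names, the message ids are made up, and the three-digit length prefixes are placeholders that the parser does not use:

```python
"""Triage queued messages from Exim spool -H header sections: recipients per
message and which PHP script produced them.  Added example; sample spool text
below is constructed (example.test hosts, made-up ids, placeholder lengths)."""
import re
from collections import Counter
from email.utils import getaddresses

# 'NNN<flag> Name: value' where NNN is the header length and the flag marks
# the header type (P=Received, I=Message-ID, F=From, T=To, space=other).
# The second space after the flag is optional because pastes often collapse it.
HEADER_LINE = re.compile(r"^\d{3}([A-Z* ]) ?([!-9;-~]+):(.*)$")


def parse_spool_headers(text):
    """Return (message_id, [(name, value), ...]) from one -H file's text."""
    msg_id, headers, in_headers = None, [], False
    for line in text.splitlines():
        if msg_id is None and line.endswith("-H"):
            msg_id = line[:-2]          # first line is '<message-id>-H'
            continue
        m = HEADER_LINE.match(line)
        if m:
            in_headers = True
            headers.append([m.group(2), m.group(3).strip()])
        elif in_headers and line.strip():
            headers[-1][1] += " " + line.strip()   # folded continuation line
        elif in_headers:
            break                                   # blank line ends headers
    return msg_id, [(name, value) for name, value in headers]


def header(headers, name):
    """First value of a header, case-insensitive; '' if absent."""
    return next((v for n, v in headers if n.lower() == name.lower()), "")


def triage(spool_texts, to_limit=10):
    """One row per message: id, originating script, To: count, flagged."""
    rows = []
    for text in spool_texts:
        msg_id, hdrs = parse_spool_headers(text)
        to_count = sum(1 for _n, addr in getaddresses([header(hdrs, "To")]) if addr)
        script = header(hdrs, "X-PHP-Script").split(" for ")[0]  # drop ' for <ip>'
        rows.append({"id": msg_id, "script": script, "to_count": to_count,
                     "flagged": to_count > to_limit})
    return rows


def count_by_script(rows):
    """How many queued messages each script produced."""
    return Counter(r["script"] or "(no X-PHP-Script header)" for r in rows)


def _sample_spool(msg_id, to_field, script=None):
    """Construct a -H header section in the layout of the paste above."""
    lines = [f"{msg_id}-H", "root 0 0", "<bounce@example.test>", "1143198406 0",
             "-helo_name resmail1.example.test", "-received_protocol smtp",
             "XX", "1", "ops@example.test", "",
             "196P Received: from [192.0.2.5] (helo=resmail1.example.test)",
             "\tby mx.example.test with smtp (Exim 4.52)",
             f"\tid {msg_id}",
             "033  Date: 24 Mar 2006 11:07:17 -0000",
             f"063I Message-ID: <{msg_id}@example.test>",
             "033F From: www@example.test",
             f"037T To: {to_field}",
             "026  Subject: Bulk-Push Failed"]
    if script:
        lines.append(f"081  X-PHP-Script: {script} for 192.0.2.10")
    lines.append("")
    return "\n".join(lines)


SCRIPT = "example-admin.example.test/remote_connector.php"   # constructed name
SAMPLE_QUEUE = [
    _sample_spool("1AAAAA-000001-AA",
                  ", ".join(f"user{i}@example.test" for i in range(25)), SCRIPT),
    _sample_spool("1AAAAA-000002-AA", "admin@example.test", SCRIPT),
    _sample_spool("1AAAAA-000003-AA", "root@example.test"),
]

if __name__ == "__main__":
    rows = triage(SAMPLE_QUEUE)
    for r in rows:
        print(r)
    print(count_by_script(rows))
```

To use it on a live queue, read the -H files from the Exim spool input directory into a list of strings and pass that list to triage; the per-script counter points at the account to suspend, and the flagged rows are the messages that a recipient-count limit would have stopped. The notices in the paste above carry one To: address each, so they would not trip such a limit; their volume, not their recipient count, is the problem there.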
 

cyrus (Member, Mar 1, 2005)
Neonix:

What you have here is a failure to communicate :D i.e. this looks like a vBulletin / IPB error message being sent to the respective site admin upon MySQL failure. This usually happens when such a forum goes down and their board starts sending notices to the site's admin.
The reason this is problematic is that for every click to the forum there will be a mail sent... so a high-traffic site would easily bombard the server with tonnes of mail...
I would suggest you temporarily disable this account and resolve the issue with your customer.