The Community Forums


recurring php/exim exploit

Discussion in 'General Discussion' started by bkusnir, Mar 13, 2006.

  1. bkusnir

    bkusnir Member

    Joined:
    Aug 8, 2003
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    It appears that someone is exploiting a PHP script on one of my domains from multiple geographical locations (mostly from Asia, according to the raw access log). They are using some sort of buffer underrun to inject code into the script to send email bombs using SMTP via the localhost mail user. Each message has many email addresses in the To: field. The messages are not large, but they degrade the performance of the server once several dozen of them have accumulated, since exim tries to process them. This causes the CPU to spike, and eventually it is difficult to get into WHM or open an SSH shell. Twice now I have had to rapid reboot, log in, kill the spawning exim processes, stop the exim service and clear the mail queue. I have corrected the flaw in the offending script, but how can I write an ACL in exim to prevent a message that has over a certain number of addresses listed in the To: field from being sent, so that such messages never enter the queue? Can this be done with mod_security?
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    You should be able to set up some mod_security rules to limit the number of recipients in the POST body of a message, e.g. if it reaches more than X, log the action and deny. You're going to need to read the mod_security howto and set up a regex.
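    As an added illustration of the two controls discussed in this thread (a mod_security check on the form's POST payload and an exim-side check on the queued message's headers), not code from the thread or from cPanel: a Python script, with constructed sample inputs and a constructed limit of 10 recipients, that counts distinct recipient addresses at each layer and applies the same over-limit deny policy.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import parse_qs

# Constructed threshold for this example: tune it to what the form legitimately needs.
MAX_RECIPIENTS = 10
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def count_post_recipients(post_body: str) -> int:
    """Web-layer view (what a mod_security rule over the POST payload sees):
    count distinct e-mail addresses found in any field of a urlencoded form body."""
    found = set()
    for values in parse_qs(post_body, keep_blank_values=True).values():
        for value in values:
            found.update(addr.lower() for addr in ADDR_RE.findall(value))
    return len(found)


def count_header_recipients(raw_message: str) -> int:
    """MTA-layer view (what an exim DATA-time ACL sees): count distinct
    addresses across the To:, Cc: and Bcc: headers of a queued message."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return len({addr.lower() for _, addr in getaddresses(headers) if addr})


def decide(recipient_count: int, limit: int = MAX_RECIPIENTS) -> str:
    """Same policy at either layer: over the limit, log and deny; otherwise allow."""
    return "deny" if recipient_count > limit else "allow"


# Constructed samples: one normal contact-form submission and one recipient flood.
FORM_OK = "name=Ann&to=ann%40example.org&msg=hello"
FORM_FLOOD = "to=" + "%2C".join(f"user{i}%40example.net" for i in range(40)) + "&msg=x"
MSG_OK = "From: web@example.org\nTo: ann@example.org\nSubject: hi\n\nbody\n"
MSG_FLOOD = ("From: web@example.org\nTo: "
             + ", ".join(f"user{i}@example.net" for i in range(40))
             + "\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    for label, n in (("form ok", count_post_recipients(FORM_OK)),
                     ("form flood", count_post_recipients(FORM_FLOOD)),
                     ("msg ok", count_header_recipients(MSG_OK)),
                     ("msg flood", count_header_recipients(MSG_FLOOD))):
        print(f"{label}: {n} recipient(s) -> {decide(n)}")
```

    Exim itself exposes the recipient count to its ACLs as $recipients_count and also has a recipients_max main option, so the MTA-side half of this check can be enforced in exim's own configuration rather than in a script.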
     
  3. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Post / PM me any logs that show them accessing / exploiting. This can help, so I can possibly set up a mod_security rule specific to your server.
     
  4. bkusnir

    bkusnir Member

    Joined:
    Aug 8, 2003
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Where is the mod_security howto located? I don't believe I have that module installed.

    --Thanks
     
  5. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    In WHM, under cPanel Addons Modules, mark mod_security and it will be installed.
    Search for HostMerit here in the forum for mod_security rules; they have good rules.
     
  6. bkusnir

    bkusnir Member

    Joined:
    Aug 8, 2003
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Is this OK to install even though it is BETA?
     
  7. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Yes, perfectly fine.
     
  8. bkusnir

    bkusnir Member

    Joined:
    Aug 8, 2003
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    OK all installed, that was easy. Now how do I get started writing rules? Is there a good howto somewhere? I sent MeritHosting my access logs.
     
  9. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
  10. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Unfortunately you sent me everything but the day you were exploited. :D
     
  11. neonix

    neonix Well-Known Member

    Joined:
    Oct 21, 2004
    Messages:
    124
    Likes Received:
    2
    Trophy Points:
    0
    Email Bomb attack

    Hostmerit,

    My server was email bombed today; thankfully I could suspend the account and control the load, which had shot to over 800.

    16:49:46 up 136 days, 18:54, 2 users, load average: 64.64, 418.19, 311.23
    2920 processes: 2496 sleeping, 2 running, 421 zombie, 1 stopped
    CPU states: cpu user nice system irq softirq iowait idle
    total 27.2% 0.0% 8.9% 0.0% 0.4% 39.7% 23.5%
    cpu00 24.4% 0.0% 8.6% 0.3% 1.3% 26.5% 38.6%
    cpu01 32.0% 0.0% 7.9% 0.0% 0.0% 20.0% 40.0%
    cpu02 25.0% 0.0% 12.6% 0.0% 0.1% 55.3% 6.7%
    cpu03 27.4% 0.0% 6.5% 0.0% 0.1% 57.0% 8.6%

    This is a sample of the email that I retrieved from the mail queue manager...


    1FMk7y-0005hR-ET-H
    root 0 0
    <root@resmail1.linuxgal.com>
    1143198406 0
    -helo_name resmail1.linuxgal.com
    -host_address 206.123.73.247.61308
    -interface_address xx.xx.xxx.xxx.25 (This is my server I.P.)
    -received_protocol smtp
    -body_linecount 20
    XX
    1
    clientname@clientdomain.tld

    196P Received: from [206.123.73.247] (helo=resmail1.linuxgal.com)
    by hostname.tld with smtp (Exim 4.52)
    id 1FMk7y-0005hR-ET
    for clientname@clientdomain.tld; Fri, 24 Mar 2006 16:36:24 +0530
    071P Received: (qmail 86332 invoked by uid 398); 24 Mar 2006 11:07:17 -0000
    033 Date: 24 Mar 2006 11:07:17 -0000
    063I Message-ID: <xxxxyyyyzzzz17.86329.qmail@resmail1.linuxgal.com>
    033F From: root@resmail1.linuxgal.com
    037T To: clientname@clientdomain.tld
    026 Subject: Bulk-Push Failed
    081 X-PHP-Script: clientname -admin.mktgarchitects.us/remote_connector.php for yy.y.yy.yy
    081 X-PHP-Script: clientname-admin.mktgarchitects.us/remote_connector.php for yy.yy.yy.yy (yy.yy.yy.yy is the client's I.P. address from where he accesses the server )


    1FMk7y-0005hR-ET-D
    Client Id : 222
    Dialog Id : 621
    Connector Id : 88
    Starting row : 0
    Record count : 200


    Query :
    SELECT l.id FROM results as r, dialog_visitors as v, dialog_leads as l WHERE r.surveyID =621 AND r.status > 0 AND r.visitorID=v.id AND v.id=l.id AND concat_ws(',',l.fname,l.lname,l.name,l.email,l.phone)!='' AND l.active=1 GROUP BY v.id ORDER BY l.id ASC LIMIT 0,50

    Count of visitor pulled from db : 50

    Could not push visitor : 176966

    Could not push visitor : 176966

    Could not push visitor : 176966

    Could not push visitor : 176966



    Is there any mod_security rule that will prevent email bombs from crippling the server?

    Thanks,
    Neonix.
     
  12. cyrus

    cyrus Member

    Joined:
    Mar 1, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Neonix:

    What you have here is a failure to communicate :D i.e. this looks like a vBulletin / IPB error message being sent to the respective site admin upon MySQL failure. This usually happens when such a forum goes down and its board starts sending notices to the site's admin.
    The reason this is problematic is that for every click on the forum there will be a mail sent... so a high-traffic site would easily bombard the server with tonnes of mails...
    I would suggest you temporarily disable this account and resolve the issue with your customer.
     