The Community Forums

Interact with an entire community of cPanel & WHM users!

Relaying via PHP

Discussion in 'General Discussion' started by jman1764, Mar 14, 2006.

  1. jman1764

    jman1764 Registered

    Joined:
    May 9, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    I am experiencing a customer's form being exploited where it has been used to relay spam. It obtained my attention when I saw an influx of bounce backs to nobody. Is there a way to lock this down? I've already made sure not to allow nobody to send email but it still is occurring.
     
  2. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    You might want to look into installing mod security. With the right rules, this can be used to block certain types of malicious requests.

    Forms are commonly exploited by including carriage returns and line feeds within a field followed by data such that the data is interpreted as being the cc and bcc fields for an email.

    Rather than relying solely on mod security to block malicious http requests, I find it's always better to fix exploitable scripts, or at least fix them to the extent that a given exploit won't work.

    If I find an exploited PHP script, I add the following code to help me investigate:

    PHP:
    // Dump every submitted field (name and value) and email it to yourself so
    // the exploit payload can be studied.  foreach replaces the original
    // while/each()/reset() loop: each() was removed in PHP 8.
    $sPostContents = "";
    foreach ($_POST as $key => $val) {
        $sPostContents .= $key . " = " . $val . "\n";
    }
    // $_SERVER keys are upper case: HTTP_HOST, not http_host
    mail("example@example.com", "Post values for " . $_SERVER['HTTP_HOST'], $sPostContents);
    If you place this as near to the top of the script as possible you can get the entire form contents, field names and values, emailed to you.

    You can then study what values are being used in what fields. Once you've spotted a pattern you can then add conditions to the script to check for the patterns and stop such requests.

    One of the obvious things to spot is that the value of exploited fields will often contain "Content-Type: multipart/" so that a multipart message (commonly HTML and plain text parts) will be sent. The HTML part will contain the spam, the plain text part will contain some random prose so as to confuse spam checkers.

    Here is a piece of code I recently added to a user's script to deal with something along these lines:

    PHP:
    // Abort the request if any field other than the message body carries the
    // multipart marker that injected spam payloads use.
    $sNeedle = "Content-Type: multipart/";
    // $sPostContents is the field dump built by the snippet above; fall back
    // to a plain dump if that snippet is not present in the script.
    if (!isset($sPostContents)) {
        $sPostContents = print_r($_POST, true);
    }
    foreach ($_POST as $key => $val) {
        if ($key != "message") {
            if (substr_count($val, $sNeedle)) {
                // HTTP_REFERER is optional; avoid a notice when it is absent
                $sReferer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
                mail("example@example.com", "Form exploit killed : " . $sReferer, $sPostContents);
                exit();
            }
        }
    }
    You don't necessarily need to have it email you, but I find it helps keep track of who is doing what.
     
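As an added example (not code from the thread, and not webignition's script), here is a minimal contact-form mailer in the exploitable form described above, beside a hardened version that rejects the CRLF header injection and the "Content-Type: multipart/" spam marker. The field names (name, email, subject, message), the example.com addresses and the two sample submissions are assumptions made for the demonstration; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread: a contact-form mailer in the
// exploitable form and a hardened form.  Field names, addresses and the
// sample submissions are assumptions made for the demonstration.

// Constructed submission modelled on the attack described above: a CRLF in
// a header-bound field followed by extra headers, plus a multipart body.
const SAMPLE_INJECTED_POST = [
    'name'    => 'Bob',
    'email'   => "bob@example.com\r\nBcc: victim1@example.net, victim2@example.net",
    'subject' => "Hello\nContent-Type: multipart/alternative; boundary=\"b1\"",
    'message' => 'Please call me back.',
];

// Constructed clean submission for comparison.
const SAMPLE_CLEAN_POST = [
    'name'    => 'Alice',
    'email'   => 'alice@example.org',
    'subject' => 'Pricing question',
    'message' => 'How much is hosting?',
];

// Fields that end up in the message header; everything else is body text.
const HEADER_FIELDS = ['name', 'email', 'subject'];

// VULNERABLE: values are concatenated straight into the additional headers
// of mail().  Each CRLF in $post['email'] starts a new header line, so the
// injected "Bcc:" becomes real recipients and the message relays spam.
function build_headers_vulnerable(array $post): string
{
    return "From: {$post['name']} <{$post['email']}>\r\n"
         . "Reply-To: {$post['email']}\r\n";
}

// Returns the names of the fields that carry an injection attempt.
function find_injected_fields(array $post): array
{
    $bad = [];
    foreach ($post as $field => $value) {
        $value = (string) $value;
        $inHeader = in_array($field, HEADER_FIELDS, true);
        // A line break in a header-bound field lets the sender append
        // arbitrary headers (Bcc:, To:, Content-Type:).  The multipart
        // marker in any field is the spam signature the post describes.
        if (($inHeader && preg_match('/[\r\n]/', $value) === 1)
            || stripos($value, 'Content-Type: multipart/') !== false) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// HARDENED: reject rather than repair, validate the address, and never let
// form input choose the recipient or the From: address.
function build_message_safe(array $post): ?array
{
    if (find_injected_fields($post) !== []) {
        return null;
    }
    $email = (string) ($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Strip any remaining control characters from free-text header fields.
    $name    = preg_replace('/[\x00-\x1F\x7F]/', '', (string) ($post['name'] ?? ''));
    $subject = preg_replace('/[\x00-\x1F\x7F]/', '', (string) ($post['subject'] ?? ''));

    return [
        'to'      => 'webmaster@example.com',   // fixed; never taken from the form
        'subject' => '[Contact form] ' . $subject,
        'body'    => (string) ($post['message'] ?? ''),
        // From: is a fixed local address (the submitter's would also fail
        // SPF/DMARC); the submitter goes in Reply-To only.
        'headers' => "From: Website Form <form@example.com>\r\n"
                   . "Reply-To: {$name} <{$email}>\r\n",
    ];
}

// Demonstration.  In a real handler the last step would be
// mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']).
echo "vulnerable headers:\n" . build_headers_vulnerable(SAMPLE_INJECTED_POST) . "\n";
echo "injected fields: " . implode(', ', find_injected_fields(SAMPLE_INJECTED_POST)) . "\n";
echo "injected submission accepted? " . (build_message_safe(SAMPLE_INJECTED_POST) === null ? "no" : "yes") . "\n";
$msg = build_message_safe(SAMPLE_CLEAN_POST);
echo "clean submission accepted? " . ($msg === null ? "no" : "yes") . "\n";
```

Rejecting the whole submission (and logging it, as the post suggests) is deliberate: stripping the line breaks out of an obviously injected field would still deliver the spammer's text, and a fixed recipient plus a fixed From: address means the form cannot be turned into a relay even if a check is missed.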
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I would also recommend adding extended exim logging which you can use to track back from bounces to the directory where the offending script(s) are so that you can remove/fix them.
     