The Community Forums


Spammer is using your cgiemail ?!!

Discussion in 'E-mail Discussions' started by jameshsi, Sep 19, 2006.

  1. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Hi!
    One of my servers showed high load a few days ago. I didn't have time to deal with it at that time; I just noticed that the server was under high load, shut down some of the sites I thought might be causing problems, and checked this and that on the server. Finally, I noticed there were some mails in the mail queue, and each mail sent a lot of BCCs to aol.com addresses. Now I began to realize that my server had been hijacked.

    check this page:
    http://ask-leo.com/a_spammer_is_using_my_cgiemail_what_do_i_do.html

    I think it explains it in more detail.

    After I changed the httpd.conf settings, removed the cgi-sys aliases and moved cgiemail to another file name (maybe I should just delete it), my server load quickly went back to normal.

    I don't know if anyone else has had a problem like this, or maybe has a better way to solve this cgiemail problem. I hope someone can share more information with us, thanks.


    James
     
  2. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Anyone got a better idea to replace the usage of cgiemail?

    Is there a good PHP script that can substitute for cgiemail?
     
    #2 jameshsi, Nov 13, 2006
    Last edited: Nov 13, 2006
  3. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Nope, but you could try ticking the box in WHM >> Tweak Settings: "Silently Discard all FormMail-clone requests with a bcc: header in the subject line".
     
  4. z268

    z268 Member

    Joined:
    Nov 15, 2006
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
  5. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Really appreciated.
     
  6. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    mod_security rules for catching CC and BCC header injections in other scripts can help too.
     
  7. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    A lot of form mail scripts allow you to specify who the email is to with a form field. Don't use one of those as they're really easy to hijack.

    As someone said above, use mod_security rules to make it harder to hijack form scripts on the server.

    If you run phpsuexec, you can limit the number of emails sent per account per hour, which allows you to limit damage from spammers when they hijack scripts. Not a permanent solution, but it helps.

    Also, install CSF - http://www.configserver.com/cp/csf.html - it will detect large numbers of emails going out and alert you via email.
     
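The check that brianoz's advice implies, as an added example in Python (not cgiemail's code nor any poster's): every header-bound form field is rejected if it carries a line break or an injected bcc:/cc: header, and the recipient is fixed server-side instead of being read from a form field. The field names and the sample submissions are constructed assumptions.

```python
import re
from email.message import EmailMessage

# Added example, not cgiemail's code or any poster's: the check a form-to-mail handler
# should run on every user-supplied header field. A CR/LF followed by a header name lets
# one submission append recipients (the "bcc: header in the subject line" case the WHM
# tweak setting discards); the recipient is fixed by the site, never by the visitor.

LINE_BREAK = re.compile(r"[\r\n]")
INJECTED_HEADER = re.compile(r"[\r\n]\s*(?:bcc|cc|to|from|reply-to|content-type)\s*:",
                             re.IGNORECASE)
HEADER_FIELDS = ("name", "email", "subject")  # assumed form field names


def header_injection_defects(field, value):
    """Describe each defect in one single-line header field; [] means clean."""
    defects = []
    if LINE_BREAK.search(value):
        defects.append(f"{field}: contains a line break")
    if INJECTED_HEADER.search(value):
        defects.append(f"{field}: injected mail header after the line break")
    return defects


def check_submission(form):
    """Validate every header-bound field of a decoded form; [] means clean."""
    defects = []
    for field in HEADER_FIELDS:
        defects.extend(header_injection_defects(field, form.get(field, "")))
    return defects


def build_message(form, site_owner):
    """Build the outbound mail, or raise ValueError carrying the defects to log."""
    defects = check_submission(form)
    if defects:
        raise ValueError("; ".join(defects))
    msg = EmailMessage()
    msg["To"] = site_owner            # fixed by the site config, not by the visitor
    msg["Reply-To"] = form["email"]
    msg["Subject"] = form["subject"]
    msg.set_content(f"From {form['name']}:\n\n{form.get('message', '')}")
    return msg


# Constructed sample submissions for the demonstration, not captured traffic.
CLEAN_FORM = {"name": "Alice", "email": "alice@example.com",
              "subject": "Question about hosting", "message": "Hello"}
HIJACKED_FORM = {"name": "Alice", "email": "alice@example.com",
                 "subject": "Hello\nbcc: one@example.net, two@example.net", "message": "x"}
```

The defect strings returned by check_submission are what you would write to the web server log so a hijack attempt shows up alongside the request that carried it.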
  8. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Can you show me the URL for these mod_security rules?
    Appreciated!
     
  9. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Assuming you have mod_security installed... there are a lot of rules out there. Doing a search here will bring you lots of results. Personally, these rules have been working for me and don't add too much overhead:
    http://hostmerit.com/modsec.user.conf
     
  10. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    What do you mean by overhead?
    You mean if I add too many rules, it might cause server load?
     
  11. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Yes, especially if you are using Apache 1.3.x. That's the trouble with the very thorough rules at gotroot.com. Rules of that volume and complexity are apparently much better with Apache 2, but I think you're better off keeping it simple with Apache 1.3.
     
  12. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Really appreciated! I did use the gotroot.com rules before you posted this reply, and the load was quite high!
     
  13. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    I still have a question: if I should not copy all the content of your conf file, what part should I use?
     
  14. ujr

    ujr Well-Known Member

    Joined:
    Mar 19, 2004
    Messages:
    290
    Likes Received:
    0
    Trophy Points:
    16
    gotroot has a set of rules that should work fine on Apache 1.3. Just make sure you don't run the Apache 2-compatible-only rules; that would wreak havoc.

    All in all, the rules provided at gotroot do their job quite efficiently, and although you may see a slightly higher load, you can also customize, or omit the rules that you know you will never use/need, since many of the rules are application specific. Just think of the server-based rules for Jsp Servlet, for instance... when you may not run tomcat, modresin, etc.

    Anyway, in my opinion, while it's nice to have mod-sec built into cpanel, it's not the most efficient way of running it either ... and you'll get way better performance building the install yourself. Don't use the cpanel mod_sec (IMHO).

    Also, don't forget, any reasonably 'savvy' user can disable the mod_sec with .htaccess, if you haven't prevented that in your system's config. All they'd need is:

    SecFilterEngine Off
    SecFilterCheckURLEncoding Off
     
  15. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    If running Apache 1.x, you may prevent .htaccess from disabling mod_sec via the following:

    cd /usr/src/modsecurity-apache-1.9.1/apache1
    /usr/local/apache/bin/apxs -ci -D DISABLE_HTACCESS_CONFIG mod_security.c
    /scripts/restartsrv_httpd
     