Spammer is using your cgiemail?!!

jameshsi

Well-Known Member
Oct 22, 2001
Hi!
One of my servers showed high load a few days ago. I didn't have time to deal with it at that time; I just noticed that the server was under high load, shut down some of the sites I thought might be causing problems, and checked this and that on the server. Finally, I noticed there were some mails in the mail queue, and each mail sent a lot of BCCs to aol.com addresses. Now I began to realize that my server had been hijacked.

check this page:
http://ask-leo.com/a_spammer_is_using_my_cgiemail_what_do_i_do.html

I think it explains it in more detail.

After I changed the httpd.conf settings, removed the cgi-sys aliases and moved cgiemail to another file name (maybe I should just delete it), my server load quickly went back down to normal.

I don't know if anyone else has had a problem like this, or maybe has a better way to solve this cgiemail problem. I hope someone can share more information with us, thanks.


James

jameshsi

Well-Known Member
Oct 22, 2001
Anyone got a better idea to replace the usage of cgiemail?

Is there a good PHP script that can substitute for cgiemail?

kernow

Well-Known Member
Jul 23, 2004
cPanel Access Level
Root Administrator
Nope, but you could try ticking the box in WHM >> Tweak Settings: "Silently Discard all FormMail-clone requests with a bcc: header in the subject line".

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
A lot of form mail scripts allow you to specify who the email is to with a form field. Don't use one of those as they're really easy to hijack.

As someone said above, use mod_security rules to make it harder to hijack form scripts on the server.

If you run phpsuexec, you can limit the number of emails sent per account per hour, which allows you to limit damage from spammers when they hijack scripts. Not a permanent solution, but it helps.

Also, install CSF - http://www.configserver.com/cp/csf.html - it will detect large numbers of emails going out and alert you by email.
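Putting kernow's tweak setting (discard requests with a bcc: header in the subject) and brianoz's advice (never take the recipient from a form field) together, here is an added Python example of the checks a replacement form-mail script would make. It is not code from this thread, from cPanel or from cgiemail; the fixed recipient address and the sample submissions are constructed.

```python
import re
from typing import Optional

# Assumption: the site's single, fixed destination address (not from the thread).
FIXED_RECIPIENT = "webmaster@example.com"

# A CR or LF (raw or URL-encoded) in a single-line header field is how extra
# headers such as Bcc: get smuggled into a form-mail message.
LINE_BREAK = re.compile(r"\r|\n|%0d|%0a", re.IGNORECASE)
# Header keywords that have no business inside a subject or sender field.
HEADER_KEYWORD = re.compile(r"\b(?:bcc|cc|to|content-type)\s*:", re.IGNORECASE)

def check_fields(fields: dict) -> tuple:
    """Return (accepted, reason) for the user-controlled header fields."""
    for name in ("subject", "from", "name"):
        value = fields.get(name, "")
        if LINE_BREAK.search(value):
            return False, f"line break in {name}"
        if HEADER_KEYWORD.search(value):
            return False, f"header keyword in {name}"
    return True, "ok"

def build_headers(fields: dict) -> Optional[dict]:
    """Build outgoing headers; the recipient is fixed, never read from the form."""
    ok, _ = check_fields(fields)
    if not ok:
        return None
    return {
        "To": FIXED_RECIPIENT,
        "Subject": fields.get("subject", "(no subject)"),
        "Reply-To": fields.get("from", ""),
    }

# Constructed submissions: one legitimate, two shaped like the abuse in the thread.
SAMPLES = {
    "legit": {"from": "alice@example.org", "subject": "Question about hosting",
              "body": "Hi, is PHP 5 available?"},
    "bcc_in_subject": {"from": "x@example.org",
                       "subject": "hello\nbcc: a@example.net, b@example.net",
                       "body": "buy now"},
    "recipient_field": {"from": "x@example.org", "subject": "hi",
                        "recipient": "victim@example.net", "body": "buy now"},
}

def classify_samples() -> dict:
    """Run the header checks over every constructed sample."""
    return {name: check_fields(fields) for name, fields in SAMPLES.items()}
```

The third sample is accepted by the field checks but its "recipient" value is simply ignored, which is what makes the script useless to someone trying to relay through it.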

verdon

Well-Known Member
Nov 1, 2003
Northern Ontario, Canada
cPanel Access Level
Root Administrator
What do you mean by overhead?
You mean if I add too many rules, it might cause server load?
Yes, especially if you are using Apache 1.3.x. That's the trouble with the very thorough rules at gotroot.com. Rules of that volume and complexity are apparently much better with Apache 2, but I think you're better off keeping it simple with Apache 1.3.

jameshsi

Well-Known Member
Oct 22, 2001
Really appreciated! I did use the gotroot.com rules before you posted this reply, and the load was quite high!

jameshsi

Well-Known Member
Oct 22, 2001
I still have a question: if I should not copy all the content of your conf file, what part should I use?

ujr

Well-Known Member
Mar 19, 2004
gotroot has a set of rules that should work fine on Apache 1.3. Just make sure you don't run the Apache 2-compatible-only rules; that would wreak havoc.

All in all, the rules provided at gotroot do their job quite efficiently, and although you may see a slightly higher load, you can also customize or omit the rules that you know you will never use/need, since many of the rules are application specific. Just think of the server-based rules for JSP servlets, for instance, when you may not run Tomcat, modresin, etc.

Anyway, in my opinion, while it's nice to have mod_sec built into cPanel, it's not the most efficient way of running it either, and you'll get way better performance building the install yourself. Don't use the cPanel mod_sec (IMHO).

Also, don't forget, any reasonably 'savvy' user can disable the mod_sec with .htaccess, if you haven't prevented that in your system's config. All they'd need is:

SecFilterEngine Off
SecFilterCheckURLEncoding Off

Solokron

Well-Known Member
Aug 8, 2003
Seattle
cPanel Access Level
DataCenter Provider
If running Apache 1.x, you can prevent mod_sec from being disabled via .htaccess with the following:

cd /usr/src/modsecurity-apache-1.9.1/apache1
/usr/local/apache/bin/apxs -ci -D DISABLE_HTACCESS_CONFIG mod_security.c
/scripts/restartsrv_httpd