Spammer is using your cgiemail ?!!

jameshsi

Well-Known Member
Oct 22, 2001
347
0
316
Hi!
One of my servers shows high loading a few days ago, I didn't have time dealing with it at that time, I just notice that server is under high loading, I shutdown some of sites I thought might cause problems, and check this and that in the server, finally, I notice there are some mail queues in the mailQ, and each mail sents a lot of BCC to aol.com address, now I begain to realize that my server has been hijacking.

check this page:
http://ask-leo.com/a_spammer_is_using_my_cgiemail_what_do_i_do.html

I think it explain more detail.

After I change the httpd.conf setting , remove the cgi-sys aliases and move cgiemail to another file name (maybe I should just delete it) , my server loading is quickly down to normal.

I don't know if anyone like me has problem like this, or maybe have a better way to solve this cgiemail problem, I hope someone can share more informations to us, thanks.


James
 

jameshsi

Well-Known Member
Oct 22, 2001
347
0
316
Anyone got a better idea to replace the usage of cgiemal ?

Is there a good php script can substitute cgiemail ?
 
Last edited:

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
A lot of form mail scripts allow you to specify who the email is to with a form field. Don't use one of those as they're really easy to hijack.

As someone said above, use mod_security rules to make it harder to hijack form scripts on the server.

If you run phpsuexec, you can limit the number of emails sent per account per hour, which allows you to limit damage from spammers when they hijack scripts. Not a permanent solution, but it helps.

Also, install CSF - http://www.configserver.com/cp/csf.html - it will detect large numbers of emails going out and alert you via email.
 

verdon

Well-Known Member
Nov 1, 2003
917
10
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
What do u mean overhead ?
You mean if I add too many rules, might cause server loading ?
Yes, especially if you are using Apache 1.3.x. That's the trouble with the very thorough rules at gotroot.com. Rules of that volume and complexity are apparantly much better with Apache 2, but I think you're better to keep it simple with Apache 1.3
 

jameshsi

Well-Known Member
Oct 22, 2001
347
0
316
Really appreciated! I did use gotroot.com rules before you post this reply, and the loading is quite high!
 

jameshsi

Well-Known Member
Oct 22, 2001
347
0
316
I still got a question, if I should not copy all the content of your conf file, what part should I use ?
 

ujr

Well-Known Member
Mar 19, 2004
290
0
166
gotroot has a set of rules that should work fine on apache 1.3. Just make sure you don't run the apache 2-compatible-only rules, that would reek havoc.

All in all, the rules provided at gotroot do their job quite efficiently, and although you may see a slightly higher load, you can also customize, or omit the rules that you know you will never use/need, since many of the rules are application specific. Just think of the server-based rules for Jsp Servlet, for instance... when you may not run tomcat, modresin, etc.

Anyway, in my opinion, while it's nice to have mod-sec built into cpanel, it's not the most efficient way of running it either ... and you'll get way better performance building the install yourself. Don't use the cpanel mod_sec (IMHO).

Also, don't forget, any reasonably 'savvy' user can disable the mod_sec with .htaccess, if you haven't prevented that in your system's config. All they'd need is:

SecFilterEngine Off
SecFilterCheckURLEncoding Off
 

Solokron

Well-Known Member
Aug 8, 2003
851
1
168
Seattle
cPanel Access Level
DataCenter Provider
If running Apache 1.x you may disable .htaccess disable of mod_sec via the following:

cd /usr/src/modsecurity-apache-1.9.1/apache1
/usr/local/apache/bin/apxs -ci -D DISABLE_HTACCESS_CONFIG mod_security.c
/scripts/restartsrv_httpd