Super SPAM Flooding coming from one of my servers

xisn (Well-Known Member, joined Dec 4, 2004; cPanel Access Level: Root Administrator)
Ok all I need some help... For years I have followed the information on these as well as other forums. For some reason I am not able to locate nor figure this one out.

I have an ARSE LOAD of spam just flooding through the server, I think it is http based however I am looking through all of the domlogs and not seeing much.

I do have the BFD, APF, SpamAssassin, Etc.. Etc.. loaded on the server to try and stop this stuff but it seems like it is bypassing everything and sending 1000's of emails out. I can narrow it down to the user "nobody" thus the reason I think it is a hack someplace on the server that is just hiding from me.


HELP Please!
 

Monkeypd (Registered, joined Sep 20, 2003)
Spam

Hi,

We have had this problem as well. I located the problem to insecure PHP mailer scripts. Basically spammers are using 'Contact Us' type forms to send bcc'ed messages. You will get one or two to start with where they have scripts to test the site, then within a few weeks we had thousands at a time. With PHP, if no email address is specified in the from field it will go out as the user nobody. I don't have the code I used to secure our scripts but there are many tutorials on the net if you search.

Hope this helps you.

Regards,
Darryl
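As an added example that is not code posted in this thread, this is the shape of a contact-form mailer that does not have the weakness Darryl describes: the only user-controlled value that reaches a mail header is a Reply-To that has passed validation, every other field goes into the body, and the envelope sender is set explicitly with -f instead of being left empty. The recipient and sender addresses are placeholders, and it assumes PHP 5.2 or later for filter_var().

```php
<?php
// Added example, not code from this thread.
// Placeholders (assumptions): change both addresses for a real deployment.
$recipient      = 'webmaster@example.com'; // fixed; never taken from the form
$envelopeSender = 'forms@example.com';     // a mailbox exim will accept for -f

// Return a POST field as a string, or '' if it is missing or is an array
// (name="x[]" fields would otherwise reach string functions as arrays).
function post_string($key)
{
    return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
}

// Neutralise raw and URL-encoded CR/LF plus other control characters so a
// value cannot terminate the current header and start a new one ("Bcc:").
function clean_header_value($value, $maxLen = 200)
{
    $value = preg_replace('/%0[ad]/i', ' ', $value);
    $value = preg_replace('/[\x00-\x1f\x7f]/', ' ', $value);
    return substr(trim($value), 0, $maxLen);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('HTTP/1.0 405 Method Not Allowed');
    exit;
}

$name    = clean_header_value(post_string('name'), 80);
$email   = trim(post_string('email'));
$subject = clean_header_value(post_string('subject'));
$body    = post_string('message');
if ($subject === '') {
    $subject = 'Website contact';
}

// The visitor's address is used only as Reply-To, and only if it is a single
// syntactically valid address: FILTER_VALIDATE_EMAIL rejects commas, spaces
// and line breaks, so a list of Bcc targets cannot be smuggled in.
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

// Headers are built from fixed strings plus the validated address only.
$headers  = "From: Website Contact Form <{$envelopeSender}>\r\n";
$headers .= "Reply-To: {$email}\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/plain; charset=UTF-8";

// Everything else goes in the body. mail() writes the blank line that
// separates headers from body, so body text cannot become a header.
$text = "Name: {$name}\nEmail: {$email}\n\n" . $body;

// Fifth argument = extra arguments for the sendmail binary. -f sets the
// envelope sender (Return-Path), so bounces and the exim log show the
// form's mailbox rather than an empty sender.
$sent = mail($recipient, $subject, $text, $headers, '-f' . $envelopeSender);

if (!$sent) {
    header('HTTP/1.0 500 Internal Server Error');
    echo 'Sorry, your message could not be sent.';
    exit;
}
echo 'Thanks, your message was sent.';
```

The design point is that the form never decides who the mail goes to and never contributes a whole header: a fixed recipient, a fixed From, and one validated address in Reply-To leave nothing for an injected "bcc:" line to attach to.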
 

AndyReed (Well-Known Member, PartnerNOC, joined May 29, 2004; Minneapolis, MN)
xisn said:
I have an ARSE LOAD of spam just flooding through the server, I think it is http based however I am looking through all of the domlogs and not seeing much.

I do have the BFD, APF, SpamAssassin, Etc.. Etc.. loaded on the server to try and stop this stuff but it seems like it is bypassing everything and sending 1000's of emails out. I can narrow it down to the user "nobody" thus the reason I think it is a hack someplace on the server that is just hiding from me.
You need to find what script is used by the spammers to deliver SPAM through your server. PhpBB spam can be blocked using a good set of rules for Mod Security. Overall, upgrade PHP scripts and apply any security patches released by their authors.
 

xisn (Well-Known Member, joined Dec 4, 2004; cPanel Access Level: Root Administrator)
Thanks

Thanks for your response guys, I have looked for the php script causing the spam but I am still at a loss... :confused:

It looks like a dictionary attack as they are placing <random names>@domain.com. I do have the latest APF Filters from getroot (the HUGE one) and I am also using Chirpy's ACL Dictionary attack script following the tutorials for them but still getting hit. :(
 

xisn (Well-Known Member, joined Dec 4, 2004; cPanel Access Level: Root Administrator)
odd...

Funny thing is.. I have the exim setting:
log_selector = +subject +arguments -host_lookup_failed -lost_incoming_connection

And here is the header:


Code:
1Fg4QH-0000LC-P4-H
nobody 99 504
<[email protected]>
1147804653 0
-ident nobody
-received_protocol local
-body_linecount 10
-auth_id nobody
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
XX
1
[email protected]

141P Received: from nobody by SERVER.DOMAIN.com with local (Exim 4.52)
	id 1Fg4QH-0000LC-P4
	for [email protected]; Tue, 16 May 2006 13:37:34 -0500
020T To: [email protected]
036  Subject: FW: you've got to see this
030F From: Jacob <[email protected]>
028R Reply-To: [email protected]
018  MIME-Version: 1.0
025  Content-Type: text/plain
032  Content-Transfer-Encoding: 8bit
050I Message-Id: <[email protected]>
038  Date: Tue, 16 May 2006 13:37:33 -0500

 
1Fg4QH-0000LC-P4-D
So cool video clip

Britney Boobs:
http://www.9xgames.com/game/3265/Britney_s-Boobs.html

Enjoy!
jacob
 

xisn (Well-Known Member, joined Dec 4, 2004; cPanel Access Level: Root Administrator)
Found it!

ok, I found the script that was running after I disabled "the user nobody" from sending emails in the "Tweak Settings" area.

It seems the files "mail.php, head.php, and foot.php" were uploaded to several accounts and the spammer was sending the email using these scripts. Now I just need to find out how they uploaded the scripts as I know of the accounts and he does not know how to perform these tasks and has not logged into his account in months.
 

ramprage (Well-Known Member, joined Jul 21, 2002; Canada)
How many messages were in your mail queue?

I have a great combination of mod_security, antivirus.exim and exim.conf to pretty much track anything down.
 

xisn (Well-Known Member, joined Dec 4, 2004; cPanel Access Level: Root Administrator)
Several times...

There were more than 10k emails in the queue. I made some setting changes and dropped that number down to less than 2000 the second time they ran the script.

I have added the following IPs to the APF list because of it though:

Code:
May 17 05:29:17 SERVER apf(28804): (insert) deny all to/from 222.122.194.84
May 17 05:23:10 SERVER apf(27743): (insert) deny all to/from 203.162.3.153
May 17 05:10:09 SERVER apf(25609): (insert) deny all to/from 222.253.2.180
May 17 05:09:58 SERVER apf(25321): (insert) deny all to/from 58.186.55.248
I have looked at every log I can find on the server and it seems I am hitting nothing but a brick wall, I cannot find how they are getting the files on the server...

I have set up a CRON to identify files uploaded to the server that contain the mail.php strings and send me an email. I will be watching, but it still seems they are able to upload the files without logging on as any specific user.
 

brianoz (Well-Known Member, joined Mar 13, 2004; Melbourne, Australia; cPanel Access Level: Root Administrator)
xisn said:
... but it still seems they are able to upload the files without logging on as any specific user.
Well ... from that it sounds likely that they're uploading files with a POST to a compromised script somewhere.

Install mod_security with a good filter set, it should nip this in the bud nicely!
 

xisn (Well-Known Member, joined Dec 4, 2004; cPanel Access Level: Root Administrator)
Message sent on your site. Thanks Ramprage!

ramprage said:
Contact me and I'll be happy to look into this for you.

I do have the latest version and the most current updates for modsec...
brianoz said:
Well ... from that it sounds likely that they're uploading files with a POST to a compromised script somewhere.

Install mod_security with a good filter set, it should nip this in the bud nicely!
 

ramprage (Well-Known Member, joined Jul 21, 2002; Canada)
Well, if you suspect a spammer then you can temporarily add a few rules to your mod_security ruleset for additional logging so you can later investigate.

EG:

HTML:
# Find the source of scripts sending email
SecFilterSelective POST_PAYLOAD "@" "pass,log"
If the above generates too much regular data you can narrow it down to certain domains.


HTML:
SecFilterSelective POST_PAYLOAD "@(hotmail.com|aol.com|gmail.com|yahoo.com)" "pass,log"
This should only log users filling out forms, etc. It will not deny them. Then go check your audit_log to see what scripts are posting using email accounts in them submitted by user input.

Very handy for finding spammers, written by me, enjoy :D
 

xisn (Well-Known Member, joined Dec 4, 2004; cPanel Access Level: Root Administrator)
Thanks

I am not sure how it was happening but the GET command seems to have been their way in... I chmod'd the command and added a modsec rule to deny it as well and all spam seems to have stopped.

Good thing is, it has stopped... Bad news is, I have been listed on a few servers (Thankfully not the major SBL lists) so I need to go fix that...

Here are the modsec rules I used to fix it for now, I am not sure if it is a permanent fix or not but it seems to be blocking them. I am typing them off the top of my head as I remember them but will fix this post later if I mistyped.

Code:
SecFilterSelective ARG_p|ARG_page "^(http|https|ftp):/"
SecFilterSelective THE_REQUEST "GET ^(DFind)"
SecFilter "GET\x20"
SecFilterSelective THE_REQUEST "GET "
SecFilter "^(GET|POST).*:.*^(GET|POST)"
 

Monkeypd (Registered, joined Sep 20, 2003)
Morning

Hi people,

I have found the code I use on all my forms, I was getting loads and loads of spam through one of my boxes and this solved it. You have to paste the code onto every php form which is a bit of a pain but once done it is easy to get into good habits. Paste the following in at the first line of your php form mailers.

PHP:
//  Darryl's Anti-Spam Code - Ask for assistance.

// Make sure the form was indeed POST'ed:
//  (requires your html form to use: method="post")
// Compare the method directly: "!$_SERVER[...] == 'POST'" never fires,
// because the ! is applied to the value before the comparison.
if($_SERVER['REQUEST_METHOD'] != "POST"){
   die("Forbidden - You are not authorized to view this page");
}

// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
                     "MIME-Version:",
                     "Content-Transfer-Encoding:",
                     "bcc:",
                     "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings (array fields such as name="x[]" are
// flattened so they get checked as well):
foreach($_POST as $k => $v){
   if(is_array($v)){
       $v = implode("\n", $v);
   }
   foreach($badStrings as $v2){
       if(strpos($v, $v2) !== false){
           header("HTTP/1.0 403 Forbidden");
           exit;
       }
   }
}

// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings);
Stops all the scripts that are sent out to send spam.

Hope this helps someone.

Darryl
 

brianoz (Well-Known Member, joined Mar 13, 2004; Melbourne, Australia; cPanel Access Level: Root Administrator)
Monkeypd said:
I have found the code I use on all my forms, I was getting loads and loads of spam through one of my boxes and this solved it. You have to paste the code onto every php form which is a bit of a pain but once done it is easy to get into good habits. Paste the following in at the first line of your php form mailers.
Sensational idea Darryl! I think I'll borrow it, with one refinement.

Change the code you put in each script to this one line:

PHP:
<?php include 'antispam.php'; ?>
and setup a file /usr/local/lib/php/antispam.php containing Darryl's code.

This works because /usr/local/lib/php is in everyone's path - check your phpinfo() output for the 'include_path' line - on my servers it's ".:/usr/lib/php:/usr/local/lib/php".

The advantage of this is that we now have only one master file included by everything on the server, so if it needs changing or updating you have only one place to change. Of course, the downside is you need to be careful how you edit that file - you'll break many sites if you stuff it up.

There are some other nice things you could probably add. For instance, a referrer check that checks that the referrer is a page on the same site would probably catch some spammers. It would also be nice to log the IP addresses of caught attacks as IP addresses could then be blocked if they ran more than a certain number of attacks. Adding and refining what this script does becomes really easy once we have it in a central spot.
 

christi1 (Well-Known Member, joined Oct 20, 2003; Texas, USA)
little tweak...

I'd like to post a few tweaks to Darryl's script if I may.

- Changed the strpos() function call to eregi(). PHP's strpos() function is case sensitive, which can cause false negatives finding matches to items in the $badStrings array.

- Added routine to check common fields used in mail headers for line feed and carriage return characters so the header hijack can be stopped even if the form was originally coded to send plain text email and our $badStrings routine doesn't find a mime email hijack.

- Added routine to check fields for large numbers of links, a common tactic used for spamming forums and guestbooks.

- Changed the header() function calls to die(). If/when PHP has already sent header info, this will cause the script to return a PHP error, not the 403 error. Novice PHP programmers may run into issues with this.

Here is the refined code:

Code:
<?php
//  Darryl's Anti-Spam Code - Ask for assistance. 

// maximum number of links allowed in any form field
// common method of spamming forums and guestbooks
// leave blank if you don't want to use
$max_allowed_links = "5";

// common header injection patterns (lower case; matched case-insensitively)
$badStrings = array("content-type:","mime-version:","content-transfer-encoding:","bcc:","cc:");

// fields to be checked for line feed and carriage return characters
$check_email_fields = array('to','from','name','from_name','admin_email','subject','email'); 

// Make sure the form was indeed POST'ed: 
//  (requires your html form to use: method="post") 
// (compare the method directly; "!$_SERVER[...] == 'POST'" never fires)
if($_SERVER['REQUEST_METHOD'] != "POST"){ 
    die("Forbidden - You are not authorized to view this page"); 
} 
foreach($_POST as $k => $v){ 
    // array fields (name="x[]") are flattened so they are checked too
    if(is_array($v)) {
        $v = implode("\n", $v);
    }
    // check all fields for header injection patterns
    // stripos() is case-insensitive; eregi() no longer exists in PHP 7
    if(is_array($badStrings)) {
        foreach($badStrings as $v2){ 
            if(stripos($v, $v2) !== false){ 
                die("Forbidden - You are not authorized to view this page"); 
            } 
        } 
    }
    // check common email fields for line feed and carriage return characters
    $k = strtolower($k);
    if(is_array($check_email_fields)) {
        foreach($check_email_fields as $v2){
            if($k == strtolower($v2) && preg_match("/(%0A|%0D|\\n|\\r)/i", $v)) {
                die("Forbidden - You are not authorized to view this page"); 
            } 
        }
    }
    // check all fields for more than $max_allowed_links
    // (count links in $v; the original counted an undefined $field)
    if($max_allowed_links != "") {
        $count_link_instances = substr_count(strtolower($v), "http://");
        if($count_link_instances >= $max_allowed_links) {
            die("Forbidden - You are not authorized to view this page"); 
        }
    }
}

// Made it past spammer test, free up some memory 
// and continue rest of script: 
unset($k, $v, $v2, $max_allowed_links, $check_email_fields, $badStrings, $count_link_instances); 
?>
Hope this helps.
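Pulling the two previous posts together, here is the central antispam.php that brianoz proposes, carrying the refinements he mentions (a same-site Referer check and logging of the client IP of every rejection) and christi1's case-insensitive header-name, CR/LF and link-count checks. This is an added example, not code posted in this thread; the log path, the list of header fields, the link threshold and the assumption of PHP 5 are all mine.

```php
<?php
// antispam.php - added example, not the code posted in this thread.
// Include as the first line of every form mailer. Guard against being
// included twice from the same script (function redeclaration is fatal).
if (function_exists('antispam_reject')) {
    return;
}

// Assumptions: adjust the log path (must be writable by the web server
// user) and the link threshold for your server.
define('ANTISPAM_LOG', '/var/log/httpd/antispam.log');
define('ANTISPAM_MAX_LINKS', 5);

// Log one line per rejection (so a blocker can count hits per IP and, for
// example, add an APF deny after N of them), then refuse the request.
function antispam_reject($reason)
{
    $ip   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    $host = isset($_SERVER['HTTP_HOST'])   ? $_SERVER['HTTP_HOST']   : '-';
    $uri  = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';
    error_log(date('c') . " ip=$ip host=$host uri=$uri reason=$reason\n", 3, ANTISPAM_LOG);
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Walk nested POST arrays (name="field[]") and test every scalar value.
function antispam_scan($value, $fieldName)
{
    if (is_array($value)) {
        foreach ($value as $sub) {
            antispam_scan($sub, $fieldName);
        }
        return;
    }
    $value = (string) $value;
    $lower = strtolower($value);

    // Header names that only show up when a mail header is being injected.
    // Matched on the lower-cased value, so case tricks do not slip past.
    foreach (array('content-type:', 'mime-version:', 'content-transfer-encoding:', 'bcc:', 'cc:') as $needle) {
        if (strpos($lower, $needle) !== false) {
            antispam_reject("header-name:$needle");
        }
    }

    // Raw or URL-encoded line breaks in fields that end up in mail headers.
    static $headerFields = array('to', 'from', 'name', 'from_name', 'admin_email', 'subject', 'email', 'reply_to');
    if (in_array(strtolower($fieldName), $headerFields, true)
        && preg_match('/\r|\n|%0a|%0d/i', $value)) {
        antispam_reject("crlf:$fieldName");
    }

    // Link flooding, the forum/guestbook spam pattern.
    if (preg_match_all('#https?://#i', $value) >= ANTISPAM_MAX_LINKS) {
        antispam_reject("links:$fieldName");
    }
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    antispam_reject('not-post');
}

// Referer check: a form submitted from another site is suspicious for a
// same-site contact form. Some browsers and proxies strip the header, so
// a missing Referer is allowed here; tighten that per site if you prefer.
if (isset($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) {
    $refHost = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    $ownHost = preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']);
    if (empty($refHost) || strcasecmp($refHost, $ownHost) !== 0) {
        antispam_reject('referer:' . (string) $refHost);
    }
}

foreach ($_POST as $field => $value) {
    antispam_scan($value, (string) $field);
}
```

Each mailer keeps brianoz's one-line `<?php include 'antispam.php'; ?>` at the top; because the file returns early when its functions already exist, a script that is itself included by another guarded script does not fail. Everything the check learns about an attacker ends up in the log line, which is the part a blocking script would consume.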
 

heavypredator (Well-Known Member, joined May 2, 2003)
Strange problem with spam

For some time now I have had a problem with spam. My datacenter is getting complaints (from AOL)
about my additional IP sending spam.

The problem is this IP has only one site with no mailboxes, the mail port is blocked by the firewall, and there is no trace of the spam being sent like in the sample provided by AOL (I'm logging every email sent with /usr/sbin/sendmail, and there is nothing in exim_mainlog or exim_rejectlog about this spam):

Code:
Received: from  my.hostname.com (ev1s-69-57-*-*.ev1servers.net [69.57.*.*]) by rly-yd06.mx.aol.com (v109.13) with ESMTP id MAILRELAYINYD64-77a4493af431d7; Sat, 17 Jun 2006 03:29:08 -0400 
Received: (qmail 50802 invoked by uid 10001); Sun, 18 Jun 2006 01:29:01 +0200 (CEST) 
Message-Id: <[email protected]> 
From: "Marey Yang" <[email protected]> 
To: <Undisclosed Recipients> 
Date: Sun, 18 Jun 2006 01:29:01 +0200 (CEST) 
Subject: Try out striking in <censored> 
Mime-Version: 1.0 
Content-Type: text/plain 
X-AOL-IP: 69.57.*.* 
X-Mailer: Unknown (No Version) 
 
MIME element (text/plain) 
Currently <censored> wills to catch blasts 
on http://asatewaro.com/<censored> from 
<censored>
I have no idea how it can be sent; the DC techs have checked the server 3 times now - has anyone seen something like this?

Oops, I wanted to make a new topic.
 