The Community Forums

Interact with an entire community of cPanel & WHM users!

Super SPAM Flooding coming from one of my servers

Discussion in 'General Discussion' started by xisn, May 16, 2006.

  1. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    OK all, I need some help... For years I have followed the information on these as well as other forums. For some reason I am not able to locate nor figure this one out.

    I have an ARSE LOAD of spam just flooding through the server. I think it is HTTP based; however, I am looking through all of the domlogs and not seeing much.

    I do have BFD, APF, SpamAssassin, etc. loaded on the server to try and stop this stuff, but it seems like it is bypassing everything and sending 1000s of emails out. I can narrow it down to the user "nobody", thus the reason I think it is a hack someplace on the server that is just hiding from me.


    HELP Please!
     
  2. Monkeypd

    Monkeypd Registered

    Joined:
    Sep 20, 2003
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Spam

    Hi,

    We have had this problem as well. I located the problem to insecure PHP mailer scripts. Basically spammers are using 'Contact Us' type forms to send bcc'ed messages. You will get one or two to start with, where they have scripts to test the site, then within a few weeks we had thousands at a time. With PHP, if no email address is specified in the from field it will go out as the user nobody. I don't have the code I used to secure our scripts, but there are many tutorials on the net if you search.

    Hope this helps you.

    Regards,
    Darryl
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    You need to find what script is used by the spammers to deliver SPAM through your server. phpBB spam can be blocked using a good set of rules for Mod Security. Overall, upgrade PHP scripts and apply any security patches released by their authors.
     
  4. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Thanks

    Thanks for your response guys, I have looked for the PHP script causing the spam but I am still at a loss... :confused:

    It looks like a dictionary attack as they are placing <random names>@domain.com. I do have the latest APF filters from getroot (the HUGE one) and I am also using Chirpy's ACL dictionary attack script, following the tutorials for them, but still getting hit. :(
     
  5. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    odd...

    Funny thing is.. I have the exim setting:
    log_selector = +subject +arguments -host_lookup_failed -lost_incoming_connection

    And here is the header:


    Code:
    1Fg4QH-0000LC-P4-H
    nobody 99 504
    <nobody@SERVER.DOMAIN.com>
    1147804653 0
    -ident nobody
    -received_protocol local
    -body_linecount 10
    -auth_id nobody
    -auth_sender nobody@SERVER.DOMAIN.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -local
    XX
    1
    bigd2@gmail.com
    
    141P Received: from nobody by SERVER.DOMAIN.com with local (Exim 4.52)
    	id 1Fg4QH-0000LC-P4
    	for bigd2@gmail.com; Tue, 16 May 2006 13:37:34 -0500
    020T To: bigd2@gmail.com
    036  Subject: FW: you've got to see this
    030F From: Jacob <Jacob@gmail.com>
    028R Reply-To: Jacob85@gmail.com
    018  MIME-Version: 1.0
    025  Content-Type: text/plain
    032  Content-Transfer-Encoding: 8bit
    050I Message-Id: <E1Fg4QH-0000LC-P4@SERVER.DOMAIN.com>
    038  Date: Tue, 16 May 2006 13:37:33 -0500
    
     
    1Fg4QH-0000LC-P4-D
    So cool video clip
    
    Britney Boobs:
    http://www.9xgames.com/game/3265/Britney_s-Boobs.html
    
    Enjoy!
    jacob 
    
     
  6. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Found it!

    OK, I found the script that was running after I disabled "the user nobody" from sending emails in the "Tweak Settings" area.

    It seems the files "mail.php, head.php, and foot.php" were uploaded to several accounts and the spammer was sending the email using these scripts. Now I just need to find out how they uploaded the scripts, as I know the owner of the accounts and he does not know how to perform these tasks and has not logged into his account in months.
     
  7. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    How many messages were in your mail queue?

    I have a great combination of mod_security, antivirus.exim and exim.conf to pretty much track anything down.
     
  8. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Several times...

    There were more than 10k emails in the queue. I made some setting changes and dropped that number down to less than 2000 the second time they ran the script.

    I have added the following IPs to the APF list because of it though:

    Code:
    May 17 05:29:17 SERVER apf(28804): (insert) deny all to/from 222.122.194.84
    May 17 05:23:10 SERVER apf(27743): (insert) deny all to/from 203.162.3.153
    May 17 05:10:09 SERVER apf(25609): (insert) deny all to/from 222.253.2.180
    May 17 05:09:58 SERVER apf(25321): (insert) deny all to/from 58.186.55.248
    
    I have looked at every log I can find on the server and it seems I am hitting nothing but a brick wall, I cannot find how they are getting the files on the server...

    I have set up a cron job to identify files uploaded to the server that contain the mail.php strings and send me an email. I will be watching, but it still seems they are able to upload the files without logging on as any specific user.
     
  9. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Well ... from that it sounds likely that they're uploading files with a POST to a compromised script somewhere.

    Install mod_security with a good filter set, it should nip this in the bud nicely!
     
  10. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Contact me and I'll be happy to look into this for you.
     
  11. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Message sent on your site. Thanks Ramprage!


    I do have the latest version and the most current updates for modsec...
     
  12. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Let us know what was happening, could be useful to know ...

    Ramprage: If it's a new (or newish) trick, a ruleset to block it for mod_security would be great...
     
  13. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Well if you suspect a spammer then you can temporarily add a few rules to your mod_security ruleset for additional logging so you can later investigate.

    EG:

    HTML:
    # Find the source of scripts sending email
    SecFilterSelective POST_PAYLOAD "@" "pass,log"
    If the above generates too much regular data you can narrow it down to certain domains.


    HTML:
    SecFilterSelective POST_PAYLOAD "@(hotmail.com|aol.com|gmail.com|yahoo.com)" "pass,log"
    This should only log users filling out forms, etc. It will not deny them. Then go check your audit_log to see what scripts are posting using email accounts in them submitted by user input.

    Very handy for finding spammers, written by me, enjoy :D
     
  14. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Thanks

    I am not sure how it was happening but the GET command seems to have been their way in... I chmod'd the command and added a modsec rule to deny it as well and all spam seems to have stopped.

    Good thing is, it has stopped... Bad news is, I have been listed on a few servers (Thankfully not the major SBL lists) so I need to go fix that...

    Here are the modsec rules I used to fix it for now; I am not sure if it is a permanent fix or not, but it seems to be blocking them. I am typing them off the top of my head as I remember them but will fix this post later if I mistyped.

    Code:
    SecFilterSelective ARG_p|ARG_page "^(http|https|ftp):/"
    SecFilterSelective THE_REQUEST "GET ^(DFind)"
    SecFilter "GET\x20"
    SecFilterSelective THE_REQUEST "GET "
    SecFilter "^(GET|POST).*:.*^(GET|POST)"
    
    
     
  15. Swampfox

    Swampfox Member

    Joined:
    Aug 9, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    thanks ya'll this post help fix my spam problem
     
  16. Monkeypd

    Monkeypd Registered

    Joined:
    Sep 20, 2003
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Morning

    Hi people,

    I have found the code I use on all my forms. I was getting loads and loads of spam through one of my boxes and this solved it. You have to paste the code onto every PHP form, which is a bit of a pain, but once done it is easy to get into good habits. Paste the following in at the first line of your PHP form mailers.

    PHP:
    //  Darryl's Anti-Spam Code - Ask for assistance.

    // Make sure the form was indeed POST'ed:
    //  (requires your html form to use: method="post")
    // Note: written as !$_SERVER[...] == "POST" this test never fires,
    // because ! binds before ==, so compare with != instead.
    if($_SERVER['REQUEST_METHOD'] != "POST"){
       die("Forbidden - You are not authorized to view this page");
    }

    // Attempt to defend against header injections:
    $badStrings = array("Content-Type:",
                        "MIME-Version:",
                        "Content-Transfer-Encoding:",
                        "bcc:",
                        "cc:");

    // Loop through each POST'ed value and test if it contains
    // one of the $badStrings:
    foreach($_POST as $k => $v){
       foreach($badStrings as $v2){
           if(strpos($v, $v2) !== false){
               header("HTTP/1.0 403 Forbidden");
               exit;
           }
       }
    }

    // Made it past spammer test, free up some memory
    // and continue rest of script:
    unset($k, $v, $v2, $badStrings);
    Stops all the scripts that are sent out to send spam.

    Hope this helps someone.

    Darryl
     
  17. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Sensational idea Darryl! I think I'll borrow it, with one refinement.

    Change the code you put in each script to this one line:

    PHP:
    <?php include 'antispam.php'; ?>
    and set up a file /usr/local/lib/php/antispam.php containing Darryl's code.

    This works because /usr/local/lib/php is in everyone's path - check your phpinfo() output for the 'include_path' line - on my servers it's ".:/usr/lib/php:/usr/local/lib/php".

    The advantage of this is that we now have only one master file included by everything on the server, so if it needs changing or updating you have only one place to change. Of course, the downside is you need to be careful how you edit that file - you'll break many sites if you stuff it up.

    There are some other nice things you could probably add. For instance, a referrer check that checks that the referrer is a page on the same site would probably catch some spammers. It would also be nice to log the IP addresses of caught attacks as IP addresses could then be blocked if they ran more than a certain number of attacks. Adding and refining what this script does becomes really easy once we have it in a central spot.
     
  18. fred123123

    fred123123 Well-Known Member

    Joined:
    Jul 23, 2005
    Messages:
    74
    Likes Received:
    0
    Trophy Points:
    6
    Monkey... this is a great php script!!
     
  19. christi1

    christi1 Well-Known Member

    Joined:
    Oct 20, 2003
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Texas, USA
    little tweak...

    I'd like to post a few tweaks to Darryl's script if I may.

    - Changed the strpos() function call to eregi(). PHP's strpos() function is case sensitive, which can cause false negatives finding matches to items in the $badStrings array.

    - Added routine to check common fields used in mail headers for line feed and carriage return characters so the header hijack can be stopped even if the form was originally coded to send plain text email and our $badStrings routine doesn't find a mime email hijack.

    - Added routine to check fields for large numbers of links, a common tactic used for spamming forums and guestbooks.

    - Changed the header() function calls to die(). If/when PHP has already sent header info, this will cause the script to return a PHP error, not the 403 error. Novice PHP programmers may run into issues with this.

    Here is the refined code:

    Code:
    <?php
    //  Darryl's Anti-Spam Code - Ask for assistance.

    // maximum number of links allowed in any form field
    // common method of spamming forums and guestbooks
    // leave blank if you don't want to use
    $max_allowed_links = "5";

    // common header injection patterns (matched case-insensitively)
    $badStrings = array("content-type:","mime-version:","content-transfer-encoding:","bcc:","cc:");

    // fields to be checked for line feed and carriage return characters
    $check_email_fields = array('to','from','name','from_name','admin_email','subject','email');

    // Make sure the form was indeed POST'ed:
    //  (requires your html form to use: method="post")
    if($_SERVER['REQUEST_METHOD'] != "POST"){
        die("Forbidden - You are not authorized to view this page");
    }
    foreach($_POST as $k => $v){
        // array fields (checkboxes, multi-selects) are joined so every value is checked
        if(is_array($v)) { $v = implode("\n", $v); }
        // check all fields for header injection patterns
        // (stripos() is case-insensitive like the eregi() call it replaces;
        //  eregi() was removed in PHP 7)
        foreach($badStrings as $v2){
            if(stripos($v, $v2) !== false){
                die("Forbidden - You are not authorized to view this page");
            }
        }
        // check common email fields for line feed and carriage return
        // characters, raw or URL-encoded
        $k = strtolower($k);
        if(in_array($k, $check_email_fields) && preg_match("/(%0A|%0D|\\n+|\\r+)/i", $v)) {
            die("Forbidden - You are not authorized to view this page");
        }
        // check all fields for more than $max_allowed_links
        if($max_allowed_links != "") {
            $count_link_instances = substr_count(strtolower($v), "http://");
            if($count_link_instances >= $max_allowed_links) {
                die("Forbidden - You are not authorized to view this page");
            }
        }
    }

    // Made it past spammer test, free up some memory
    // and continue rest of script:
    unset($k, $v, $v2, $max_allowed_links, $check_email_fields, $badStrings, $count_link_instances);
    ?>
    Hope this helps.
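    A central antispam.php of the kind brianoz describes, folding in Darryl's header-pattern check, christi1's tweaks (case-insensitive matching, CR/LF checks on header fields, link counting) and brianoz's two extra ideas (same-site referer check, logging the source IP of blocked submissions). This is an added example, not code from any poster in this thread; the log path, the constant names and the list of header fields are assumptions.

```php
<?php
// antispam.php (added example): include from every form mailer.
// antispam_check() returns a reason string when the submission should be
// rejected, or null when it looks clean, so the decision can be unit-tested.

define('ANTISPAM_LOG', '/var/log/formspam.log');   // assumed path
define('ANTISPAM_MAX_LINKS', 5);                    // per field, like $max_allowed_links

function antispam_check(array $post, array $server) {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'not a POST request';
    }
    // Referer must be a page on this site. Browsers may omit the Referer and
    // bots can forge it, so only a present-but-foreign referer is rejected.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $ref  = strtolower((string)(parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST) ?: ''));
    if ($ref !== '' && $host !== '' && $ref !== $host) {
        return "foreign referer $ref";
    }
    $badStrings   = ['content-type:', 'mime-version:', 'content-transfer-encoding:', 'bcc:', 'cc:'];
    $headerFields = ['to', 'from', 'name', 'from_name', 'admin_email', 'subject', 'email']; // assumed
    foreach ($post as $k => $v) {
        $v = is_array($v) ? implode("\n", $v) : (string)$v;   // check array fields too
        foreach ($badStrings as $bad) {
            if (stripos($v, $bad) !== false) {                // case-insensitive
                return "header injection pattern '$bad' in field $k";
            }
        }
        // Anything that ends up in a mail header may never contain a line break,
        // raw or URL-encoded; that is what lets a form add Bcc: recipients.
        if (in_array(strtolower($k), $headerFields, true)
            && preg_match('/(\r|\n|%0a|%0d)/i', $v)) {
            return "line break in header field $k";
        }
        if (preg_match_all('#https?://#i', $v) >= ANTISPAM_MAX_LINKS) {
            return "too many links in field $k";
        }
    }
    return null;
}

function antispam_log($reason, array $server) {
    // One line per blocked attempt: timestamp, client IP, script hit, reason.
    $line = sprintf("%s %s %s %s\n", date('c'), $server['REMOTE_ADDR'] ?? '-',
                    $server['REQUEST_URI'] ?? '-', $reason);
    @file_put_contents(ANTISPAM_LOG, $line, FILE_APPEND | LOCK_EX);
}

// Enforce when included by a web request; does nothing when loaded from the CLI.
if (PHP_SAPI !== 'cli' && ($reason = antispam_check($_POST, $_SERVER)) !== null) {
    antispam_log($reason, $_SERVER);   // IPs can later be fed to APF from the log
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden - You are not authorized to view this page');
}
```

    Because the check is a function, a few submissions (one with "bcc:" in a field, one with "%0A" in the email field, one clean) can be run against it from the CLI before the file goes live on every site.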
     
  20. heavypredator

    heavypredator Well-Known Member

    Joined:
    May 2, 2003
    Messages:
    93
    Likes Received:
    1
    Trophy Points:
    8
    Strange problem with spam

    For some time now I have had a problem with spam. My datacenter is getting complaints (from AOL)
    about my additional IP sending spam.

    The problem is this IP has only one site with no mailboxes, the mail port is blocked by the firewall, and there is no trace of the spam being sent like in the sample provided by AOL (I'm logging every email sent with /usr/sbin/sendmail; there is nothing in exim_mainlog or exim_rejectlog about this spam):

    Code:
    Received: from my.hostname.com (ev1s-69-57-*-*.ev1servers.net [69.57.*.*]) by rly-yd06.mx.aol.com (v109.13) with ESMTP id MAILRELAYINYD64-77a4493af431d7; Sat, 17 Jun 2006 03:29:08 -0400
    Received: (qmail 50802 invoked by uid 10001); Sun, 18 Jun 2006 01:29:01 +0200 (CEST)
    Message-Id: <20060618012901.50802.qmail@mxub.my.hostname.com>
    From: "Marey Yang" <venusamaral2@camunicongusto.com>
    To: <Undisclosed Recipients>
    Date: Sun, 18 Jun 2006 01:29:01 +0200 (CEST)
    Subject: Try out striking in <censored>
    Mime-Version: 1.0
    Content-Type: text/plain
    X-AOL-IP: 69.57.*.*
    X-Mailer: Unknown (No Version)

    MIME element (text/plain)
    Currently <censored> wills to catch blasts
    on http://asatewaro.com/<censored> from
    <censored>
    I have no idea how it can be sent; DC techs have checked the server 3 times now - anyone seen something like this?

    Oops, I wanted to make a new topic.
     
    #20 heavypredator, Jun 18, 2006
    Last edited: Jun 18, 2006