Hacking /Spam Attempts?!?!

Solutions for other phpList version 2 users

Postby jade » 2:32am, Tue 23 Aug, 2005

Hi everyone,

I've experienced some disturbing events in the past few weeks and I'm hoping that someone here knows whether I should be concerned enough to do something about it.

In the past 3 weeks there have been 3 separate incidents where someone subscribed to our list using fictitious email addresses from our own domain (i.e. sdjfll@ourdomain.com).

Each time consisted of 5 bogus signups. Four of these fake signups appear harmless and only seem to generate a subscription notice into my email. However, one of these signups includes extra information in the "email" & "name" fields which appears to be an attempt to spoof or hack the program.

Here's what our usual signup notices look like:

email@address.com has subscribed

Subscribe page: 2
name = John Doe


Now, here's the info from one of those "spoofing" or "hacking" signups:

fisozfejcg@mychildhasdiabetes.com has subscribed

Subscribe page: 2
name = fisozfejcg@mychildhasdiabetes.com
Content-Type: multipart/mixed; boundary="===============0284744904=="
MIME-Version: 1.0
Subject: c1be279f
To: fisozfejcg@mychildhasdiabetes.com
bcc: bergkoch8@aol.com
From: fisozfejcg@mychildhasdiabetes.com

This is a multi-par


You'll also notice that there's a bcc line, which may be a monitored email account so they can check their success. I have forwarded these messages to abuse@aol.com so at least they're aware. But I'm wondering if I should be concerned enough to do something else?

Has anybody else ever experienced something like this? Does anyone have any suggestions about how to handle it?

I'd really appreciate any advice or feedback. Thanks.
jade
PL Nut
 
Posts: 15
Joined: 2:00am, Tue 23 Aug, 2005

Postby michiel » 12:35pm, Tue 23 Aug, 2005

Yes, that does look like a spam attempt. It would be interesting to dig deeper and check out your website logfiles, to analyse their activity. Particularly whether it was "automated", i.e. some script running requests to your site, or manual.

Let us know your findings. If anything, to update phplist in the future to make these kinds of things more difficult.
michiel
Admin
 
Posts: 1022
Joined: 10:18pm, Fri 11 Apr, 2003
Location: Buenos Aires, Argentina

Further attempts

Postby jade » 7:29pm, Thu 25 Aug, 2005

We've received another batch of 5 spam/hacking attempts. Everything is the same as before, 4 of the 5 contain bogus email addresses and the 5th one contains extended information in the name field.

And again we've got the same AOL email address in the bcc field they've tried to insert.
zcxjgzz@mychildhasdiabetes.com has subscribed

Subscribe page: 2
name = zcxjgzz@mychildhasdiabetes.com
Content-Type: multipart/mixed; boundary="===============0030245682=="
MIME-Version: 1.0
Subject: a13b42d3
To: zcxjgzz@mychildhasdiabetes.com
bcc: bergkoch8@aol.com
From: zcxjgzz@mychildhasdiabetes.com

This is a multi-part m

I'd sure like to get to the bottom of this. Looking forward to any advice from anyone.
jade
PL Nut
 
Posts: 15
Joined: 2:00am, Tue 23 Aug, 2005

Postby jade » 7:34pm, Thu 25 Aug, 2005

Hi Michiel, I appreciate your interest, unfortunately I wouldn't know where to begin in order to try to track this down. If you want to contact me privately I'd be happy to discuss giving you access to the server if you wanted to take a look.

Thanks again,
Jade

michiel wrote: Yes, that does look like a spam attempt. It would be interesting to dig deeper and check out your website logfiles, to analyse their activity. Particularly whether it was "automated", i.e. some script running requests to your site, or manual.

Let us know your findings. If anything, to update phplist in the future to make these kinds of things more difficult.
jade
PL Nut
 
Posts: 15
Joined: 2:00am, Tue 23 Aug, 2005

Update

Postby jade » 2:29pm, Sat 03 Sep, 2005

We're continuing to experience these hacking attempts. Two more in the past week. We've got the server administrator involved and he hasn't been able to figure it out yet, but at least it doesn't appear that they've been able to compromise the system.

However, one thought he had (but he's not really familiar with PHP List) is to have some control over the number of characters that will be accepted by the system in a text field.

I know that it's possible to limit that on individual signup pages, but it doesn't appear that the hacker/spammer is using signup pages. Instead they seem to be making a direct submission/request to the server. Therefore, the only way to limit the length of text fields would be within the PHP list system itself.

Does anyone know if that's possible? If so, I'd really appreciate any tips.

Thanks again in advance.
jade
PL Nut
 
Posts: 15
Joined: 2:00am, Tue 23 Aug, 2005

Postby vbdocman » 3:39pm, Sat 03 Sep, 2005

You are not alone. We are experiencing the same problems. We receive a batch of 4 attempts with bogus emails at our domain. We don't receive the fifth with extended info in the name field (we don't use the name field).

I don't know what the purpose is. It seems to be an automated script. We use version 2.8.12 and I hope we won't get hacked.

Peter
vbdocman
phpList newbie
 
Posts: 1
Joined: 3:33pm, Sat 03 Sep, 2005

Glad to know we're not alone

Postby jade » 3:50pm, Sat 03 Sep, 2005

Hi Peter,

Thanks for letting me know about your situation. Perhaps we may ultimately have to eliminate the name field too, since it seems that this is what makes our experiences different. I do agree with you that it appears to be automated.

FYI, we're using the same version (2.8.12) which was installed automatically through Fantastico. It makes me wonder if this may be a version specific vulnerability.

Anyway, now that we're starting to talk about this we may be able to get more info from other people with the same problem and hopefully even a solution.

Thanks again.
jade
PL Nut
 
Posts: 15
Joined: 2:00am, Tue 23 Aug, 2005

same spoof attempts on our site

Postby cabinone » 8:43pm, Sat 03 Sep, 2005

michiel wrote: Let us know your findings. If anything, to update phplist in the future to make these kinds of things more difficult.


We have been "spoofed" twice now, both times in clusters of 5 or 6. The IP address they have come from is: 213.25.156.26

Emails and IP from the "history" link

qili@TheAmericanView.com
12161
213.25.156.26
2005-09-03 15:41:29

nlqoqyuuzf@TheAmericanView.com
12163
213.25.156.26
2005-09-03 15:41:37

bigctu@TheAmericanView.com
12162
213.25.156.26
2005-09-03 15:41:36

hatltxrdg@TheAmericanView.com
12164
213.25.156.26
2005-09-03 15:41:40

igbqwdhjv@TheAmericanView.com
12165
213.25.156.26
2005-09-03 15:41:42

unqokt@TheAmericanView.com
12166
213.25.156.26
2005-09-03 15:41:44

A traceroute from me to them seems to go through London and into Europe. Unless some crackerhead is doing this manually to many lists at a time, it appears to be automated. We are now running 2.9.5 (and can't get my cron working!).

4 sl-gw22-rly-7-4-ts9.sprintlink.net (144.223.42.185) 29.735 ms 30.020 ms 26.467 ms
5 sl-bb24-rly-3-1.sprintlink.net (144.232.14.57) 37.767 ms 19.425 ms 17.507 ms
6 sl-st22-ash-6-0.sprintlink.net (144.232.20.189) 18.749 ms 18.934 ms 19.706 ms
7 sl-st21-ash-5-0.sprintlink.net (144.232.29.206) 20.686 ms 23.648 ms 19.679 ms
8 sl-franc2-7-0.sprintlink.net (144.223.246.22) 25.349 ms 432.882 ms 128.740 ms
9 po6-0.loncr3.london.opentransit.net (193.251.240.181) 142.640 ms 96.394 ms 101.986 ms
10 so-6-0-0-0.loncr2.london.opentransit.net (193.251.242.218) 91.141 ms 153.091 ms 91.492 ms
11 so-0-0-0-0.fftcr1.frankfurt.opentransit.net (193.251.154.90) 109.374 ms so-2-0-0-0.fftcr2.frankfurt.opentransit.net (193.251.242.137) 115.425 ms so-0-0-0-0.fftcr1.frankfurt.opentransit.net (193.251.154.90) 128.010 ms
12 so-0-3-0-0.wrsbb1.warsawa.opentransit.net (193.251.242.46) 133.063 ms so-1-0-0-0.fftcr1.frankfurt.opentransit.net (193.251.132.89) 118.729 ms so-0-1-0-0.wrsbb1.warsawa.opentransit.net (193.251.240.170) 133.205 ms
13 so-0-1-0-0.wrsbb1.warsawa.opentransit.net (193.251.240.170) 130.141 ms so-0-2-0-0.wrsbb1.warsawa.opentransit.net (193.251.240.162) 144.813 ms tpsa-3.gw.opentransit.net (193.251.248.62) 129.455 ms
14 tpsa-3.gw.opentransit.net (193.251.248.62) 130.269 ms * *
15 * do.war-ar10.z.war-r4.tpnet.pl (213.25.12.214) 133.569 ms do-war-r4.tptransit.pl (195.149.232.130) 129.073 ms
16 do.war-ar10.z.war-r4.tpnet.pl (213.25.12.214) 130.339 ms stegny-gts.stegny.2a.pl (217.153.29.142) 186.383 ms do.war-ar10.z.war-r4.tpnet.pl (213.25.12.214) 138.822 ms
17 steg-gts.stegny.2a.pl (217.153.167.3) 294.193 ms 191.122 ms stegny-gts.stegny.2a.pl (217.153.29.142) 154.150 ms
18 non-reg156.stegny.2a.pl (213.25.156.26) 199.990 ms steg-gts.stegny.2a.pl (217.153.167.3) 147.140 ms non-reg156.stegny.2a.pl (213.25.156.26) 140.760 ms

Let me know what I can supply to track this down. I have root access to the server.


Excellent app,

jeff
cabinone
PL Nut
 
Posts: 17
Joined: 10:05pm, Tue 30 Aug, 2005
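
The "history" records above show the pattern worth alerting on: several signups within seconds from one IP, every one an invented address at the list's own domain. The following is an added example, not phpList code, of a small detector for that pattern; it parses records in the four-line layout of the post (email, id, IP, timestamp), groups them by IP and raises one alert per IP that exceeds a threshold inside a time window. The sample data is constructed from the values in the post plus one ordinary signup from a different IP for contrast; the domain, the 60-second window and the threshold of 4 are assumptions.

```php
<?php
// Added example, not phpList code: flag bursts of signups from one IP that use
// invented addresses at the list's own domain. Domain, window and threshold
// are assumptions; the sample history is constructed from the forum post.
declare(strict_types=1);

const OWN_DOMAIN      = 'theamericanview.com'; // the list's own domain, lower case
const WINDOW_SECONDS  = 60;                    // how close together signups must be
const BURST_THRESHOLD = 4;                     // this many from one IP inside the window

// Constructed sample in the layout of the post: email, subscriber id, IP, timestamp.
$sampleHistory = <<<'TXT'
qili@TheAmericanView.com
12161
213.25.156.26
2005-09-03 15:41:29

nlqoqyuuzf@TheAmericanView.com
12163
213.25.156.26
2005-09-03 15:41:37

bigctu@TheAmericanView.com
12162
213.25.156.26
2005-09-03 15:41:36

hatltxrdg@TheAmericanView.com
12164
213.25.156.26
2005-09-03 15:41:40

igbqwdhjv@TheAmericanView.com
12165
213.25.156.26
2005-09-03 15:41:42

unqokt@TheAmericanView.com
12166
213.25.156.26
2005-09-03 15:41:44

reader@example.net
12167
198.51.100.7
2005-09-03 16:02:10
TXT;

/** Parse the four-line records into arrays carrying a UTC unix timestamp. */
function parseHistory(string $text): array
{
    $rows = [];
    foreach (preg_split('/\R\s*\R/', trim($text)) as $chunk) {
        $lines = array_values(array_filter(array_map('trim', preg_split('/\R/', $chunk)), 'strlen'));
        if (count($lines) !== 4) {
            continue; // skip anything that is not a complete record
        }
        [$email, $id, $ip, $when] = $lines;
        $ts = (new DateTimeImmutable($when, new DateTimeZone('UTC')))->getTimestamp();
        $rows[] = ['email' => $email, 'id' => (int) $id, 'ip' => $ip, 'ts' => $ts];
    }
    return $rows;
}

/** True when the address claims to belong to the list's own domain. */
function isOwnDomain(string $email): bool
{
    $at = strrpos($email, '@');
    return $at !== false && strtolower(substr($email, $at + 1)) === OWN_DOMAIN;
}

/** One alert per IP that produced BURST_THRESHOLD or more signups inside WINDOW_SECONDS. */
function findBursts(array $rows): array
{
    $byIp = [];
    foreach ($rows as $row) {
        $byIp[$row['ip']][] = $row;
    }
    $alerts = [];
    foreach ($byIp as $ip => $list) {
        usort($list, fn(array $a, array $b): int => $a['ts'] <=> $b['ts']);
        $n = count($list);
        for ($i = 0; $i < $n; $i++) {
            $j = $i; // extend the window as far as the timestamps allow
            while ($j + 1 < $n && $list[$j + 1]['ts'] - $list[$i]['ts'] <= WINDOW_SECONDS) {
                $j++;
            }
            if ($j - $i + 1 >= BURST_THRESHOLD) {
                $window = array_slice($list, $i, $j - $i + 1);
                $alerts[] = [
                    'ip'         => $ip,
                    'count'      => count($window),
                    'own_domain' => count(array_filter(array_column($window, 'email'), 'isOwnDomain')),
                    'first'      => gmdate('Y-m-d H:i:s', $window[0]['ts']),
                    'last'       => gmdate('Y-m-d H:i:s', $window[count($window) - 1]['ts']),
                ];
                break; // one alert per IP is enough for a report
            }
        }
    }
    return $alerts;
}

foreach (findBursts(parseHistory($sampleHistory)) as $a) {
    printf("ALERT %s: %d signups between %s and %s, %d at our own domain\n",
        $a['ip'], $a['count'], $a['first'], $a['last'], $a['own_domain']);
}
```

Run against the sample this reports a single alert for 213.25.156.26 (6 signups in 15 seconds, all 6 at the list's own domain) and stays quiet about the lone signup from 198.51.100.7. Because the IPs change from batch to batch, as jade notes later in the thread, the own-domain count is the more durable signal: a real subscriber at your own domain is rare, a burst of them is not something a human does.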

Postby jotazzu » 12:35am, Sun 04 Sep, 2005

Hi jade,
If you display the HTML source of the subscription form, you find as the first input field the always-present input field 'email'. The only input field following it on www.mychildhasdiabetes.com has the name 'attribute1'.

As you have taken the form from the original subscription page and changed it slightly, I suspect the name of 'attribute1' is displayed as 'name' (all in lower case) when configuring the subscription page.

As the length of an HTML input field cannot really be restricted if the attacker uses his own generated form, PHPlist saves this input immediately in a MySQL field with a maximum length of 255 characters. When it sends you the admin email it retrieves the value from the database, and therefore the original input is cut off after 255 characters. In your post you can see this at the broken last line 'This is a multi-part m'.

I suspect that this hacking attempt is a spider which scans the whole web for HTML forms which contain the input field 'email'. With the first four attempts it checks probably for the reaction of the form. With the fifth attempt it simply starts to fill the following input fields in the form with a malicious email. But PHPlist cuts that email and nothing happens.
jotazzu
PL Master
 
Posts: 183
Joined: 6:31pm, Wed 13 Jul, 2005
Location: Hamburg, Germany

spam again, but solo at that

Postby cabinone » 1:38am, Thu 08 Sep, 2005

Just to keep current:

fwpeza@TheAmericanView.com
212.142.33.108 2005-09-07 16:30:12

This traces out to a domestic address, unlike the others.
...
12 as-1-0.bbr2.newyork1.level3.net (64.159.1.85) 390.831 ms * 386.785 ms
13 ae-10-55.car1.newyork1.level3.net (4.68.97.148) 402.621 ms ae-10-53.car1.newyork1.level3.net (4.68.97.84) 558.311 ms ae-20-52.car1.newyork1.level3.net (4.68.97.52) 557.577 ms
14 level3-upc-us-nyc01a-rd1-gige-2-0.aorta.net (63.209.170.102) 611.297 ms 787.350 ms 328.311 ms
15 fr-par-rc-02-pos-4-0.chellonetwork.com (213.46.160.125) 371.534 ms 445.284 ms 586.080 ms
16 213.46.183.101 (213.46.183.101) 552.133 ms 590.384 ms 595.877 ms
17 213.46.183.106 (213.46.183.106) 488.975 ms 477.151 ms 619.222 ms
18 p14233059.net.upc.nl (212.142.33.59) 718.730 ms 669.449 ms 697.375 ms
19 p2033108.net.upc.nl (212.142.33.108) 649.871 ms 707.469 ms 881.588 ms
cabinone
PL Nut
 
Posts: 17
Joined: 10:05pm, Tue 30 Aug, 2005

Postby jade » 3:44am, Thu 08 Sep, 2005

It's interesting to hear about the experiences others have.

Cabinone: So far we've had this about 10 times and each time I've traced the IP it's been a different part of the world (e.g. Korea, Bolivia, Russia, UK), so I don't imagine that I'm going to get any satisfaction by tracing this.

Jotazzu: Thanks for the info. I didn't realize there was a 255 character limit in a MySQL field, so it's good to learn that. If so, that probably means we don't have much to worry about with this. I did realize that they were doing this through their own form so I couldn't place a restriction on that.

If anyone else is getting these, it would be good to know if they're also seeing a BCC address and if so, is it the same one we're seeing?

Jade
jade
PL Nut
 
Posts: 15
Joined: 2:00am, Tue 23 Aug, 2005

Postby ryzone » 4:37pm, Fri 09 Sep, 2005

Hello,
Wow, this exact same thing is happening to me, but on a site that I'm not using phplist with (I just started using phplist yesterday and I just happened to come across this thread doing a search for something else). The site is written in ASP and I have a contact form on it, and in the last week we started getting these strange emails (see below) (the form sends the content directly to us via email, it's not put into a db). You'll see it uses the exact same email "bergkoch8@aol.com". Pretty wacky. My host seems to think it's just "email spoofing", but it seems obvious to me that it isn't that. I just found this: http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

spd@soundway.com
Content-Type: multipart/mixed; boundary="===============0890193714=="
MIME-Version: 1.0
Subject: 3671a5cd
To: spd@soundway.com
bcc: bergkoch8@aol.com
From: spd@soundway.com

This is a multi-part message in MIME format.

--===============0890193714==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

ayl
--===============0890193714==--

spd@soundway.com
age:
reviews?
How often?
complaints:
spd@soundway.com
comment:
spd@soundway.com
ryzone
phpList newbie
 
Posts: 1
Joined: 4:25pm, Fri 09 Sep, 2005

Getting down to solutions

Postby jade » 6:17pm, Fri 09 Sep, 2005

Hi Ryzone, and thanks for the info and link. I hadn't thought of searching for the bcc address, but that was a great idea. According to the discussion thread you provided, this is a recent but growing problem.

I've just read through that entire discussion you posted (well, I skimmed and read) and have pulled out the items I think we could all look at.

In addition, I found another URL that may contain info that will be of use in assessing and solving this problem. This link describes the attempted hacking process which is apparently called "Email Injection":
http://securephp.damonkohler.com/index. ... _Injection

So, without further intro, here are 3 possible methods for solving (or at least minimizing) this problem. If Michiel and the other PHP code junkies can have a look at these and evaluate them, we may be able to come up with a homegrown PHPList solution. I don't know enough about scripting to be able to figure out which of these is possible or appropriate.

All of these come from individual posts on the URL Ryzone provided. I've simply cherrypicked the ones that seemed promising.

#1 - Since all of the attempts I've experienced have used fictitious email addresses using my domain name, this seemed like it might have potential.

From: Joachim from Bremen, Germany, #106 posted on Mon, Sep 5, 2005 04:21 PM
I'm a PHP minimalist and the following seems to prevent me from getting any more of these mails:

Code:
// Reject the submission if the email or message field carries a line break,
// an address at our own domain, or a MIME boundary marker.
// (The original used eregi(), which is gone since PHP 7; stripos() performs
// the same case-insensitive substring test.)
$email   = $_POST["email"]   ?? "";
$message = $_POST["message"] ?? "";
if (
    strpos($email, "\r") !== false
    || strpos($email, "\n") !== false
    || stripos($email, "@mydomain.net") !== false
    || stripos($message, "@mydomain.net") !== false
    || stripos($message, "boundary=") !== false
) {
    die($sorry_string);
}



#2 -Since all of the attempts include a BCC address so the spammer can verify their success, this seemed like it might have potential.

From: Lightbox from Dublin Ireland, #114 posted on Tue, Sep 6, 2005 05:31 AM
To stop the annoying mails coming through we have simply put an if statement into the form to stop this type of mail coming through:
They always use bcc to send the mail, so now we just block any mail with bcc.

Code:
<% if (CGI.getValue("bcc").length() > 0) { %>
<%//
// A "bcc" field in the submission means this is SPAM,
// so don't send any emails!
//%>

<% } else { %>
<%// normal form processing goes here %>
<% } %>



#3 - Very importantly, I've noticed that the spam attempts have been submitted without using a signup form. In other words, the spammer is bypassing the form and going directly to the server. As the person below suggested, there's no referrer agent, so this might be a very valuable approach.

From: Arthur from ***SPAM***, USA, #134 posted on Thu, Sep 8, 2005 09:48 AM
Looking at my logs, I noticed that the requests from the bots don't contain the HTTP_USER_AGENT field, and the HTTP_REFERER field is set to my home page, not to the address of my contact form.

So I added the following to my php script:
Code:
// Bots seen in the logs send no User-Agent and a Referer pointing at the
// home page instead of the contact form, so require both to look right.
$valid_user_agent = isset($_SERVER["HTTP_USER_AGENT"]) && $_SERVER["HTTP_USER_AGENT"] != "";
$valid_referrer = isset($_SERVER["HTTP_REFERER"]) && $_SERVER["HTTP_REFERER"] == "http://{$_SERVER["HTTP_HOST"]}/contact.php";

if ( $valid_user_agent && $valid_referrer ) {
    // send email
} else {
    // spambot
}


So, there are three different approaches to at least minimizing or hampering if not actually solving this problem. Any PHP junkies wanna take a look?

Jade
jade
PL Nut
 
Posts: 15
Joined: 2:00am, Tue 23 Aug, 2005
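
Approaches #1 and #2 above, together with jotazzu's explanation of why the injected text lands in the database rather than in the mail headers, come down to one backend rule: no submitted field may carry header material, and the address must be exactly one mailbox. The block below is an added example, not phpList code and not from any of the quoted posts; it generalizes the two snippets (line breaks and own-domain addresses in the email field, bcc and boundary markers in free text) to every header token the samples in this thread contain, and adds the optional own-domain refusal of approach #3 as a policy switch. It needs PHP 8; the domain, field names and both sample submissions are constructed, and the bcc address in the injected sample is a placeholder.

```php
<?php
// Added example, not phpList code: validate subscription fields in the backend
// before any value reaches an outgoing message. Requires PHP 8.
// OWN_DOMAIN, the field names and the sample inputs are assumptions.
declare(strict_types=1);

const OWN_DOMAIN = 'ourdomain.com'; // assumption: the list owner's domain

// Tokens that never belong in a name or address field.
const HEADER_TOKENS = [
    'content-type:', 'mime-version:', 'content-transfer-encoding:',
    'bcc:', 'cc:', 'to:', 'from:', 'subject:', 'boundary=',
];

/** Reasons a single free-text field looks like a header-injection attempt; empty means clean. */
function injectionReasons(string $field, string $value): array
{
    $reasons = [];
    if (preg_match('/[\r\n]/', $value)) {
        $reasons[] = "$field contains a line break";
    }
    if (preg_match('/%0[ad]/i', $value)) {
        $reasons[] = "$field contains a URL-encoded line break"; // in case the value is still encoded
    }
    $lower = strtolower($value);
    foreach (HEADER_TOKENS as $token) {
        if (str_contains($lower, $token)) {
            $reasons[] = "$field contains header token '$token'";
            break;
        }
    }
    return $reasons;
}

/**
 * Validate a submission the way the backend (not the signup page) should:
 * the address must be a single syntactically valid mailbox, every other field
 * must carry no header material, and optionally addresses at the list's own
 * domain are refused (approach #3; a policy choice, since real staff sign up too).
 */
function validateSubscription(array $post, bool $rejectOwnDomain = false): array
{
    $reasons = [];
    $email = trim((string) ($post['email'] ?? ''));
    // FILTER_VALIDATE_EMAIL already refuses CR/LF and anything that is not one address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'email is not a single valid address';
    }
    if ($rejectOwnDomain && str_ends_with(strtolower($email), '@' . OWN_DOMAIN)) {
        $reasons[] = 'email claims to be at our own domain';
    }
    foreach ($post as $field => $value) {
        if ($field === 'email') {
            continue;
        }
        $reasons = array_merge($reasons, injectionReasons((string) $field, (string) $value));
    }
    return ['ok' => $reasons === [], 'reasons' => $reasons];
}

/** For a value that must end up in a header anyway (a display name): fold to one line and cap its length. */
function headerSafe(string $value, int $max = 255): string
{
    $oneLine = preg_replace('/[\r\n]+/', ' ', $value);
    return substr(trim($oneLine), 0, $max);
}

// Constructed inputs modelled on the thread: one ordinary signup, one injected one.
$normal   = ['email' => 'john.doe@example.net', 'name' => 'John Doe'];
$injected = [
    'email' => 'fisozfejcg@ourdomain.com',
    'name'  => "fisozfejcg@ourdomain.com\r\nContent-Type: multipart/mixed; boundary=\"===x==\"\r\n"
             . "MIME-Version: 1.0\r\nbcc: placeholder@example.org\r\n\r\nThis is a multi-part message",
];

foreach (['normal' => $normal, 'injected' => $injected] as $label => $post) {
    $result = validateSubscription($post, rejectOwnDomain: true);
    echo "$label: ", $result['ok'] ? 'accepted' : 'rejected (' . implode('; ', $result['reasons']) . ')', "\n";
}
echo 'folded name: ', headerSafe($injected['name']), "\n";
```

The ordinary signup is accepted; the injected one is rejected three times over (own-domain address, line break in name, Content-Type token in name), so any one of the checks alone would have caught it. The 255-character cut jotazzu describes is a side effect of the column width, not a defence; headerSafe() shows the deliberate version of it, folding and capping a value only where it genuinely has to go into a header. The referrer and user-agent check of approach #3 in the post above is left out on purpose: a client controls both headers, so they filter only the laziest scripts.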

Summarizing 3 approaches for a solution

Postby jade » 6:56pm, Fri 09 Sep, 2005

I thought it might be helpful to summarize what I was trying to say in my last post.

Any solution for PHPList to prevent this kind of attack has to be developed to work from within the backend functions (this is because the spammer is circumventing signup forms and any controls there would be useless).

In understanding the problem, I have identified three (3) areas in which vulnerabilities could be closed or limited. How to close them and which elements of the PHPList configurations would need to be altered is completely beyond me.

The three areas of vulnerability mean there are three possible approaches:
    #1 – Disallow BCC content in the processing of submissions
    #2 – Disallow processing of submissions that do not contain appropriate referrer page or user agent.
    #3 – Disallow processing submissions that contain email addresses from the same domain name.

The examples in my last post were simply provided to illustrate the three approaches.

I hope someone can think of a simple way to insert any or all of the above.
Thanks,
Jade
jade
PL Nut
 
Posts: 15
Joined: 2:00am, Tue 23 Aug, 2005

Postby michiel » 7:43pm, Fri 09 Sep, 2005

I think what's going on here is that some worm is trying out all kinds of stuff, to see if it works. It was discussed on the phpmailer mailing list and someone added this URL, which is pretty good:

http://securephp.damonkohler.com/index. ... _Injection

I will review the entire workings of the frontend of phplist to ensure it is not vulnerable to this kind of stuff.

By the way, checking on "referrer" is useless as that can be spoofed.
michiel
Admin
 
Posts: 1022
Joined: 10:18pm, Fri 11 Apr, 2003
Location: Buenos Aires, Argentina
