
1 Oct 16, 2005 18:37

I recently added the send post to friend functionality to my blog and was quite happy with it for a while. Then I started getting messages from mail servers that were supposedly sent from my server. When I look at the header for the returned messages I see this 'Subject: =?iso-8859-1?B?WW91ciBGaW5hbmNpbmcgU2VydmljZQ==?='

I had a problem with someone hijacking my contact form a while back, so I upgraded the script for that and added some other security measures, like a .htaccess file. I have referer spam under control, but this is something new.

When I realized that someone might be hijacking sendmail on my system I checked my stats and saw that the login.php, register.php, and friend.php files were getting hit quite heavily. All three of these have sendmail functionality.

The first thing I did was to remove the 'send post to friend' link in _main.php and to rename friend.php to friend.bak. I'm still getting a few returned messages, but these could just be stragglers that have been bouncing around in mail servers.

Has anyone else had this experience?

I really like the send to friend addon. It was getting quite a bit of use and I was picking up readers because of it. However, if it is not secure enough to handle fake headers posted into input fields then I will have to reluctantly decide not to use it.

Here's a full header from one of the returned messages:

Received: from rubinocrosmer.com [196.35.70.184] by holly.dbwired.com with ESMTP
(SMTPD32-8.15) id AED6444800F0; Sun, 16 Oct 2005 02:10:30 -0400
Message-ID: <c0bb01c5d217$dc0b8d3b$82cc7a2c@6q8nxx1>
From: "Andres Sheffield" <andressheffieldil@xxxxx.com>
Subject: =?iso-8859-1?B?WW91ciBGaW5hbmNpbmcgU2VydmljZQ==?=
Date: Sun, 16 Oct 2005 06:04:10 +0000
MIME-Version: 1.0
X-Sender: <andressheffieldil@xxxxx.com>
In-Reply-To: <804101c5ce43$7f48adf5$9565d656@8hyv9j1>
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-IMAIL-SPAM-DNSBL: (SpamCop,eed3444800f076cf,127.0.0.2)

2 Oct 16, 2005 23:31

It's unclear to me how someone could "hijack" your sendmail using that script, BUT I'm not saying it's not possible (I just don't know). For what it's worth, I have actually gotten spam mail to my gmail account from my gmail account (same account in both instances).

Think of this though, and it requires nothing be faked: I have someone I don't like, and I know an e-mail addy for them. What's to keep me from using a similar item to repeatedly send them your page and accompany it with some sort of harassing message? Sure, they may be advertising your site, but they're also getting their crappy message sent, without attaching said message to their real e-mail addy.

None of that addresses your concerns very well, and for that I apologize.

3 Oct 17, 2005 03:57

All anyone needs to do to hijack a form2mail script is to substitute their own header for the one in the script. This will allow them to add cc and bcc fields to the message. That's what appears to be happening here. I've had other problems where they seemed to be spoofing the return address but this seems to be the real thing. They are also trying to compromise the register and lost password scripts in b2evo. These also use sendmail and if the hijacker can paste their own header into the input fields then they can hijack a form unless there are security measures built into the script to stop such attempts.

The form2mail script I use for my contact forms is pretty secure. I'm going to see if I can integrate that into the send link script. Or, create a new 'send to friend' script based on that form processing script.
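A worked illustration of the hijack described in this post, added here as an example (it is not code from the thread, from Scott's friend.php or from b2evolution). The scripts under discussion are PHP; the mechanism is shown in Python because it is the same in any language that glues form fields into mail headers: a CR/LF inside a field ends the current header line, so whatever follows it becomes a new header, and Cc: or Bcc: lines put there are honoured by the MTA. The addresses and the form submission below are constructed sample data.

```python
"""Mail header injection through a form-to-mail script, and the fix.

Added example; not code from this thread, from the friend.php script or from
b2evolution. Sample addresses and the form submission are constructed.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed attacker input: the 'friend' field carries a CRLF followed by a
# Bcc: header. A script that concatenates fields into header lines emits it as
# a real header, and the MTA delivers to every listed address.
INJECTED_FRIEND = ("friend@example.org\r\n"
                   "Bcc: victim1@example.net, victim2@example.net")
HONEST_FRIEND = "friend@example.org"


class HeaderInjection(ValueError):
    """Raised when a form field cannot safely be placed in a mail header."""


def build_raw_message_naive(sender, recipient, subject, body):
    """Vulnerable pattern: header lines built by concatenating raw form fields."""
    return (f"From: {sender}\r\n"
            f"To: {recipient}\r\n"
            f"Subject: {subject}\r\n"
            f"\r\n{body}\r\n")


def delivery_addresses(raw_message):
    """Every To/Cc/Bcc address an MTA handed this message would deliver to."""
    msg = message_from_string(raw_message)
    values = []
    for field in ("To", "Cc", "Bcc"):
        values.extend(msg.get_all(field, []))
    return [addr for _, addr in getaddresses(values)]


_HEADER_CTL = re.compile(r"[\r\n\x00]")
# Deliberately strict: one bare mailbox, no display name, no comment, no list.
_MAILBOX = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def safe_header_value(value, max_len=200):
    """Reject anything that could terminate the header line."""
    if len(value) > max_len or _HEADER_CTL.search(value):
        raise HeaderInjection("control character or oversized header value")
    return value


def safe_mailbox(value):
    """Accept exactly one bare address; everything else is refused."""
    value = safe_header_value(value.strip(), 254)
    if not _MAILBOX.fullmatch(value):
        raise HeaderInjection("not a single plain mailbox address")
    return value


def build_raw_message_hardened(sender, recipient, subject, body):
    """Same layout as the naive builder, but every header field is validated first."""
    return build_raw_message_naive(safe_mailbox(sender), safe_mailbox(recipient),
                                   safe_header_value(subject), body)


def is_injection_attempt(form):
    """Logging/ban hook: True when a submission would have been refused."""
    try:
        safe_mailbox(form["from"])
        safe_mailbox(form["to"])
        safe_header_value(form["subject"])
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    attack = build_raw_message_naive("blog@example.com", INJECTED_FRIEND,
                                     "A post you may like", "http://blog.example.com/post/1")
    print("naive builder delivers to:", delivery_addresses(attack))
    print("hardened builder refuses it:",
          is_injection_attempt({"from": "blog@example.com", "to": INJECTED_FRIEND,
                                "subject": "A post you may like"}))
```

The validation has to happen on every field that ends up in a header, not just the recipient; a subject field with an embedded newline is just as usable. Note that the hardened builder still lets any visitor mail one address of their choosing, which is the harassment use the second post describes; that is a rate-limiting and fixed-body problem, not a header one.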

4 Oct 20, 2005 17:45

The problem didn't go away when I disabled the friend.php script, so it must be done with a different script. My apologies to Scott. His script was not at fault.

The only pages that show unusual activity are the register and login pages. The register page has been hit almost 3000 times and the login page has had over 4400 hits. None of the other pages on my site show suspicious activity.

5 Oct 20, 2005 19:19

What sort of activity are you seeing on the pages you are concerned about? Is it email related, or not? If so, are emails hitting your server as a result of the "attempts"?

6 Oct 21, 2005 03:56

I'm seeing 4433 hits on register.php over the last 3 days when I don't even have that feature active on my blog. I've also seen over 2700 hits on login.php when I'm the only one who has to login and that's for admin. In the same time period the css file for the skin I use has only been accessed maybe 150 times in the last 3 days.

I renamed friend.php to friend.bak and still got bounced emails. I received 7 of them so far today. I've renamed register.php and login.php to .bak and am waiting to see if that stops the activity.

All of the messages have a subject line in the header similar to this - "Subject: =?iso-8859-1?b?Rmxhd2xlc3MgZHJ1ZyBPZmZlcmluZ3M=?="

The messages themselves have an ascii character as the first letter of each line -
ÂGood Afternoon
ÂOur customers return for our weekly specials.

The two of these taken together seem to imply that this is an actual hijack and not a simple matter of spoofed return addresses.
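The checks a practitioner would run on one of these bounces, added here as an example (not code from the thread or from b2evolution). It takes the header block quoted in the first post, decodes the base64 subject lines from that post and this one, and walks the Received chain to see whether any hop was sent from or received by the blog's own mail host, which is the question the hosting company's sendmail logs answer later in the thread. OWN_MAIL_HOSTS is a placeholder assumption, since the thread never names the server; the two folded continuation lines of the quoted header are re-indented so they parse.

```python
"""Triage of a bounced ('backscatter') message from its headers.

Added example; not code from the thread or from b2evolution. The header block
is the one quoted in post 1, the second subject is from post 6, and the host
set is a placeholder for the blog owner's real mail server.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header

# Hypothetical: the thread does not name the poster's mail host.
OWN_MAIL_HOSTS = {"mail.example-blog.invalid"}

# Header block from post 1, copied as quoted; continuation lines re-indented.
BOUNCE_HEADER = """\
Received: from rubinocrosmer.com [196.35.70.184] by holly.dbwired.com with ESMTP
 (SMTPD32-8.15) id AED6444800F0; Sun, 16 Oct 2005 02:10:30 -0400
Message-ID: <c0bb01c5d217$dc0b8d3b$82cc7a2c@6q8nxx1>
From: "Andres Sheffield" <andressheffieldil@xxxxx.com>
Subject: =?iso-8859-1?B?WW91ciBGaW5hbmNpbmcgU2VydmljZQ==?=
Date: Sun, 16 Oct 2005 06:04:10 +0000
MIME-Version: 1.0
X-Sender: <andressheffieldil@xxxxx.com>
In-Reply-To: <804101c5ce43$7f48adf5$9565d656@8hyv9j1>
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-IMAIL-SPAM-DNSBL: (SpamCop,eed3444800f076cf,127.0.0.2)

"""

# Encoded subject quoted in post 6.
SUBJECT_FROM_POST_6 = "=?iso-8859-1?b?Rmxhd2xlc3MgZHJ1ZyBPZmZlcmluZ3M=?="

# "from <host> [<ip>] ... by <host>" as written by most MTAs.
_HOP = re.compile(r"from\s+(?P<from>\S+)\s+\[(?P<ip>[\d.]+)\].*?\bby\s+(?P<by>\S+)",
                  re.I | re.S)


def decode_encoded_subject(value):
    """Decode an RFC 2047 encoded-word subject (B or Q, any charset) to text."""
    return str(make_header(decode_header(value)))


def received_hops(raw_headers):
    """Return [(from_host, ip, by_host), ...] in the order the headers appear."""
    msg = message_from_string(raw_headers)
    hops = []
    for received in msg.get_all("Received", []):
        m = _HOP.search(received)
        if m:
            hops.append((m["from"].lower(), m["ip"], m["by"].lower()))
    return hops


def relayed_through(raw_headers, own_hosts=OWN_MAIL_HOSTS):
    """True only if some hop was sent from or received by one of our hosts.

    A bounce whose Received chain never touches our MTA was not relayed by a
    form script on our server; the envelope sender was forged elsewhere.
    """
    own = {h.lower() for h in own_hosts}
    return any(f in own or b in own for f, _, b in received_hops(raw_headers))


def triage(raw_headers, own_hosts=OWN_MAIL_HOSTS):
    """One-shot summary of what the bounce actually tells us."""
    msg = message_from_string(raw_headers)
    return {
        "subject": decode_encoded_subject(msg["Subject"]),
        "hops": received_hops(raw_headers),
        "relayed_through_us": relayed_through(raw_headers, own_hosts),
        "dnsbl_flag": msg.get("X-IMAIL-SPAM-DNSBL"),
    }


if __name__ == "__main__":
    for key, value in triage(BOUNCE_HEADER).items():
        print(f"{key}: {value}")
    print("post 6 subject:", decode_encoded_subject(SUBJECT_FROM_POST_6))
```

Put the real server name in OWN_MAIL_HOSTS and run the bounces you have collected through `triage`; if none of them report `relayed_through_us`, the spam did not originate from your web server and the sender address is being forged, which is the same answer the hosting company's sendmail logs give.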

8 Oct 21, 2005 16:37

John,

Thanks for emailing me. I'm glad that the friend.php script wasn't the one hijacked. As per our private discussions, I am eager to learn about the root cause of the problem.

As you suggested, I've rerouted all mail from our server from :blackhole: to a valid email address (did that a couple of days ago) and so far, so good, as I haven't received a single bounced email off our hosting server.

Keep us posted.

Cheers,

-stk :D

9 Oct 23, 2005 01:49

It looks like the problems I've been having are not hijacked forms. I finally got my hosting company to take a look at the sendmail logs and they said the messages are not passing through their server. This means the spammers are spoofing the return address with my domain as the source. There isn't anything I can do about this, because the messages all seem to come from a different source. This is annoying as heck, because I could still end up on a blacklist if the people who maintain it don't check the headers closely enough to realize that the return addresses are false.

I've added a little security to Scott's friend script and intend to dig deeper into the security that is built into those parts of b2evo that use sendmail.

10 Oct 23, 2005 04:49

Ahhh, well, it's good to know that b2evolution is not the source of the problem. Good luck, all the same.

