Is this script being hacked?

Digitelle (Graduate, Posts: 122, Loc: BRKLYN-NY)

Post 3+ Months Ago

A friend of mine in Holland is in a tussle with her hosts, who say that a PHP email form is causing their server to be hacked, as spam is being sent from their domain.

Below is a copy of the script; what we are wondering is whether the script is actually the problem or whether the sysadmins need to beef up their security.

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

    <head>
        <?php require("../includes/meta.txt"); ?>
        <link href="../styles.css" rel="stylesheet" media="screen">
<script language = "javascript" src = "../scripts/rollovers.js"></script>

    </head>

    <body bgcolor="#ffffff" topmargin="0" leftmargin="0" onload = "changeTabs(contact)">
        <table class = "mainTable" border="0" cellspacing="0" cellpadding="0">
            
                <?php require("../includes/header.txt"); ?>
            
            <tr height="20">
                <td align="left" valign="bottom" height="20" background="../images/menuLine.gif">
                    <table border="0" cellspacing="0" cellpadding="0">
                        <tr height="23">
                            <td id="overAbsint" class="menuTabFirstCell"><a href="overAbsint.php"><span class = "menuTabText">Over Absint D&amp;C</span></a><br>
                                <img src="../images/placeholder.gif" alt="" class = "menuCellPlaceholder"></td>
                            <td id = "productenDiensten" class="menuTabUnder" ><a href="productenDiensten.php"><span class = "menuTabText">Producten &amp; Diensten</span></a><br>
                                <img src="../images/placeholder.gif" alt="" class = "menuCellPlaceholder"></td>
                            <td id = "portfolio" class="menuTabUnder" ><a href="portfolio.php"><span class = "menuTabText">Portfolio</span></a><br>
                                <img src="../images/placeholder.gif" alt="" class = "menuCellPlaceholder"></td>
                            <td id = "kennisCentrum" class="menuTabUnder" ><a href="kennisCentrum.php"><span class = "menuTabText">Kenniscentrum</span></a><br>
                                <img src="../images/placeholder.gif" alt="" class = "menuCellPlaceholder"></td>
                            <td id = "nieuws" class="menuTabToTheLeft" ><a href="nieuws.php"><span class = "menuTabText">Nieuws</span></a><br>
                                <img src="../images/placeholder.gif" alt="" class = "menuCellPlaceholder"></td>
                            <td id = "contact" class="menuTabOver" ><a href="contact.php"><span class = "menuTabText">Contact</span></a><br>
                                <img src="../images/placeholder.gif" alt="" class = "menuCellPlaceholder"></td>
                            <td align="center" valign="bottom" width="16" height="23" background="../images/menuRightEdgeOver.gif"><img src="../images/placeholder.gif" alt=""></td>
                        </tr>
                    </table>
                </td>
            </tr>
            <tr>
                <td align="left" valign="top">
                    <table width="100%" border="0" cellspacing="0" cellpadding="0" height="100%">
                        <tr>
                            <td align="center" valign="top" width="300"><img class="menuImage" src="../images/contact/creation.jpg" alt="" width="220" height="146" border="0">
                                <br>
                                <br>
                                <br>
                                <table width="220" border="0" cellspacing="0" cellpadding="0">
                                    <tr>
                                        <td><span class="subHeading">Absint Debat en Communicatie <br>
                                                houdt kantoor te Wormer. <br>
                                                
                                            Onze contactgegevens:</span><br>
                                            <br>
                                            
                                    Bezoekadres:<br>
                                            
                                    Veerdijk XX E<br>
                                            
                                    XXXX MS Wormer<br>
                                            <br>
                                            
                                    Postadres:<br>
                                            
                                    Postbus XXX<br>
                                            
                                    XXXX AD Wormerveer
<br>
                                            <br>
                                            <a href="inschrijven.php">Wilt u inschrijven voor een cursus? klik hier</a></td>
                                    </tr>
                                </table>
                            
                            </td>
                            <td align="center" valign="top" bgcolor="#555555" width="1"><img src="../images/placeholder.gif" alt="" class = "verticalSpacer"></td>
                            <td align="left" valign="top">
                            <div class = "mainText">
<?php

$myemail = " XXXX@gmail.com";
$ccx = "";
$badinput = "";
if(!$visitormail == "" && (!strstr($visitormail,"@") || !strstr($visitormail,".")))
{
echo "<h2>Use Back - Enter valid e-mail</h2>\n";
$badinput = "<h2>Feedback was NOT submitted</h2>\n";
}
if(empty($visitor) || empty($visitormail) || empty($notes )) {
echo "<h2>Use Back - fill in all fields</h2>\n";
}
echo $badinput;

$todayis = date("l, F j, Y, g:i a") ;

$attn = $attn . "(" . $ccopy . ")" ;
$subject = $attn;

$notes = stripcslashes($notes);

$message = " $todayis [EST] \n
Attention: $attn \n
Message: $notes \n
From: $visitor ($visitormail)\n
Additional Info : IP = $ip \n
Browser Info: $httpagent \n
Referral : $httpref \n
";

$from = "From: $visitormail\r\n";

if (($ccopy == "ccyes") && ($visitormail != ""))
mail($visitormail, $subject, $message, $from);

if ($myemail != "")
mail($myemail, $subject, $message, $from);

if ($ccx != "")
mail($ccx, $subject, $message, $from);

?>



Dank je wel <?php echo $visitor ?> , voor je bericht
<br />
Datum: <?php echo $todayis ?>
<br />
Kopie naar afzender: <?php echo $attn ?>
<br />
Content:<br />
<?php $notesout = str_replace("\r", "<br/>", $notes);
echo $notesout; ?>
<br />
<?php echo $ip ?>

</div>
                                    
                            </td>
                        </tr>
                    </table>
                </td>
            </tr>
            <tr height="1">
                <td align="left" valign="top" bgcolor="#555555" height="1"><img src="../images/placeholder.gif" alt="" width="1" height="1" border="0"></td>
            </tr>
            <tr height="16">
                <td align="left" valign="bottom" height="16">
                
                        <?php require("../includes/footer.txt"); ?>
                        
                </td>
            </tr>
        </table>
        
    </body>

</html>

UniquelyYoursPC (Web Master, Posts: 2997, Loc: Canada "A")

Post 3+ Months Ago

Maybe try posting this in the programming forum.
CartikaHosting (Proficient, Posts: 455, Loc: Wishing I was in Kicking Horse)

Post 3+ Months Ago

Quote:
A friend of mine in Holland is in a tussle with her hosts, who say that a PHP email form is causing their server to be hacked, as spam is being sent from their domain.

Below is a copy of the script; what we are wondering is whether the script is actually the problem or whether the sysadmins need to beef up their security.


Yes, I'd certainly say this is possible. Now, the threat to the actual server is quite low; however, the problem becomes that the web server is sending spam messages via sendmail and the server's IP addresses are getting blacklisted (so other users utilizing sendmail on that server will have a hard time getting their messages out). It looks like you are passing $email directly to the mail header, which can be injected with a huge BCC list and its own subject and message.

You really need to wrap some security around this code, specifically to permit values being passed (or not permit them).

Something like this:

Quote:
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // Change these values for your form.
    $To      = "to@domain.com";
    $From    = "from@domain.com";
    $Name    = "Company Name";
    $Xmailer = "www.domainname.com";
    $Attack  = "report.abuse@domain.com";
    $REMOTE_ADDR = $_SERVER['REMOTE_ADDR'];

    // Function used to validate fields for spam injections.
    // Returns the field unchanged when it is clean; when a mail header
    // keyword is found it notifies the admin and stops the request.
    function checkvalue($field, $Attack, $Name, $From, $Xmailer, $REMOTE_ADDR) {
        if (preg_match('/(to|from|cc|bcc):/i', $field)) {
            $adminmessage  = "$Name form was attacked \r\n";
            $adminmessage .= "IP: $REMOTE_ADDR \r\n";
            $adminmessage .= "User Agent: " . (isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '') . "\r\n";
            $adminmessage .= "http://www.dnsstuff.com/tools/whois.ch?ip=$REMOTE_ADDR \r\n";
            $adminmessage .= "Modsecurity Rule: SecFilterSelective REMOTE_ADDR \"" . str_replace(".", "\.", $REMOTE_ADDR) . "\"\r\n";
            $adminmessage .= "SPAMMERS ATTACK: \r\n" . stripslashes($field) . "\r\n";
            $headers = "X-Mailer: $Xmailer\r\nReply-To: $From\r\nFrom: $From";

            if (mail($Attack, "Attack on $Name", $adminmessage, $headers)) {
                die("You are attacking our mail form. We have blocked your attempt and logged your ip to report to authorities.");
            } else {
                die("You are attacking our mail form. We have blocked your attempt and logged your ip to report to authorities. Failed to send admin an email");
            }
        }
        return $field;
    }

    // variables received from form post
    // check each value for invalid entries
    $Email   = checkvalue(isset($_POST['Email'])   ? $_POST['Email']   : '', $Attack, $Name, $From, $Xmailer, $REMOTE_ADDR);
    $Subject = checkvalue(isset($_POST['Subject']) ? $_POST['Subject'] : '', $Attack, $Name, $From, $Xmailer, $REMOTE_ADDR);
    $Message = checkvalue(isset($_POST['Message']) ? $_POST['Message'] : '', $Attack, $Name, $From, $Xmailer, $REMOTE_ADDR);

    // strip out slashes from post (only needed when magic_quotes_gpc is on)
    $Email   = stripslashes($Email);
    $Subject = stripslashes($Subject);
    $Message = stripslashes($Message);

    if (preg_match('/^([0-9a-z]+[-._+&])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}$/i', $Email)) {

        $headers = "X-Mailer: $Xmailer\r\nReply-To: $Email\r\nFrom: $Email";

        // all checks passed, try to send mail
        if (mail($To, $Subject, $Message, $headers)) {
            echo "Your Email address has been added to our mailing list.";
        } else {
            echo "Failed to send message. Please contact: " . $To;
        }

    } else {

        // invalid email detected, notify user.
        echo "Your email address was invalid, Please retry entering your email address.";

    }

} else {

    // htmlspecialchars() stops the script path being used to inject markup into the form
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
    echo "<form name=\"form1\" method=\"post\" action=\"$self\">";
    echo "Email: <input name=\"Email\" type=\"text\"><BR>";
    echo "Subject: <input name=\"Subject\" type=\"text\"><BR>";
    echo "Message : <textarea name=\"Message\"></textarea><BR>";
    echo "<input name=\"Submit\" type=\"submit\" value=\"Submit\">";
    echo "</form>";

}
?>
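The injection this thread is about happens when a visitor-supplied value reaches the header argument of mail() with a line break in it. As an added example, not code from this thread, from Digitelle's script or from the wp-contactform project, here is the mail-sending part of such a form written the way a defender would: every single-line field is rejected and logged if it contains CR, LF or NUL (which catches any injected header name, not just the four keywords checked above), the address is validated with filter_var(), and From: is pinned to the site's own address with the visitor only in Reply-To:. The function names, $siteFrom, the example.com addresses and the two sample submissions are all constructed for this example.

```php
<?php
// Added example: a contact-form mailer hardened against header injection.
// sendContactMail(), hasHeaderInjection(), isValidEmail() and the sample
// data below are assumptions made for this illustration.

// A CR, LF or NUL in a header field is what lets an extra header line
// (such as a Bcc:) be smuggled in, so rejecting the line break itself
// covers every header name rather than a keyword list.
function hasHeaderInjection($value) {
    return preg_match('/[\r\n]/', $value) === 1 || strpos($value, "\0") !== false;
}

// Proper address validation instead of the "contains @ and ." test.
function isValidEmail($email) {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false && !hasHeaderInjection($email);
}

// $fields: the submitted visitor, visitormail and notes values.
// $myemail: where the form is delivered; $siteFrom: a fixed From: address
// on our own domain. $send defaults to mail() and can be swapped for a
// callable when testing so nothing is actually sent.
function sendContactMail($fields, $myemail, $siteFrom, $send = 'mail') {
    foreach (['visitor', 'visitormail', 'notes'] as $name) {
        if (!isset($fields[$name]) || trim($fields[$name]) === '') {
            return ['ok' => false, 'reason' => "missing $name"];
        }
    }
    // Only single-line fields are header candidates; the body may contain newlines.
    foreach (['visitor', 'visitormail'] as $name) {
        if (hasHeaderInjection($fields[$name])) {
            // Log the attempt for the sysadmin and send nothing.
            $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
            error_log("contact form: header injection attempt from $ip in field $name");
            return ['ok' => false, 'reason' => "header injection in $name"];
        }
    }
    if (!isValidEmail($fields['visitormail'])) {
        return ['ok' => false, 'reason' => 'invalid e-mail'];
    }

    // Subject is built from our own text plus a newline-stripped, length-limited name.
    $subject = 'Contact form: ' . substr($fields['visitor'], 0, 78);
    $message = date('l, F j, Y, g:i a') . "\n"
             . "From: {$fields['visitor']} ({$fields['visitormail']})\n"
             . "Message:\n{$fields['notes']}\n";
    // The visitor address appears only in Reply-To:, never in From:.
    $headers = "From: $siteFrom\r\n"
             . "Reply-To: {$fields['visitormail']}\r\n"
             . "X-Mailer: PHP/" . phpversion();

    $ok = $send($myemail, $subject, $message, $headers);
    return ['ok' => (bool) $ok, 'reason' => $ok ? 'sent' : 'mail() failed'];
}

// Constructed sample submissions, run only from the command line.
if (PHP_SAPI === 'cli') {
    // Stand-in for mail() so the demo runs offline.
    $fakeSend = function ($to, $subject, $message, $headers) { return true; };

    $clean = ['visitor' => 'Jan', 'visitormail' => 'jan@example.com',
              'notes' => "Hallo,\nik heb een vraag over de cursus."];
    $injected = ['visitor' => 'Jan',
                 'visitormail' => "jan@example.com\r\nBcc: someone@example.net",
                 'notes' => 'x'];

    var_dump(sendContactMail($clean, 'owner@example.com', 'noreply@example.com', $fakeSend));
    var_dump(sendContactMail($injected, 'owner@example.com', 'noreply@example.com', $fakeSend));
}
```

Run it with `php` on the command line: the first submission reports `ok => true`, the second is refused with `header injection in visitormail` and a line in the PHP error log, which is the signal a sysadmin can alert on. In production, drop the $send argument so the real mail() is used.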
Digitelle (Graduate, Posts: 122, Loc: BRKLYN-NY)

Post 3+ Months Ago

Thanks for the suggestion, I have passed it on. For posterity, this script is for WordPress and apparently my friend is not the only one who has found holes in it.

http://ryanduff.net/projects/wp-contactform/
http://www.davidseah.com/archives/2005/ ... am-attack/
http://www.gerd-riesselmann.net/archive ... tact-forms
CartikaHosting (Proficient, Posts: 455, Loc: Wishing I was in Kicking Horse)

Post 3+ Months Ago

Digitelle wrote:
Thanks for the suggestion, I have passed it on. For posterity, this script is for WordPress and apparently my friend is not the only one who has found holes in it.


Hi Digitelle,

Oh, I certainly believe you. A lot of mailing scripts are being compromised right now, keeping us all on our toes :)
benoitb (Graduate, Posts: 114, Loc: Washington, DC)

Post 3+ Months Ago

Digitelle wrote:
A friend of mine in Holland is in a tussle with her hosts, who say that a PHP email form is causing their server to be hacked, as spam is being sent from their domain.

Below is a copy of the script; what we are wondering is whether the script is actually the problem or whether the sysadmins need to beef up their security.


The answer to that is always both.
CartikaHosting (Proficient, Posts: 455, Loc: Wishing I was in Kicking Horse)

Post 3+ Months Ago

Quote:
The answer to that is always both.


LOL, fair enough, but there's only so much security and so many custom mod_security rules you can script to cover up for vulnerable scripts.

Almost every major application has released a patch to address this vulnerability. End of the day, customers need to keep their scripts updated :)

http://drupal.org/node/34181

http://www.oscommerce.com/community/contributions,3534

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.