Spam "Artists" Can Trick A Non-Spamming Website To Send Spam Emails It was the evening of Friday 16th June 2006, and I was rounding up the updates on my websites, when I decided to search online for and install another site recommendation script on my website in place of the one that for some reason I could not fathom, continued to return a "500 - Internal Server Error" error. The Google search results page threw up a slew of referral scripts offering from various authors - some free, others for sale. At this time I was just keen to test and see if I could get one to work on my site. Soon I settled for one called "The PCman Website Refer a Friend" Within minutes, I had it installed and running. One thing I did not do, and which I would advise (based on the benefit of painful hindsight) ANYONE who uses third party scripts on his/her site to do, is to check and confirm the programmer has taken pains to secure the script code against exploitation (Specific details/links to URL resources on how to go about this provided further down). Note: It was only after the event, and following prompts from my hosts that I checked and found the PCManrefer script had inadequate security written into the code. The resulting "security hole" was what the hacker later exploited remotely to launch a massive spam attack. On Tuesday 20th June 2006 a.m, I tried to log into my web hosting account to upload files, but noticed the ftp tool I was using kept returning an "incorrect password" message. After trying repeatedly, and confirming I was using the correct password, I decided to try logging in to my webmail - so as to send an email to the support department for assistance. This presented a problem as well. Each time, I tried, I got a message like "Dropped by ISMAP server". Now quite alarmed, I decided to type the URL to my website - http://www.spontaneousdevelopment.com. My worst fears came to pass - The browser printed a "Page Not Found" message in bold! At this point, I promptly went to my host's website and initiated a chat session with the operator. The following chat conversation took place: -----start of chat session------ : Hello! How may I help you? : hi Visitor42152: Hi Visitor42152: I cannot login to my webmail or access my entire website Visitor42152: MY reg no is : We are writing to inform you that during the past 30 minutes your web hosting account (username = deleted) has sent 625 messages to the email subsystem of the hosting server. This is in violation of our terms of services, and as such, any websites : belonging to that account have been taken offline. : In order to reactivate your account you will need to contact our support department and agree not to abuse our servers again. Any further incidents like this will cause our system to remove your account completely and without warning Visitor42152: I am working from a cyber cafe I normally do not use though it's close to my home Visitor42152: I am certain this is due to activities of email hackers who use the same ISP as these guys : send an email to Visitor42152: How long will it take to resolve this? : 6 -12 hours ---End of chat session------ Well, I did not get it resolved in 12 hours. In fact, by the time I was finished exchanging emails with the support department, I learnt my account would be suspended for 7 days, with the warning that if it happened again, my account would be reconsidered for termination without notice. How They Did It (i.e. Hijacking My Website Referral Script's Form Post) Below, I reproduce the exact text of the explanation given by my host's Abuse Department, when I requested for details that could help me understand how the problem had occurred, and what I could do to prevent a re-occurrence. You will notice that the Perl script I installed (i.e "pcmanrefer.pl") some days before the problem, was identified by the administrator as one of three found to have poor security built into their code. --- "Aplus.Net Abuse Department" wrote (I have re-arranged - but NOT edited - the text for readability): > Hello, > Basically the attack is performed on scripts that trust the information that the submitter enters and are therefore easily exploitable. You can refer to these two documents that describe in details this very specific attack: http://www.anders.com/projects/sysadmin/formPostHijacking/ http://www.nyphp.org/phundamentals/email_header_injection.phpI have reviewed the spam evidence sent to us and in the headers the subject is different every time which means the script used is taking the input data from the visitor and doesn't edit it at all: Subject: Incredibly undervalued, you'll not want to miss this opportunity the protracted I have found several such scripts in your FTP space: /cgi-bin/mailer/simplemail.pl /cgi-bin/mailer/mailer.pl /cgi-bin/pcmanrefer.plThere might be others that are compromiseable too but you know better the structure of your website and which exactly script is sending the data unchanged. The bottom line is to filter out all input data as suggested in the two articles above. Thank you,
Clues Left Behind By The Hacker In My Server Space When I eventually gained access to my server space, I found confirmation that it was indeed the "pcmanrefer.pl" script that had been exploited: Its referral log file (refer-log.txt), had grown to a massive 11.1 Megabytes size(many million bytes up from its 0 bytes size when I uploaded it less than 9 days before)! Opening the file revealed huge volumes of email addresses and message contents, originating from bogus "addresses" at my sub domain e.g. InvestorsWeekly@spontaneousdevelopment.com; my@spontaneousdevelopment.com; stephannie@www.spontaneousdevelopment.com ("who is SHE'", I said to myself) - and many, many more! The Attack Had A Negative Multiplier Effect - Which Is Why You Would Be Wise To Prevent It Happening When my hosting account was suspended, my websites could not be visited, nor could I access mails sent to my webmail account at my domain during that seven day period. But that was just one side of it. ALL the short URLs that I had created to point to various sub domains on my main website were put up for removal by the service provider, who placed a bookmark update link on a page leading the to home page - with the following message: "Due to enormous phishing spam with our sub domains () we will close this short url re-direction. Please update your bookmarks. " One example of short URL that was affected by this problem is http://www.cbsolutions.v27.net, which points to cbsolutions.spontaneousdevelopment.com - the mini site for my Creative Business Solutions(CB Solutions) delivery service. My mind raced back to all the articles I had published at the Ezine articles directory, in which I had used the short URL addresses in the resource boxes invitation to readers(at the end of the article). A number of those articles carrying the short URLs had been syndicated on other websites, where I would not have access to make changes to them. I realised that it would only be a matter of time before readers of some of my articles would find themselves confronted with a "Page Not Found" browser error, or a general advert page for domain names sales etc - instead of my site: Definitely not good for the image I was trying to build online! I provide the above details to give you an idea of just how bad this can be - so you can really understand why it would be in your best interest to make sure you never leave yourself open to the extent that this type of problem can affect your website. Taking Action To Prevent (Future) Attacks I deleted the "pcmanrefer.pl" script and the other two that were identified by the hosting provider's administrator (see email above). I also removed another mailing list managment CGI script that I installed a month before. In a way, I felt like I was taking medicine after death. :-) But at least by this time, I actually had a better idea of WHAT had happened, HOW, and WHY - and what I could do to protect myself for the future. Next, I visited the URLs emailed to me by my web host. Out of curiosity, I also did a number of searches on Google, to see what else I could learn about "form post hijacking", and spamming in general. Below, I provide links to some useful resources I found. If you own a website, I think you will want to spend some time studying them. IMPORTANT NOTE: 1. It would interest you to know that I no longer use a site referral script on my wesbsite. Instead I have developed a simple email recommendation template that anyone who is so keen to tell another about my site can use. Visit http://www.spontaneousdevelopment.com/referus.htm to see what i mean. There are many other effective ways to get marketing exposure for a website, and I am currently modifying my website design/marketing strategy to accommodate them. As time goes on, visitors to my website will see ample evidence of this. 2. Some of the resources whose URLs are listed below, were published as far back as 2002, so they might not exactly offer relevant or effective remedies that can be successfully applied today. However, the educational value they offer towards understanding the problem(s), in my opinion, would still make them worth a visit. So, with that note of warning, I wish you happy reading and good luck in your fight to protect your website against exploitation. Useful Learning/Problem-Solving Resources 1. Using Apache to stop bad robots | evolt.org - by Daniel Cody http://www.evolt.org/article/Using_Apache_to_stop_bad_robots/18/15126/ 2. Why Some Scripts are dangerous to use on your Website - http://webnet77.com/help/dangers.html 3. http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay - By Anders Brownworth Interesting Crack Attempt to Relay Spam (Comment: this is actually a precursor to the full article referred to me by my web host titled "Form Post Hijacking - How to solve the problem.") 4. By Anders Brownworth - Form Post Hijacking - How To Solve The Problem article author http://www.anders.com/projects/sysadmin/formPostHijacking/ 5. http://handsonhowto.com/cgi101.html - A Hands-On How-To(Securing the CGI script section - useful) - from Brass Cannon Consulting 6. WWW Security FAQ: CGI Scripts - http://www.w3.org/Security/Faq/wwwsf4.html -by Lincoln Stein (lstein@cshl.org) and John Stewart (jns@digitalisland.net) - hosted by the World Wide Web Consortium (W3C) as a service to the Web Community. 7. Stopping Spambots: A Spambot Trap - http://www.neilgunton.com/spambot_trap/ 8. How to block spambots, ban spybots, and tell unwanted robots to go ... Spamming of referer logs is a growing nuisance, http://diveintomark.org/archives/2003/02/26/how_to_ block_spambots_ban_spybots_and_tell_unwanted_robots_to_go_to_hell |
