The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
How can spammers abuse my Apache sendmail?

Hi All,

I am at a loss here... I had vB 3.6 from around 2008 and didn't upgrade until recently to vB 4.2.1. The 3.6 was just with the standard default captcha and 1 required field, nothing else spam prevention related, as I moderate new registered users until after their first post. About 1 month ago my host told me that the /var drive was filling up and that they could see millions of spooled files in sendmail, and that they were guessing that addmember.php was the culprit. They deleted mails and files from the sendmail spool in the size of 380GB! Their suggestion was to upgrade to the latest vB version and install some additional spam mods. I did, and installed:

No captchas no images mod: https://vborg.vbsupport.ru/showthread.php?t=289463
Spam-o-matic rename register mod: https://vborg.vbsupport.ru/showthread.php?t=297834

Now, after the upgrade and the installs of various spam blocking mods, sendmail is still being abused, even though not to the same extent. So the question remains: how is it possible to simply bypass all the security checks and get access to sendmail for spamming purposes? (Not for spamming my forum, but for sending out spam mails to the world like "buy viagra" and crap like that.) My hosting is currently monitoring the Apache log file to see if they can see something. They wrote this:

"Problem remains that someone or multiple people are able to get around captcha checks etc. in the vBulletin software even though it has been upgraded and many security checks have been installed. I am currently running a capture ngrep -l -q -d eth1 "^POST " tcp and port 80 > /tmp/trace.out 2>&1 in a screen session so someone should be able to pick it up later and stop it and examine the log files in /tmp/trace.out. It seems pretty clear that they are getting past all of the security checks in forum/232r24rgnewfb2013.php (addmember function) and we should be able to derive where it is failing from the logged things in that file and comparing to the php file."

Have any of you guys had something similar happen to you, where spammers got access to send out spam from your server, and if so how did you close the hole? Any help or suggestions would be greatly appreciated!

After the upgrades and security installs, with sendmail flushed 2 days ago, the number of spooled emails on sendmail right now is rising: 22.648 <-- maybe 50 of these are legit.

UPDATE: This is my chat script from some minutes ago with my hosting, where a Tier 3 engineer discovered an injection hole in register.php:

Steven Davis: So it appears to be the register.php script that has a hole that is allowing people to send email through it
Customer: wow, really?
Steven Davis: I have blocked a few IPs that kept hitting that page over and over again, yup
Customer: how is that possible? I mean, what makes you believe that?
Steven Davis: because after looking at the logging that Craig was doing and seeing a specific IP address hit that page over and over and over again, it made it pretty obvious.
Customer: the hitting of register.php should be bots trying to register to spam the forums
Steven Davis: Here are the top abusers:
Steven Davis:
20 client.yota.ru
21 112.101.64.107
21 ks3324546.kimsufi.com
22 199.15.233.135
24 142.4.204.33
26 ks3324731.kimsufi.com
27 host20-165-dynamic.25-79-r.retail.telecomitalia.it
27 hosted-by.slaskdatacenter.pl
36 p5dc37a5f.dip0.t-ipconnect.de
37 sol-fttb.114.153.118.46.sovam.net.ua
41 83-168-126-150.static.espol.com.pl
43 175.44.59.210
48 ks352475.kimsufi.com
49 host144-96-dynamic.25-79-r.retail.telecomitalia.it
59 198.204.239.116
67 91.207.6.154
80 ns4010162.ip-192-99-6.net
98 88-190-63-46.poneytelecom.eu
171 176.31.235.153.megaservers.us
174 137.175.13.33
258 198.2.218.1
281 137.175.11.1
288 91.121.62.208
421 192.95.20.134
459 ns4009215.ip-192-99-8.net
505 199.15.233.141
633 87.98.186.59
Customer: ok, but what makes you think that because they try and register they get access to sendmail? Like in the last 1 hour or so I have around 150 bots blocked by the spam hammer from registering to the forum, but that doesn't give them access to send mails through sendmail, if you know what I mean
Steven Davis: No, it appears that there is a security hole that they have found that exploits a bug in the registration script that is sending email.
Customer: hmm, do you see any of these who tried to register that now are sending mails to the sendmail queue? Or do you assume they do? Pretty important, as I'm about to contact the vBulletin forum site considering the server crashing with 380GB mail files 2 weeks ago
Steven Davis: I saw the same IP address hitting that register script every second for about 10 minutes.
Customer: yeah, I don't mind that; what I mind is somebody is abusing our server sendmail. Someone trying to keep registering, that's not an issue, they just keep running into a brick wall, and they now need to pass 3 brick walls before getting a mail "your membership is awaiting moderation"
Steven Davis: It is not that someone is trying to register over and over, it is that they have found a way to inject their own email and have your server send the email out.
Customer: really? And you are 100% sure that is what is going on there from what you can see in the Apache log?
Steven Davis: About 99% sure at this point.
Customer: I'm speechless. Are you still investigating, or is that your conclusion?
Steven Davis: That is my conclusion.

Can vBulletin help with getting this shut down? I really need to get this hole closed so the abuse of my server can stop!
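The hosting engineer's evidence in the post is a per-client count of POST hits to register.php, plus the observation that one client hit the script once a second for about ten minutes. The script below is an added example (not code from the post, the host, or vBulletin) that reproduces that kind of triage from an Apache combined-format access log: it keeps only POSTs whose path contains register.php, counts them per client address, and measures the largest burst any client produced inside a sliding 10-second window, so that a single rapid-fire client stands out from slow, scattered registration attempts. The log lines, addresses and thresholds are constructed for the example; nothing here identifies how the form is being abused, it only ranks who is hammering it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation-range addresses, not real traffic from the page).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2014:10:00:01 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2014:10:00:02 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2014:10:00:03 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2014:10:00:04 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2014:10:00:05 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2014:10:00:06 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2014:10:00:07 +0000] "POST /forum/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2014:10:05:00 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2014:10:07:00 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2014:10:09:00 +0000] "GET /forum/register.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2014:10:09:30 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'this line is not a valid log record',
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def register_posts(lines, path_substring="register.php"):
    """Map client address -> list of timestamps of POSTs to the registration script."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and path_substring in rec["path"]:
            hits[rec["ip"]].append(rec["ts"])
    return hits


def max_burst(timestamps, window_seconds=10):
    """Largest number of hits that fall inside any window_seconds span (sliding window)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def top_abusers(lines, min_hits=3, window_seconds=10):
    """Rows of (ip, total POSTs, max burst), busiest first, for clients at or above min_hits."""
    hits = register_posts(lines)
    rows = [(ip, len(t), max_burst(t, window_seconds)) for ip, t in hits.items()]
    rows = [r for r in rows if r[1] >= min_hits]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    # Same shape as the engineer's "count host" listing, plus the burst column.
    for ip, total, burst in top_abusers(SAMPLE_LOG, min_hits=1):
        print(f"{total:5d} {ip:<16} max {burst} POSTs in 10s")
```

On a real server, feed it the access log (or the request lines recovered from the ngrep trace the host mentioned) and raise min_hits to a level that normal users never reach; the burst column is what separates an automated client from a human retrying a form.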