The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
How can Spammers abuse my apache sendmail?
Hi All,
I am at a loss here... I had vb 3.6 from around 2008 and didn't upgrade until recently to vb 4.2.1. The 3.6 was just with standard default captcha and 1 required field, nothing else spam prevention related, as I moderate new reg users until after first post. About 1 month ago my host told me that the var/ drive was filling up and that they could see millions of spooled files in sendmail and that they were guessing that addmember.php was the culprit. They deleted mails and files from the sendmail in the size of 380GB! Their suggestion was to upgrade to the latest vb version and install some additional spam mods. I did, and installed the No captchas no images mod: https://vborg.vbsupport.ru/showthread.php?t=289463 and the Spam-o-matic rename register mod: https://vborg.vbsupport.ru/showthread.php?t=297834

Now after the upgrade and installs of various spam blocking mods the sendmail is still being abused, even though not to the same extent. So the question remains: how is it possible to simply bypass all the security checks and get access to sendmail for spamming purposes? (Not for spamming my forum but for sending out spam mails to the world like buy viagra and crap like that.)

My hosting is currently monitoring the apache log file to see if they can see something. They wrote this:

"Problem remains that someone or multiple people are able to get around captcha checks etc. in the vbulletin software even though it has been upgraded and many security checks have been installed. I am currently running a capture ngrep -l -q -d eth1 "^POST " tcp and port 80 > /tmp/trace.out 2>&1 in a screen session so someone should be able to pick it up later and stop it and examine the log files in /tmp/trace.out. It seems pretty clear that they are getting past all of the security checks in forum/232r24rgnewfb2013.php (addmember function) and we should be able to derive where it is failing from the logged things in that file and comparing to the php file."
Have any of you guys had something similar happen to you where spammers got access to send out spam from your server, and if so, how did you close the hole? Any help or suggestions would be greatly appreciated! After the upgrades and security installs, and sendmail flushed 2 days ago, the number of spooled emails on sendmail right now is rising: 22.648 <-- Maybe 50 of these are legit.

UPDATE: This is my chat script from some minutes ago with my hosting, where a Tier 3 engineer discovered an injection hole in register.php:

Steven Davis: So it appears to be the register.php script that has a hole that is allowing people to send email through it
Customer: woow really?
Steven Davis: I have blocked a few ips that kept hitting that page over and over again, yup
Customer: how is that possible, i mean what makes u believe that?
Steven Davis: because after looking at the logging that Craig was doing and seeing a specific IP address hit that page over and over and over again, it made it pretty obvious.
Customer: the hitting of register.php should be bots trying to register to spam the forums
Steven Davis: Here are the top abusers:
Customer: ok but what makes u think that because they try and register they get access to send-mail? like the last 1 hour or so i have around 150 bots blocked by the spam hammer from registering to the forum, but that doesn't give them access to send mails thru send-mail, if u know what i mean
Steven Davis: No, it appears that there is a security hole that they have found that exploits a bug in the registration script that is sending email.
Customer: hmm, do u see any of these who tried to register that now are sending mails to the send-mail queue? or u assume they do? pretty important as im about to contact the vbulletin forum site considering the server crashing with 380GB mail files 2 weeks ago
Steven Davis: I saw the same IP address hitting that register script every second for about 10 minutes.
Customer: yeah i dont mind that, what i mind is somebody is abusing our server sendmail. someone trying to keep registering, that's not an issue, they just keep running into a brick wall, and they now need to pass 3 brick walls before getting a mail "ur membership is awaiting moderation"
Steven Davis: It is not that someone is trying to register over and over, it is that they have found a way to inject their own email and have your server send the email out.
Customer: really? and u are 100% sure that is what is going on there from what u can see in the apache log?
Steven Davis: About 99% sure at this point.
Customer: im speechless. U still investigating or is that ur conclusion?
Steven Davis: That is my conclusion.

Can vbulletin help with getting this shut down? I really need to get this hole closed so the abuse of my server can stop!
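A defender-side way to do what the host did by eye (spot one source hammering the registration script with POSTs while the mail queue fills), as an added example that is not from this thread or from vBulletin: it parses Apache combined-log lines, with a few constructed sample lines embedded, and flags clients whose POSTs to the script exceed a threshold inside a sliding time window. The script name, window length and threshold are assumptions to adjust per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache combined-log lines (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Sep/2013:05:40:01 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2013:05:40:02 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2013:05:40:03 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2013:05:40:04 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Sep/2013:05:41:10 +0000] "GET /forum/register.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Sep/2013:05:42:30 +0000] "POST /forum/register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Sep/2013:05:43:00 +0000] "POST /forum/showthread.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Fields of the combined log format we need: client, timestamp, method, path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, datetime, method, path-without-query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]

def post_bursts(log_text, script="register.php", window_s=60, threshold=3):
    """Map each client to its densest run of POSTs to `script` (max POSTs seen in any
    window_s-second window); only clients at or above `threshold` are returned."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "POST" and path.endswith("/" + script):
            times[ip].append(ts)
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):       # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Feed it the real access log (or the `/tmp/trace.out` capture after extracting client and request lines) and compare flagged clients against the sendmail queue growth; a hit on register.php alone is not proof of abuse, as the thread's own exchange shows, so the output is a shortlist for correlation, not a blocklist.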
#2
Are you using the suite? Did you disable the blogs, or the guest usergroups ability to use send email to friend from the blog?
#3
You may want to check for any open relays on your mailserver too.
#4
Yes, i disabled everything so it was as close to the vb3.6 options as possible: no blogs, no cms, no groups, no catalogs, no extras enabled versus 3.6. All public email options are shut off, all registered members' email options are shut off = members not allowed to use the email feature. The Contact us button is just a mailto link for the email address, not a form or its own page. Ooh, and i have htaccess restricted to my own ip only for the renamed admin folder.
#5
In User Group permissions there are a few options for Can Use Email to Friend; make sure these are off.
#6
Steven Davis: it is not configured as an open relay. it is only relaying emails from the server.

--------------- Added 2013-09-17 (timestamp 1379396944) ---------------

I just double checked and it is set to NO for both guests and registered users.
#7
I have noticed on my vb4.2.0pl3 build that setting that to off, for some reason, only applies itself to the guests, even though it is set off for members too. Members still have access, even unconfirmed members. I know that isn't an add-on issue, but I removed the functionality physically from my setup. It doesn't sound like you are getting this from registered members though, from what I can tell.
#8
When i try to moderate new awaiting users and click accept for like 10 new users it takes like 10 min for the page to refresh back to the admin control panel, where before i could accept like 130 new users in 5 seconds. All because of the backlog of the mail queue. I know we can flush sendmail but that won't solve the security hole, as it just keeps climbing in queued mails.
#9
There is no such code in the default product.
#10
There are two places for each usergroup where email can be sent:
1) Can Use Email to a Friend
2) Can Email Members
Be sure both of those are turned off for these usergroups..
Unregistered / Not Logged In
Users Awaiting Email Confirmation
Users Awaiting Confirmation
and optionally..
Registered Users
Any other usergroups you want to turn it off for.

If mail is still being sent out after doing that, then it's one of four things..
1) You have an add-on that's sending the mail.
2) Your mail account has been hacked.
3) Your site has been hacked.
4) Your server itself has been hacked.