vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions

#1
09-17-2013, 02:44 AM
mefromspace
Join Date: Aug 2004
Posts: 33

How can Spammers abuse my apache sendmail?

Hi All,

I am at a loss here...

I had vb 3.6 from around 2008 and didn't upgrade until recently to vb 4.2.1.

The 3.6 was just with the standard default captcha and 1 required field, nothing else spam prevention related, as I moderate new reg users until after their first post.

About 1 month ago my host told me that the var/ drive was filling up and that they could see millions of spooled files in sendmail and that they were guessing that addmember.php was the culprit. They deleted mails and files from sendmail in the size of 380GB!

Their suggestion was to upgrade to latest vb version and install some additional spam mods.

I did, and installed the following:
No captchas no images mod: https://vborg.vbsupport.ru/showthread.php?t=289463
Spam-o-matic
rename register mod: https://vborg.vbsupport.ru/showthread.php?t=297834

Now, after the upgrade and installs of various spam blocking mods, sendmail is still being abused, even though not to the same extent.

So the question remains: how is it possible to simply bypass all the security checks and get access to sendmail for spamming purposes? (Not for spamming my forum but for sending out spam mails to the world, like buy viagra and crap like that.)

My hosting is currently monitoring the apache log file to see if they can see something.
They wrote this:

"Problem remains that someone or multiple people are able to get around captcha checks etc. in the vbulletin software even though it has been upgraded and many security checks have been installed.

I am currently running a capture

ngrep -l -q -d eth1 "^POST " tcp and port 80 > /tmp/trace.out 2>&1

in a screen session, so someone should be able to pick it up later, stop it and examine the log files in /tmp/trace.out.

It seems pretty clear that they are getting past all of the security checks in forum/232r24rgnewfb2013.php (addmember function) and we should be able to derive where it is failing from the logged things in that file and comparing to the php file!"


Have any of you guys had something similar happen to you, where spammers got access to send out spam from your server, and if so, how did you close the hole?

Any help or suggestions would be greatly appreciated!
After the upgrades and security installs, and with sendmail flushed 2 days ago, the number of spooled emails on sendmail is right now rising: 22.648 <-- Maybe 50 of these are legit.



UPDATE:
This is my chat script from some minutes ago with my hosting, where a Tier3 Engineer discovered an injection hole in register.php:


Steven Davis: So it appears to be the register.php script that has a hole that is allowing people to send email through it.
Customer: woow really?
Steven Davis: I have blocked a few IPs that kept hitting that page over and over again.
yup
Customer: how is that possible, i mean what makes u believe that?
Steven Davis: because after looking at the logging that Craig was doing and seeing a specific IP address hit that page over and over and over again, it made it pretty obvious.
Customer: the hitting of register.php should be bots trying to register to spam the forums
Steven Davis: Here are the top abusers:
Customer: ok but what makes u think that because they try and register they get access to sendmail?
like the last 1 hour or so i have around 150 bots blocked by the spam hammer from registering to the forum
but that doesn't give them access to send mails through sendmail if u know what i mean
Steven Davis: No, it appears that there is a security hole that they have found that exploits a bug in the registration script that is sending email.
Customer: hmm
do u see any of these who tried to register that are now sending mails to the sendmail queue?
or do u assume they do?
pretty important as i'm about to contact the vbulletin forum site, considering the server crashing with 380GB mail files 2 weeks ago
Steven Davis: I saw the same IP address hitting that register script every second for about 10 minutes.
Customer: yeah i don't mind that, what i mind is somebody abusing our server sendmail
someone trying to keep registering, that's not an issue, they just keep running into a brick wall, and they now need to pass 3 brick walls before getting a mail "ur membership is awaiting moderation"
Steven Davis: It is not that someone is trying to register over and over, it is that they have found a way to inject their own email and have your server send the email out.
Customer: really? and u are 100% sure that is what is going on there from what u can see in the apache log?
Steven Davis: About 99% sure at this point.
Customer: i'm speechless. U still investigating or is that ur conclusion?
Steven Davis: That is my conclusion.

Can vbulletin help with getting this shut down?

I really need to get this hole closed so the abuse of my server can stop!
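The hosting engineer's observation above (one IP hitting the register script every second for about ten minutes) can be turned into a repeatable check on the Apache access log instead of a one-off ngrep capture. This is an added example, not code from the thread or from vBulletin: it counts POSTs to register.php per client IP inside a sliding window and flags IPs that reach a threshold. The path /forum/register.php, the 60-second window, the threshold of 30 and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access log: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]

def flag_register_floods(lines, script="/forum/register.php", window_s=60, threshold=30):
    """Count POSTs to the registration script per client IP inside a sliding window.
    Returns {ip: peak_posts_in_window} for every IP that reaches the threshold."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        # Drop the query string: register.php?do=addmember is still register.php.
        if method == "POST" and path.split("?", 1)[0] == script:
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans less than window_s seconds.
            while (ts - stamps[start]).total_seconds() >= window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample: 192.0.2.10 posts once a second for 45 s, 198.51.100.7 once."""
    base = datetime(2013, 9, 17, 2, 40, 0, tzinfo=timezone.utc)
    post = '{ip} - - [{ts}] "POST /forum/register.php?do=addmember HTTP/1.1" 200 512'
    lines = [post.format(ip="192.0.2.10", ts=(base + timedelta(seconds=i)).strftime(TS_FMT))
             for i in range(45)]
    lines.append('198.51.100.7 - - [17/Sep/2013:02:39:50 +0000] "GET /forum/register.php HTTP/1.1" 200 9000')
    lines.append(post.format(ip="198.51.100.7", ts=base.strftime(TS_FMT)))
    return lines
```

Run it against a real access log by passing the file's lines to flag_register_floods and adjusting the script path to the renamed registration file.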
#2
09-17-2013, 04:13 AM
Zachery
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

Are you using the suite? Did you disable the blogs, or the guest usergroups ability to use send email to friend from the blog?
#3
09-17-2013, 04:30 AM
smirkley
Join Date: Apr 2008
Posts: 627

You may want to check for any open relays on your mailserver too.
#4
09-17-2013, 04:33 AM
mefromspace
Join Date: Aug 2004
Posts: 33

Quote (Originally Posted by Zachery):
Are you using the suite? Did you disable the blogs, or the guest usergroups ability to use send email to friend from the blog?
Yes, I purchased the suite.
Yes, I disabled everything so it was as close to the vb3.6 options as possible:
no blogs
no cms
no groups
no catalogs
no extras enabled versus 3.6
all public email options are shut off
all registered members' email options are shut off = members not allowed to use the email feature.
Contact us button is just a mailto link for the email address, not a form or own page.

Oh, and I have .htaccess restricting the renamed admin folder to my own IP only.
#5
09-17-2013, 04:45 AM
ForceHSS
Join Date: Apr 2008
Posts: 6,357

In User Group permissions there are a few options for Can Use Email to Friend; make sure these are off.
#6
09-17-2013, 04:46 AM
mefromspace
Join Date: Aug 2004
Posts: 33

Quote (Originally Posted by smirkley):
You may want to check for any open relays on your mailserver too.
Just asked my hosting and they wrote:

Steven Davis: it is not configured as an open relay. It is only relaying emails from the server.

--------------- Added 09-17-2013 at 05:49 AM ---------------

Quote (Originally Posted by ForceHSS):
In User Group permissions there are a few options for Can Use Email to Friend; make sure these are off.
I just double checked and it is set to NO for both guests and registered users.
#7
09-17-2013, 04:57 AM
smirkley
Join Date: Apr 2008
Posts: 627

I have noticed on my vb4.2.0pl3 build that setting that to off, for some reason, only applies itself to the guests, even though it is set off for members too. Members still have access, even unconfirmed members. I know that isn't an add-on issue, but I removed the functionality physically from my setup. It doesn't sound like you are getting this from registered members though, from what I can tell.
#8
09-17-2013, 05:12 AM
mefromspace
Join Date: Aug 2004
Posts: 33

Quote (Originally Posted by smirkley):
I have noticed on my vb4.2.0pl3 build that setting that to off, for some reason, only applies itself to the guests, even though it is set off for members too. Members still have access, even unconfirmed members. I know that isn't an add-on issue, but I removed the functionality physically from my setup. It doesn't sound like you are getting this from registered members though, from what I can tell.
Yeah, this seems to be from what they monitored: the register.php file, where you can inject code to use it for sending spam out to the world... Just hope this will get solved, as this is so annoying.

When I try to moderate new awaiting users and click accept on like 10 new users, it takes like 10 min for the page to refresh back to the admin control panel, where before I could accept like 130 new users in 5 seconds. All because of the backlog of the mail queue.

I know we can flush sendmail, but that won't solve the security hole, as the number of queued mails just keeps climbing.
#9
09-17-2013, 06:10 PM
Zachery
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

There is no such code in the default product.
#10
09-17-2013, 06:35 PM
nhawk
Join Date: Jan 2011
Posts: 1,604

There are two places for each usergroup where email can be sent.

1) Can Use Email to a Friend
2) Can Email Members

Be sure both of those are turned off for these usergroups:

Unregistered/Not Logged In
Users Awaiting Email Confirmation
Users Awaiting Confirmation

and optionally:
Registered Users
Any other usergroups you want to turn it off for.

If mail is still being sent out after doing that, then it's one of four things:

1) You have an add-on that's sending the mail.
2) Your mail account has been hacked.
3) Your site has been hacked.
4) Your server itself has been hacked.