[TriLUG] system inexplicably sending spam (RESOLVED PART B)

Blackburn, Marvin mblackburn at glenraven.com
Wed Dec 5 08:13:44 EST 2007

This turned out to be a configuration option setting that we weren't aware
of.  It allows URLs to be treated as files in PHP.

You should disable allow_url_fopen in the php.ini file:
; Disable allow_url_fopen for security reasons
allow_url_fopen = Off

The setting can also be disabled in apache's httpd.conf file:

# Disable allow_url_fopen for security reasons
php_flag  allow_url_fopen  off

Someone was entering a URL that executed a web page that sent all this mail.
It was coming from a lot of IP addresses, so tracking it was very hard.

Thanks for the help.

Blackburn, Marvin wrote:
> This sounds all very familiar.   Thank you
>
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On Behalf
> Of Steve Hoffman
> Sent: Sunday, December 02, 2007 2:44 PM
> To: Triangle Linux Users Group General Discussion
> Subject: Re: [TriLUG] system inexplicably sending spam
>
> I ran a server that hosted a website with a "contact us" form.  The issue
> turned out to be header injection of the form in one case...the developers
> fixed that and later I found that someone had taken the source of the page,
> created a local copy and simply posted their spam message with injections
> directly to our server...I put a php page that intercepted all messages and
> filtered out any that weren't legit (i.e. no bcc fields allowed, no CC
> fields allowed, only one recipient that was in a predefined list, etc.).
>
> It was a bit tricky to track it all down, but ultimately the apache logs shed
> a lot of light on it (POSTs from the IP where the spam was originating) and
> it was all confirmed with a wireshark trace as to exactly what was
> happening.
>
> HTH
> Steve
>
> On Dec 2, 2007 2:17 PM, Blackburn, Marvin <mblackburn at glenraven.com> wrote:
>
>   
>> We have a server that does not allow incoming SMTP traffic into it from
>> the outside.  We have a sendmail running on a RHEL 3 update 7 with the latest
>> sendmail available through Red Hat.
>> In addition, sendmail is configured only to accept email from the local
>> host: 127.0.0.1.  Late Friday, the system started sending spam via
>> sendmail.
>> The only connections from outside that are allowed are through http and
>> https (ports 80 and 443).  We cannot determine what is generating the
>> email.
>> We can see it being sent, but can't determine the process that's
>> responsible.
>>
>> Any help would be appreciated in finding what might be causing it.  This
>> server is a web server.
>>
>>
>>
>> _____________________________________
>> "He's no failure. He's not dead yet."
>> William Lloyd George
-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
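Steve's filter (no Bcc or Cc fields, one recipient from a predefined list) and his Apache-log triage (POSTs to the form from the IPs the spam came from) can both be shown in a few lines. The following is an added example written for this archive page, not code from the thread or from any TriLUG member's server: the form submissions, the allow list and the access-log lines are all constructed sample data, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample data (not from the thread): one contact-form submission
# with an injected Bcc header, one clean submission, and a few Apache
# combined-format access-log lines using documentation IP ranges.
INJECTED_FORM = {
    "name": "Alice",
    "email": "alice@example.com\r\nBcc: victim1@example.net, victim2@example.net",
    "subject": "Hello",
    "message": "Please call me.",
}
CLEAN_FORM = {
    "name": "Alice",
    "email": "alice@example.com",
    "subject": "Hello",
    "message": "Please call me.",
}
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}

SAMPLE_LOG = """\
203.0.113.5 - - [02/Dec/2007:14:01:02 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "curl/7.16"
203.0.113.5 - - [02/Dec/2007:14:01:03 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "curl/7.16"
198.51.100.7 - - [02/Dec/2007:14:02:10 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Dec/2007:14:02:11 -0500] "POST /contact.php HTTP/1.1" 200 512 "http://www.example.com/contact.html" "Mozilla/5.0"
203.0.113.5 - - [02/Dec/2007:14:01:04 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "curl/7.16"
"""

# A CR or LF in any value that ends up in a mail header lets the submitter add
# headers of their own (Bcc, Cc, extra To): the header injection Steve describes.
_CRLF = re.compile(r"[\r\n]")
# Header names we never accept at the start of a line inside a field value.
_FORBIDDEN = re.compile(r"^(bcc|cc|to|content-type):", re.IGNORECASE | re.MULTILINE)
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def has_header_injection(value: str) -> bool:
    """True if a header-bound field contains line breaks or injected header names."""
    return bool(_CRLF.search(value)) or bool(_FORBIDDEN.search(value))


def validate_contact_form(fields: dict, recipient: str, allowed_recipients: set) -> tuple:
    """Apply the allow-list policy: one recipient from a fixed list, no injected headers.

    Returns (accepted, reason) so the caller can log why a submission was dropped.
    """
    if recipient not in allowed_recipients:
        return (False, "recipient not in allow list")
    for name in ("name", "email", "subject"):  # the fields that reach mail headers
        if has_header_injection(fields.get(name, "")):
            return (False, f"header injection in {name}")
    if not _EMAIL.match(fields.get("email", "")):
        return (False, "malformed sender address")
    return (True, "ok")


# client-ip ident user [timestamp] "METHOD path protocol" status ...
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def count_posts_per_ip(log_text: str, path: str) -> Counter:
    """Count POST requests to `path` per client IP: a quick Apache access-log triage."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if m and m.group(2) == "POST" and m.group(3) == path:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    print(validate_contact_form(INJECTED_FORM, "sales@example.com", ALLOWED_RECIPIENTS))
    print(validate_contact_form(CLEAN_FORM, "sales@example.com", ALLOWED_RECIPIENTS))
    print(count_posts_per_ip(SAMPLE_LOG, "/contact.php").most_common())
```

The CR/LF check is the one that matters: without a line break the submitter cannot start a new header at all, so the forbidden-name check is defence in depth (and it will also reject a legitimate subject that begins with "To:", which is an acceptable trade-off for a contact form). The log triage only counts POSTs; in practice you would also compare the per-IP counts against the sendmail log timestamps, as Steve did, before blocking anything.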
