Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
selma
Hangin' Around


Joined: May 09, 2006
Posts: 31

PostPosted: Mon Jul 09, 2007 4:02 pm Reply with quote

I noticed a couple of days ago a strange blank email, that came from 127.0.0.1 Been watching closely over the past couple of days.

Have a lot of send to friend activity - which could be legitimate.


But this one is definitely not legitimate and NS didn't block the user. Though the IP didn't get blocked, it does show up on the tracked ip list with this activity:

/modules.php?name=Search&topic=7 2007-07-07 @ 08:24:33

Followed 30 seconds later by

/modules.php?name=Search&query=p0hh0nsee%\') and a union calling for aid, pwd from nuke_authors and a couple of other items.

edit: In case it helps, the code was posted twice, the first time an hour before this one. Exact same code entered after the same search.

I don't want to post all of this code here - I can if necessary. Buttheads probably already have it passed around anyway.

Got an email from my own domain this morning selling watches. That's what started me looking closely at the logs.

Blocked that IP which I don't mind posting 85.98.217.16

Don't know what else to do though, they can come back and use a different IP later.

The good part is that the NS logs let me see easily where the problem came from.
----------------------------

Auxillary question. how do you change the pwd so you don't get blocked out of NS?

Change db + cpanel
nuke
NS

Everytime I do it, I get blocked out completely and have to install again with a new password.

Note:

Found this conversation between fckelly and ons last July
Only registered users can see links on this board! Get registered or login!

The code is the same, but difference is no mail generated and no automatic block. In fact I played with it a couple times to get NS to accept the block.

I replaced my RN 2.02 with 2.10 and the last upgrade of Sentinel about a month ago. Which by the way I am loving!
 
View user's profile Send private message
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Mon Jul 09, 2007 9:37 pm Reply with quote

You should send a PM to Raven with the details of the attack.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Tue Jul 10, 2007 6:01 am Reply with quote

selma, I want to try this on a few of my sites as well. Would you please PM me too? Thx.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
selma
PostPosted: Tue Jul 10, 2007 2:16 pm Reply with quote

Thanks, for the advice.

Sending to both...
 
selma
PostPosted: Tue Jul 10, 2007 8:51 pm Reply with quote

Montego,

Thanks again. I unblocked you. Smile

Appreciate you checking and all the right blocking signals came through. Mail, htaccess and you were listed on the block list.

I'm sure you've got some extra blessings coming your way soon!

Selma
 
montego
PostPosted: Wed Jul 11, 2007 7:05 am Reply with quote

Quote:

I'm sure you've got some extra blessings coming your way soon!


I am not concerned about that as that is up to my Father...
And, He is THE MAN!

Wink
 
selma
PostPosted: Wed Jul 11, 2007 8:19 am Reply with quote

... and it's one GOOD feeling to KNOW He's watching out for you.

You have a great day.

Smile
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Wed Jul 11, 2007 10:22 am Reply with quote

So was this a new attack or....?

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Wed Jul 11, 2007 6:03 pm Reply with quote

Related to the send to friend activities look deeper into this you and you´ll find out the real spammer. It isn´t so difficult to recognize their activities through the database, NukeSentinel and the logfiles. I have banned many of those spammers in different ways.
Don´t know your Nuke version but in the earlier versions and without patch this function is a problem.
In RavenNuke we added an extra captcha. So there isn´t a great chance to spam with the send to friend function. It´s over. Smile
 
View user's profile Send private message
selma
PostPosted: Wed Jul 11, 2007 6:45 pm Reply with quote

Gremmie - Montego checked the problem on my server and was blocked and the mail came through with notification.

I don't want to guess at anything further, cause that's all it would be, a guess.

Susann,

You are absolutely right. I blocked the entire range of 74.6.0.0 ips today and cut out 50 - 60 visitors from two sites immediately. Couldn't tell right away from the one site, but noticed the same numbers from another, one arts, one construction. And they just sat there all day, slight variations but always 74.6.....

And noticed the same range at another site, blocked by NS.

I'm using the latest RN

But I put on the pc killer today, watching for violators is getting on my nerves and uses up way too much time.

Wanted to err on the side of caution, and not cause an innocent to get caught but at this point I have - correct that - HAD more spammers on site than honest visitors.

Such an irritation!
 
montego
PostPosted: Wed Jul 11, 2007 9:37 pm Reply with quote

yes, the UNION attack was quite "traditional". NS stops it cold. No worries on this specific one...
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Fri Jul 13, 2007 8:17 am Reply with quote

selma wrote:

You are absolutely right. I blocked the entire range of 74.6.0.0 ips today and cut out 50 - 60 visitors from two sites immediately.


You just blocked Yahoo's Inktomi search engine. It won't matter so much, as long as you don't want your site to be indexed by Yahoo

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
selma
PostPosted: Mon Jul 23, 2007 1:25 pm Reply with quote

lol - yes, I noticed that.

I unblocked them and they are back in full force, many times a day.

Talk about being paranoid.

Think I found my problem though.

Noticed that I don't get mail deamon messages when my Outlook 03 is not open. So started closing it down except to check for new mail, a hassle, but evidently cuts my particular spammers ability to send way down. Only get 3 returns a day as opposed to 30 or more - and these seem to be an hour or so after I've opened to check the mail.

Looks like I have to spring for the 07 Outlook.

But then I wondered about something else. I'm using the Contact Plus module. NS still blocks mail that has scripts from getting through, but the original intended mail is stored in the database, evidenced by the fact that the actual text can be found in the tracked IP tables.

Anyone have a clue about how to find all of the attempted mail sends so they can be deleted?

That one is a long shot - but "it could happen".
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Mon Jul 23, 2007 3:05 pm Reply with quote

I've reread the entire thread but I don't really understand what you are saying. Why does your closing Outlook '03 stop spammers? You definitely should not have to buy Outlook '07 just to stop that. Or, if you do, I would be very interested in knowing why for my own reasons (I have 03 and have considered '07 but I hate the fact that MS has made it an "extra" instead of putting it in their Student and Teacher's editions). If a spammer has hooks into your email software you have deeper problems than what is posted here.

I just started using the tracked IP feature myself but it just appears to keep a chronological record of selected activity ... sort of a log file on steroids. If the "actual text" you referred to is a post string it will get stored and you can look it up later. I would not worry about deleting them from the tracked_ip table.
 
View user's profile Send private message Visit poster's website
selma
PostPosted: Tue Jul 24, 2007 6:03 am Reply with quote

Hi fkelly,

I'm trying to track where my problem with spam that comes from my domain is originating from.

Comcast claims it isn't from my net connection, though there was a problem a month ago with attacks on my modem that forced them to shut it down for a couple of hours at a time.

I get a bit suspicious at times, but I wondered why did the attacks stop? Did the attacker just give up? Did Comcast's wonderful tech team stop them? Or did they find access somewhere?

In the headers, I can see that much of the mail had an Outlook X-Mailer in common, and a specific version number is listed. Like this:

X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028

Having a vague memory of a problem like this on change over of the last version of Outlook, I wanted to see if the fact that my Outlook was always open on my computer had any impact on that spam originating from my domain.

Though I'm a bit slower in reacting to legitimate mail, the last one I received with the X-Mailer listed as above was about a week and a half ago, when I started the test.

I still get bounces, but they are lighter in frequency, and they are originating from .de and they seem to come within an hour or two after I open and check the mail. Blocked .de and now I can't see a pattern as they seem to come from all over. One time Russia, one time Viet Nam, not enough to block the who area though.

Between Friday and Sunday I received less than 10 returns. Two weeks before, I got that many back on a Friday afternoon.

I also believe it is a particular or one spammer because all the mail is similar. Has very little text and includes a text file and a pdf file attachment, which I haven't opened so I don't know what they contain.

Checked with my host, who is looking for obvious mail script files on my file system, but I watch that fairly closely since I had this problem on the same domain maybe three years ago.

That is why I thought that one of the strings that were posted to mail and still residing on the system might contain something that allowed this person(s) to access the server.

---------------------------

If the "actual text" you referred to is a post string it will get stored and you can look it up later. I would not worry about deleting them from the tracked_ip table.

----------------------

Those tracked IP files are huge so I definitely didn't relish the idea of sorting through them. Thanks.

I have the same problem with buying the new Outlook as it isn't bundled even with the professional office system. So to upgrade you need the office system and a stand alone Outlook.

I'll get it sorted eventually. But I have to admit I feel a bit out of the loop without my instant notification of mail since Outlook isn't open.

May all spammers rot and burn ...
 
evaders99
PostPosted: Tue Jul 24, 2007 7:47 am Reply with quote

You're now saying your web server is being used to host email spam?

How do you know spam is being generated from your server? Do you have the logs with the actual source coming from your machine?
(And not just the return address.. those are easily spoofed)
 
fkelly
PostPosted: Tue Jul 24, 2007 8:22 am Reply with quote

I'm puzzled too. I'm not sure how your Outlook being open could open the door to spam. Unless your own PC is compromised -- that is they have hooks into your Outlook. Do you have Windows Defender running or something similar? I'd run a scanner like that if you think someone has broken into your computer.
 
selma
PostPosted: Tue Jul 24, 2007 10:00 am Reply with quote

How do you know spam is being generated from your server? Do you have the logs with the actual source coming from your machine?

This part I know because I get the mail daemon messages, and a few requests from people with spam blockers to verify that the spam I sent them is from an ok address.

If the mail is only spoofing my address, I would only get those mails addressed to someone at my domain, which I have plenty of, and not the ones that are returned to sender... Is that correct?

I can't prove that the mail is attached to the Outlook use, the only thing I can prove is that I get a lot less of them if my Outlook is not open. The regular spam I can live with and just block,

But I've already bought dedicated IP's through comcast to keep the domain off the spamhaus list because of mail send problems. We don't even send mail from that domain except 2 months out of the year.

Then the other thing I thought of was just shutting down mail from the domain all together and using another throw away domain. Then when I see a problem starting, I can just move to another.

So I'm going to send the two of you the latest headers by way of pm, If you would look at it I'd appreciate it - cause it's bugging the heck out of me.

p.s.

Forgot to add,

I run Norton 07 every 24 hours,
spybot no less than every 48 hours but sometimes every 8 hours (which catches more than Norton)

Have RN 2.10.0 running on the site Spam Blocker (which catches a bunch of other stuff, but not this)

and NS 2.5.08
 
Gremmie
PostPosted: Tue Jul 24, 2007 10:26 am Reply with quote

It sort of sounds like someone is just spoofing your address as the from-address. When these messages bounce, you get the returned mail. But I too am having difficulty understanding your situation... Smile
 
fkelly
PostPosted: Tue Jul 24, 2007 11:02 am Reply with quote

Selma sent a couple of us some mail headers. I'll put a reply here. I noticed a Brazilian IP address (Received: from [201.74.197.191] (port=39511 helo=201-74-197-191-am.cpe.vivax.com.br) in the header. Unless you are from Brazil I'd be very suspicious of this and maybe ask your host to look into it further. In fact, it looks to me like you are going to need to get your host more involved because the problem is probably at their end. Reading and interpreting mail headers is an art in itself and you may well need someone with that specialty to get into this from your host.
 
selma
PostPosted: Tue Jul 24, 2007 11:40 am Reply with quote

Man you guys are fast...

It's a frustrating problem because I couldn't tell if it was something I'm leaving open out of ignorance, or something a lot deeper than I can deal with.

And thanks for that about the mail headers, I gave the host one last week, but I'll send these on as well.

Appreciate the help.
 
montego
PostPosted: Wed Jul 25, 2007 5:57 am Reply with quote

Gremmie wrote:
It sort of sounds like someone is just spoofing your address as the from-address. When these messages bounce, you get the returned mail. But I too am having difficulty understanding your situation... Smile


I am getting the same "feeling" here as I am getting these types of "bounces" myself on a domain where I do not have BoxTrapper set up. These guys have just found your email address (shared list most likely) and are just spoofing the from email address.

I honestly believe Outlook being open is a complete coincidence. However, if you are still not sure, then you have to invest in a tool to scan your PC for the possibility of having been compromised.
 
evaders99
PostPosted: Wed Jul 25, 2007 10:15 am Reply with quote

Hey selma

From what you've sent me, I'm guessing your site is tapology?
None of the email headers actually indicate that the email was created from your server's IP address. They can spoof your email address.

Why do you get bounce messages? Because your address is spoofed in the FROM header. None of the email servers track where it is really coming from, it just assumes the FROM address is correct and sends a bounce.

Your server is probably fine.
 
selma
PostPosted: Wed Jul 25, 2007 11:38 am Reply with quote

Update:

First thanks everyone for the suggestions and advice. And thanks again for the questions along the way.

I sent those 3 headers to my host yesterday at 2 pm as suggested. Haven't heard back from them yet, but I have not received one, not one piece of spam, much less a bounce notice since yesterday around 6 pm. Not on that domain anyway.

Even left Outlook open all morning and I feel like I'm in CONTROL again. Ha Ha!!!

I generally took a lot of time banning IP's, but that one posted above in fkelly's post got banned by NS yesterday afternoon.

Don't know what happened, but I do know it's a lot more fun working without all that junk taunting me every 5 minutes from the mail notification box, singing "ha ha we got you!"
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©