LinuxQuestions.org
Forums > Linux Forums > Linux - Security
Old 10-07-2010, 04:45 AM   #1
Patric.F
Apache exploited to send out spam from Mailform on site.


Hi!

I have a server with a couple of sites on it.
Some of them have a webform where people can send them emails saying that they are interested in their work etc., though the "To:" and "From:" addresses can't be changed by the end user; you can only enter text and press send.
However, it seems that someone (not on the server) has found a hole/exploit to use those webforms to send mails to whoever he wants.

I have the webserver setup with ssmtp (simple smtp) and it just forwards the mail sent from the server to my mail-server and there on it sends it out on the internet.

If I check my log on the mail-server I can see the whole SMTP session, where it's coming from and where it's going etc.
I see that it comes from my webserver and over there I only have these log entries:

Oct 6 22:04:47 ettan2 sSMTP[1771]: Sent mail for itaumail@itau.com.br (221 2.0.0 Bye) uid=204 username=torget outbytes=3290

There are loads of those log entries, mostly after office hours, between 17:00 and 7:00.

I have scanned through all the Apache logs and can't find anything that points to the e-mail addresses used or something like that.


The reason I found this out was because he tries to send to a host that doesn't allow connection on port 25 so all the mails got stuck in the queue, over 1000 atm..

I'm using Apache 2.2 and Postfix 2.6 on a Debian Lenny install.
What can I do to find out how he's doing this and close the "exploit"?

How would you recommend setting up the mail() thing in PHP for the most security?


Thanks,
-Patric
 
Old 10-07-2010, 05:57 AM   #2
unSpawn
Quote:
Originally Posted by Patric.F
I have a server with a couple of sites on it.
How many exactly?


Quote:
Originally Posted by Patric.F
Some of them have a webform
How many exactly? Are they home-brewed scripts? Do you have copies of them? Do they run any other applications like forum or web log software, et cetera? Do processes look OK by name? Are there any oddly owned files in their docroots or directories holding temporary files? Do user logins check out OK? And when did this start happening?


Quote:
Originally Posted by Patric.F
I have scanned through all the Apache logs and can't find Anything that point to the e-mail addresses used or something like that.
If you want help with that, host or upload a compressed tarball with the logs for us to D/L? Or run 'logwatch' on all of the logs and then pastebin or docs.google the report?
 
Old 10-07-2010, 07:44 AM   #3
Patric.F
Quote:
Originally Posted by unSpawn
How many exactly?
I have something like 70 domains, but most of them are really small sites with just one front page with contact info. I would guess that at least 15 of them are more complicated than that.

Quote:
Originally Posted by unSpawn
How many exactly? Are they home-brewn scripts? Do you have copies of them? Do they run any other applications like forum or web log software, et cetera? Do processes look OK by name? Are there any oddly owned files in their docroots or directories holding temporary files? Do user logins check out OK? And when did this start happening?
At least around 7 sites have a webform of some sort; most of them, I guess, they have made themselves or a web designer made for them.

Quote:
Originally Posted by unSpawn
If you want help with that host or upload a compressed tarball with the logs for us to D/L? Or run 'logwatch' on all of the logs and then pastebin or docs.google the report?
I can report the logs to pastebin but I'm not sure that the logs tell that much..
Right now I have this for every vhost:
Code:
TransferLog /var/log/apache2/vhost-domain.log
How do you recommend logging for every vhost so that I can see as much as possible of what's going on?

Web serving isn't my main task; I started hosting a mail server and then just added some websites for people who wanted them, so my knowledge isn't that great when it comes to Apache.

In apache.conf I have:

Code:
LogLevel warn

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent


ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
I don't know if that's optimized, so if you can recommend something better please do!

I was hoping I could get better logging by tonight so if he tries again, I would see it more noticeably.
I've checked the logs on the webserver by the same time the mails got sent from the mailserver and can't find anything that would show that a site is doing something..
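One way to do the timestamp correlation described in this post as a script, matching each sSMTP "Sent mail" entry against the vhost_combined access log to find which vhost and script was POSTed to just before each send; this is an added example, not code from the thread. It assumes both logs come from the same host in the same local time, a syslog year of 2010, and the constructed sample lines embedded below; the username field of the sSMTP line is the Unix account the mail was sent as, which with per-site users already narrows the search.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread): sSMTP "Sent mail" and Apache vhost_combined formats.
SSMTP_LOG = """\
Oct  6 22:04:47 ettan2 sSMTP[1771]: Sent mail for victim@example.net (221 2.0.0 Bye) uid=204 username=torget outbytes=3290
Oct  6 22:05:02 ettan2 sSMTP[1790]: Sent mail for other@example.org (221 2.0.0 Bye) uid=204 username=torget outbytes=3301
"""
APACHE_LOG = """\
torget.example.com:80 203.0.113.5 - - [06/Oct/2010:22:04:45 +0200] "POST /images/thumbs.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
torget.example.com:80 198.51.100.9 - - [06/Oct/2010:22:04:50 +0200] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
torget.example.com:80 203.0.113.5 - - [06/Oct/2010:22:05:01 +0200] "POST /images/thumbs.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
other.example.com:80 198.51.100.9 - - [06/Oct/2010:21:30:00 +0200] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""
# Timestamp, recipient and username: the Unix account the mail was sent as,
# which with per-site users already narrows the hunt to that user's vhosts.
SSMTP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sSMTP\[\d+\]: Sent mail for (\S+) .*?username=(\S+)")
# vhost_combined "%v:%p %h %l %u %t \"%r\" ..." -> vhost, client, time, method, path
APACHE_RE = re.compile(r'^(\S+):\d+ (\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def parse_ssmtp(text, year=2010):
    """(timestamp, recipient, username) per 'Sent mail' line; syslog has no year (2010 assumed)."""
    sent = []
    for m in filter(None, map(SSMTP_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        sent.append((ts, m.group(2), m.group(3)))
    return sent

def parse_apache(text):
    """(timestamp, vhost, client_ip, method, path) per request. Both logs are
    assumed to be in the same local time, so the UTC offset is dropped."""
    reqs = []
    for m in filter(None, map(APACHE_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(3).split()[0], "%d/%b/%Y:%H:%M:%S")
        reqs.append((ts, m.group(1), m.group(2), m.group(4), m.group(5)))
    return reqs

def correlate(ssmtp_text, apache_text, window=timedelta(seconds=5)):
    """Count, per (vhost, path, client), the POSTs that hit the web server in the
    `window` before each mail send. A mailer is submitted, not fetched, so GETs
    are ignored; the entry that tops the count is the script to go and read."""
    hits = Counter()
    reqs = parse_apache(apache_text)
    for sent_at, _rcpt, _user in parse_ssmtp(ssmtp_text):
        for ts, vhost, ip, method, path in reqs:
            if method == "POST" and sent_at - window <= ts <= sent_at:
                hits[(vhost, path, ip)] += 1
    return hits
```

On the sample input the only entry is torget.example.com /images/thumbs.php from 203.0.113.5 with a count of 2; on a real server, feed it the mail-server log for one busy hour and the matching vhost log, as suggested earlier in the thread.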
 
Old 10-07-2010, 08:09 AM   #4
unSpawn
Quote:
Originally Posted by Patric.F
Around at least 7 sites has a webform of some sort, most of them I guess they have made them self or a webdesigner made For them.
OK, but you only answered 2 out of 8 questions in that part of my reply. For efficiency's sake please be precise, complete and verbose in your replies.


Quote:
Originally Posted by Patric.F
I can report the logs to pastebin but I'm not sure that the logs tell that much.
Right now I only want to check for indications of remote users trying to exploit scripts by the requests they send. If you're uncomfortable hosting logs or posting reports publicly you're invited to email me the location of your tarball drop-off privately. It would help if you limit logs to a certain hour in which events happened or at most a 24 hour period.


Quote:
Originally Posted by Patric.F
How do you recommend logging for every vhost so that I can see as much as possible whats going on?
This isn't the time to talk optimizations so AFAIK combined logging should do for now.
 
Old 10-07-2010, 08:52 AM   #5
Patric.F
He started spamming again and I found out how!

He came from this IP: 189.58.170.198
Don't know if that's a botnet or not.
He had somehow successfully hacked a site that was using Joomla and put out a webform where he could send mail to whoever he wanted.
It was in Portuguese.

I blocked his IP in our router for the moment and I'm now going to check All the websites on my server for the same thing.
I'm glad I found the problem, it's the first time AFAIK that I've had a problem like this, and want to thank you for your help!


If I remember correctly there is some kind of software out there and a database with known botnets, so it blocks them automatically, but I can't remember what it's called.
Do you know?

I'm also going to check the Apache configuration to see if I can make it more secure somehow.


Thanks,
-Patric
 
Old 10-07-2010, 09:14 AM   #6
unSpawn
Quote:
Originally Posted by Patric.F
Don't know if thats a botnet or not.
A single IP doesn't constitute a "botnet".


Quote:
Originally Posted by Patric.F
He had somehow successfully hacked a site that was using Joomla and put out a webform where he could send mail to whoever he wanted. It was in Portuguese.
How exactly?


Quote:
Originally Posted by Patric.F
I'm now going to check All the websites on my server for the same thing.
For what exactly?


Quote:
Originally Posted by Patric.F
If I remember correctly there is some kind of software out there and a database with known botnets, so it blockes them automatically but I can't remember what it's called.
Do you know?
There's Dshield, malware.com.br, malwaredomains.com, emergingthreats.net and other blocklists to extract info from and there's a DNS Blacklist Packet Filter (search Freshmeat.net for "packetbl"). All nice but those should only be added after you addressed more urgent matters. Using blacklists addresses symptoms not causes.




Quote:
Originally Posted by Patric.F
I'm also going to check the Apache configuration to see if I can make it more secure somehow.
Best invest time assessing the integrity of your server, scan locally and remotely for any problems and fix those, before doing that.
 
Old 10-07-2010, 09:38 AM   #7
Patric.F
Quote:
Originally Posted by unSpawn
A single IP doesn't constitute a "botnet".
I know I meant part of a botnet.

Quote:
Originally Posted by unSpawn
How exactly?
He had made a .php form called thumbs.php and put it in some places on the site, but it was a form to send out mail from. Exactly how he did it I'm not sure, but apparently lots of people using Joomla have had problems with people hacking them. So an upgrade is gonna take place on the Joomla sites, plus some security plugins.

Quote:
Originally Posted by unSpawn
For what exactly?
For the thumbs.php file that he used.

Quote:
Originally Posted by unSpawn
There's Dshield, malware.com.br, malwaredomains.com, emergingthreats.net and other blocklists to extract info from and there's a DNS Blacklist Packet Filter (search Freshmeat.net for "packetbl"). All nice but those should only be added after you addressed more urgent matters. Using blacklists addresses symptoms not causes.
Thanks, I'm gonna check those out after I find out how he planted the thumbs.php.



Quote:
Originally Posted by unSpawn
Best invest time assessing the integrity of your server, scan locally and remotely for any problems and fix those, before doing that.
Yeah, I'm gonna scan through all my websites for the same kind of code to see if other sites have been infected.
I'm going to check the mail logs more thoroughly in the next couple of days to see if he does it again.
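A scan for the planted mailer described in posts 5 and 7, added here as an example and not code from the thread: it walks the docroots and reports PHP files whose mail() recipient comes straight from the request, or that sit next to eval()/decode calls, while leaving a contact form with a hard-coded To: alone. The docroot layout, file names and file contents below are constructed samples written to a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# A hard-coded contact form calls mail("owner@site", ...); a planted mailer
# hands the recipient straight from the request to mail(), or hides the call
# behind eval()/base64_decode(). Both patterns are cheap to grep for.
REQUEST_AS_RECIPIENT = re.compile(r"\bmail\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.I)
MAIL_CALL = re.compile(r"\bmail\s*\(", re.I)
OBFUSCATION = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_docroots(root):
    """Return sorted (relative path, reasons) for PHP files that look like a
    mailer anyone can point at any recipient. Plain contact forms are skipped."""
    findings = []
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: not this script's problem to fix
        reasons = []
        if REQUEST_AS_RECIPIENT.search(src):
            reasons.append("recipient taken from request")
        if MAIL_CALL.search(src) and OBFUSCATION.search(src):
            reasons.append("mail() next to eval/decode")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample docroots (not from the thread) to run the scan on."""
    root = tempfile.mkdtemp()
    samples = {
        "site1/contact.php": '<?php mail("owner@example.com", $_POST["subject"], $_POST["body"]); ?>',
        "site2/images/thumbs.php": '<?php mail($_POST["to"], $_POST["subject"], $_POST["msg"]); ?>',
        "site3/lib.php": '<?php eval(base64_decode("...")); mail($to, $s, $m); ?>',
        "site4/index.php": '<?php echo "hello"; ?>',
    }
    for rel, body in samples.items():
        f = Path(root, rel)
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
    return root
```

On a live server point scan_docroots() at the directory holding the vhost docroots and read every hit by hand; the regexes flag candidates, not proof, and ownership and modification times of the flagged files are the next thing to check.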