Posted on: 06/06/10 11:27pm
By: joelbarrios
Somehow an unprivileged user, using a newly created regular user account, managed to access the mail component and sent one spam message to all users registered at the website. How this user did it is still a mystery to me. What I can presume, for the moment, is that there could be a flaw in the admin/mail.php component, since it is the only thing I think could be used to send an email to every registered user.
Unfortunately, there is no useful data in access.log and error.log. The only data we have is the mail account used: jeniferbaby4life at yahoo dot com. My website uses Geeklog 1.5.2sr6.
The spammer sent a bilingual message with broken Spanish and broken English:
xxxxx@xxxxx
Hello.
My Name is jenifer i want to your profile today at (xx.xxxxxxx.xxx) and i love it i think we can clcik from thier!please i will like you to email me back through my email thus;(xxxxx@xxxxx) am waiting to recive your lovely reply soonest!
Yours
jenifer!
please contact me through my email address so i can give you my picture and tell you my datel have a nice day
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/07/10 02:18am
By: ::Ben
Hello,
Do you use a captcha on your site?
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/07/10 03:57am
By: Dirk
Quote by: joelbarrios: What I can presume, for the moment, is that there could be a flaw in the admin/mail.php component, since it is the only thing I think could be used to send an email to every registered user.
So in other words, you suspect that they did it through admin/mail.php, but you're not sure? How do you know the email was sent to all users?
Please send us the complete headers of such an email to our security contact.
bye, Dirk
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/07/10 11:52am
By: joelbarrios
Quote by: cordiste: Hello,
Do you use a captcha on your site?
Yes, CAPTCHA was enabled.
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/07/10 12:05pm
By: joelbarrios
Quote by: Dirk: So in other words, you suspect that they did it through admin/mail.php, but you're not sure? How do you know the email was sent to all users?
Me, my wife and all our staff received the mail. Plus many users sent complaints about the message because it originated from our web server :-/
Quote by: Dirk: Please send us the complete headers of such an email to our security contact.
bye, Dirk
I'll ask if somebody kept a copy, but I'm afraid, by now, probably everybody has deleted it.
We reviewed the headers of the message and it originated within the server, like any other mail sent from Geeklog. For the moment I only have forwarded copies from the complaints.
For the moment we have restricted access to all of /admin/ using a .htaccess file.
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 03:28am
By: Dirk
Quote by: joelbarrios: I'll ask if somebody kept a copy, but I'm afraid, by now, probably everybody has deleted it.
Geeklog adds some extra headers, e.g. X-Mailer: Geeklog, so that would help to figure out if the mails were really sent through Geeklog.
If you have enough time and patience, you could send emails through the profiles, so it doesn't have to be a problem with the Mail admin function (in fact I doubt it was sent through the admin panel - if you could break into admin/mail.php, you could just as well break into any other admin function).
Also, have you checked your webserver's logfiles? You should be able to tell whether somebody accessed admin/mail.php at the time the emails were sent.
If you have any more information, please let us know.
bye, Dirk
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 11:15am
By: suprsidr
@joelbarrios
Are you using the newsletter plugin?
-s
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 01:34pm
By: joelbarrios
Quote by: suprsidr: @joelbarrios
Are you using the newsletter plugin?
-s
No. Actually, we have deactivated many plugins.
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 01:37pm
By: suprsidr
Just making sure they weren't somehow sending through the newsletter's mail.class, which is different from GL's.
-s
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 01:41pm
By: joelbarrios
Dirk, I have finally managed to get a copy of the message, but I can't publish it here, because spamx says it's spam.
The relevant data is:
X-Mailer: Geeklog 1.5.2sr6
X-Originating-IP: 41.214.123.71
The IP address is from Senegal.
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 01:56pm
By: joelbarrios
I have sent full message source to geeklog-security at lists dot geeklog dot net.
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 02:18pm
By: Dirk
Quote by: joelbarrios
The relevant data is:
X-Mailer: Geeklog 1.5.2sr6
X-Originating-IP: 41.214.123.71
So this was NOT sent from admin/mail.php, since as of 1.5.2 we don't include the X-Originating-IP header any more for mails that are sent through the admin interface.
Given the origin, this could very well have been a manual operation. Do you have access to your webserver's logfiles at the time those emails were sent? Oh, and did you compare the times on several of those emails? I.e. are they a few minutes apart or all sent at the same time?
bye, Dirk
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 03:27pm
By: joelbarrios
Thank you, Dirk. You are right. My apologies for blaming admin/mail.php.
Let me confirm: it seems at least a hundred users were mailed (we have 2400+ registered users, and the list is purged every week). This made us think it could have been done from admin/mail.php. CAPTCHA was enabled on the website. I'll try to check access_log to determine the time between the first and last email sent. It will take some time, because I have no admin access to my sponsor's server and the logs are really big.
After the issue, we updated to captcha 3.3.0. The day the spam happened, we were using captcha 3.1.2. Maybe a script was made to exploit a flaw in captcha 3.1.2?
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 04:45pm
By: joelbarrios
I have analyzed the access_log file. It's too much output to post here (787 lines), so this is a summary:
Basically, the culprit accessed the forum on 30/May/2010:09:05:24 -0500 and viewed the members list:
41.214.123.71 - - [30/May/2010:09:05:24 -0500] "GET /profiles.php?uid=3698 HTTP/1.1" 200 27628 "http://my-website/forum/memberlist.php?&show=100&order=1&prevorder=0&direction=desc&chkactivity=0&page=24" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
Then, at 09:05:29 -0500, showing he/she has no life, started mailing users one by one:
41.214.123.71 - - [30/May/2010:09:05:29 -0500] "GET /captcha/captcha.php?csid=4c0270a5499a&.jpg HTTP/1.1" 200 2869 "http://my-website/profiles.php?uid=3698" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
After sending the last message, he/she went back to the members list and mailed the next user:
41.214.123.71 - - [30/May/2010:09:06:17 -0500] "GET /profiles.php?uid=3699 HTTP/1.1" 200 27633 "http://my-website/forum/memberlist.php?&show=100&order=1&prevorder=0&direction=desc&chkactivity=0&page=24" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
41.214.123.71 - - [30/May/2010:09:06:21 -0500] "GET /captcha/captcha.php?csid=4c0270da8be6&.jpg HTTP/1.1" 200 3321 "http://my-website/profiles.php?uid=3699" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
Mailed users from ID 3698 down to ID 3323 (again, it seems this guy/gal has no life). This was repeated until 16:03:06 -0500:
41.214.120.37 - - [30/May/2010:16:03:06 -0500] "GET /profiles.php?uid=3323 HTTP/1.1" 200 22552 "http://my-website/forum/memberlist.php?&show=100&order=1&prevorder=0&direction=desc&chkactivity=0&page=22" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
Around 30/May/2010:16:03:06 -0500, I detected the spam delivered to my mail account and deleted the user's account. That day I received lots of complaints about the spam, which originated from my website and targeted registered users. We thought it was via admin/mail.php because of the large number of users affected, and restricted access to the /admin directory to allow access only from certain Latin American countries.
Looking more closely at access_log, we discovered more activity. On June 01 2010 at 21:43 -0500, he/she returned with another browser and started to mail stories until 23:59:10 -0500:
41.214.12.37 - - [01/Jun/2010:21:43:04 -0500] "GET /profiles.php?sid=renaut-teoria-conspiracion-clase-politic&what=emailstory HTTP/1.1" 200 22378 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
The same day, for unknown reasons, he/she apparently took an interest in open source docs, accessed filemgmt and downloaded a few of the files I host there:
mar 01 jun 2010 22:00:05 CDT (anon@41.214.12.37) - Visit.php => Download File:Implementacion_Servidores_Linux-MARZO-20100315.tar.bz2, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:05 CDT (anon@41.214.12.37) - Visit.php => Download File:Python_para_todos.pdf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:06 CDT (anon@41.214.12.37) - Visit.php => Download File:Curso-Ubuntu-por-SinWindows.tar.bz2, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:06 CDT (anon@41.214.12.37) - Visit.php => Download File:linwin.pdf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:06 CDT (anon@41.214.12.37) - Visit.php => Download File:compaq-armada-m300-kernel-2.6.26.tar.bz2, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:07 CDT (anon@41.214.12.37) - Visit.php => Download File:config-kernel-2.6.29.1-3.aaoneA150-D150-AL.gz, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:08 CDT (anon@41.214.12.37) - Visit.php => Download File:acer-aspire-one-xorg-1.0.conf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:08 CDT (anon@41.214.12.37) - Visit.php => Download File:xorg-AAONE-D150.conf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:09 CDT (anon@41.214.12.37) - Visit.php => Download File:slparatinum06.pdf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:09 CDT (anon@41.214.12.37) - Visit.php => Download File:Manual_de_programacion_en_Bash_Shell.zip, User ID is:1, Remote address is: 41.214.12.37
It seems he/she returned on Jun 02 2010 at 00:03 and then started to access profiles directly (I do not know what he/she did), first the ones starting with the number 1:
41.214.12.37 - - [02/Jun/2010:00:03:16 -0500] "GET /profiles.php?uid=100 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:16 -0500] "GET /profiles.php?uid=10 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:20 -0500] "GET /profiles.php?uid=101 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:22 -0500] "GET /profiles.php?uid=102 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:23 -0500] "GET /profiles.php?uid=103 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:25 -0500] "GET /profiles.php?uid=105 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:24 -0500] "GET /profiles.php?uid=104 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:25 -0500] "GET /profiles.php?uid=106 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:26 -0500] "GET /profiles.php?uid=107 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:26 -0500] "GET /profiles.php?uid=108 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
Etc., etc., etc. Then the 20's, 30's, 40's, 50's, 90's and then random users.
41.214.12.37 - - [02/Jun/2010:00:06:57 -0500] "GET /profiles.php?uid=3841 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:06:57 -0500] "GET /profiles.php?uid=964 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:02 -0500] "GET /profiles.php?uid=3841 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:04 -0500] "GET /profiles.php?uid=637 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:11 -0500] "GET /profiles.php?uid=2752 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:13 -0500] "GET /profiles.php?uid=637 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:18 -0500] "GET /profiles.php?uid=435 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:25 -0500] "GET /profiles.php?uid=3603 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS
Nobody has complained since Sunday. I do not know what he/she did or intended to do.
On 02/Jun/2010:00:07:25 -0500 I decided to block 41.214.0.0/16 (I don't care about Senegal. My target audience is in Latin America and Spain).
Again, my apologies for blaming admin/mail.php.
I never realized that there were actually people with so much time to spare to do something like this.
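The access_log pattern joelbarrios describes above (a captcha image fetched with a profile page as the Referer, once per target uid, from a single address) is easy to pick out automatically. The following is an added example, not code from the thread or from Geeklog: it parses Apache combined-format lines and flags any source IP that loads more than a set number of distinct profile contact forms within one clock hour. The log lines, IP addresses (documentation ranges), csid values and the threshold are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format, the format of the access_log excerpts above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict; None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def profile_uid(url):
    """Return the uid targeted by a .../profiles.php?uid=N URL, else None."""
    u = urlparse(url)
    if not u.path.endswith("/profiles.php"):
        return None
    return parse_qs(u.query).get("uid", [None])[0]

def find_mail_bursts(lines, max_per_hour=10):
    """Return {ip: [(hour_start, n_profiles), ...]} for IPs that loaded the contact
    form of more than max_per_hour distinct profiles in one clock hour. A contact-form
    load is recognised as a captcha image request whose Referer is a profile page."""
    seen = defaultdict(lambda: defaultdict(set))   # ip -> hour -> {uid, ...}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/captcha/captcha.php"):
            continue
        uid = profile_uid(rec["referer"])
        if uid is None:
            continue
        hour = rec["ts"].replace(minute=0, second=0, microsecond=0)
        seen[rec["ip"]][hour].add(uid)
    flagged = {}
    for ip, hours in seen.items():
        hits = [(h, len(uids)) for h, uids in sorted(hours.items()) if len(uids) > max_per_hour]
        if hits:
            flagged[ip] = hits
    return flagged

def _line(ip, ts, path, referer):
    """Build one constructed combined-format line for the sample below (not real traffic)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 2869 "{referer}" "Mozilla/5.0 (constructed)"'

# Constructed sample: 203.0.113.7 loads the contact form of 12 profiles within one hour
# (the one-by-one pattern from the thread); 198.51.100.9 contacts a single user.
SAMPLE_LOG = [_line("203.0.113.7", f"30/May/2010:09:{6 + i:02d}:21 -0500",
                    f"/captcha/captcha.php?csid=4c02{i:08x}&.jpg",
                    f"http://my-website/profiles.php?uid={3698 - i}") for i in range(12)]
SAMPLE_LOG += [_line("198.51.100.9", "30/May/2010:09:30:00 -0500", "/captcha/captcha.php?csid=abcd&.jpg",
                     "http://my-website/profiles.php?uid=42"), "not a log line"]
```

Running find_mail_bursts(SAMPLE_LOG) reports 203.0.113.7 with 12 contact forms in the hour starting 09:00 -0500 and nothing for 198.51.100.9; the same per-IP-per-hour threshold is what a ban rule would enforce.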
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/08/10 05:01pm
By: suprsidr
I've had literally millions of $_REQUEST(s) like those.
And the same pattern repeats day after day after day... Different IP every day, but in the same range.
I had thought (at one time) that Geeklog sites were being targeted, as the same requests were being tried, specifically Geeklog directories (unproven).
But my *BSD machine does not allow directory listings and such, so no fruit for the hacker?
Losers with plenty of time on their hands.
Hey, what good does it do to send 1000's of the same message to the same email account? I ignored the 1st thousand, maybe I'll latch onto the 100,000th?
Spammers have a whole other mentality.
Shoot 'em all.
-s
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/09/10 05:25am
By: Dirk
Quote by: joelbarrios: I have analyzed the access_log file. It's too much output to post here (787 lines), so this is a summary:
(...)
I never realized that there were actually people with so much time to spare to do something like this.
Thanks for the analysis.
If you've never heard of those people before, you may want to read up on the "Nigeria" or "419" scammers. They seem to have some criminal energy, a lot of time and patience, but not a very good grasp of technology ...
geeklog.net was also a target of those guys on occasion. At one point, I had the entire 41.0.0.0/8 blocked here, which was an over-reaction, but I didn't know how else to stop them.
bye, Dirk
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/09/10 08:13am
By: scarecrow
"Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
In the past I've had some headaches related to the "DTS Agent" which, if I recall correctly, was/is associated with an email address harvester bot. Something like the "Beijing Address Collector" or something similar.
*After-thought: I'm pretty sure that Bad Behavior blocks that agent.
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/09/10 11:00pm
By: Anonymous (ironmax)
Quote by: joelbarrios: I have analyzed the access_log file. It's too much output to post here (787 lines), so this is a summary:
Nobody has complained since Sunday. I do not know what he/she did or intended to do.
On 02/Jun/2010:00:07:25 -0500 I decided to block 41.214.0.0/16 (I don't care about Senegal. My target audience is in Latin America and Spain).
Again, my apologies for blaming admin/mail.php.
I never realized that there were actually people with so much time to spare to do something like this.
This is a very good reason why I have all mail copied from the site to a mailbox in the domain. This way I can monitor any BS the spammers are doing if and when they decide to try and attack me. This has only happened to me once several years ago and I plugged the leak.
Michael
Spacequad AntiSpam Services
Thunder Bay, Ontario
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/13/10 09:54am
By: suprsidr
In this morning's weekly PHP Classes newsletter I found a simple firewall.class which may be of interest.
http://www.phpclasses.org/package/6112-PHP-Accept-or-deny-requests-depending-on-IP-address.html
If included at the very beginning of lib-common.php, one could easily deny a whole IP range or single IPs before any of the rest of the GL system has to load.
So it would preempt the Ban plugin and all other methods of IP screening/filtering.
This guy even included a great BSOD you could serve up to banned surfers.
-s
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/14/10 11:53am
By: Laugh
This type of thing happening is one of the reasons why I hoped the Core Notification Service would have happened this Google Summer of Code. As part of the project, a rule system could have been created to prevent users from sending so many emails per hour/day.
On a related note, I would also like to expand the Ban plugin at some point to create rules for visitors to prevent people from downloading entire sites with bots.
Now all I need is the time.
Re: Possible security issue in admin/mail.php in Geeklog 1.5.2sr6
Posted on: 06/14/10 03:51pm
By: 1000ideen
Quote by: Laugh: On a related note, I would also like to expand the Ban plugin at some point to create rules for visitors to prevent people from downloading entire sites with bots.
What about making a sort of plugin for Bad Behavior? Something like a maximum number of accesses per IP per hour sounds like a good thing.