Welcome to Geeklog, Anonymous Tuesday, December 24 2024 @ 09:32 pm EST
Geeklog Forums
Posible security issue in admin/mail.php in Geeklog 1.5.2sr6
Page navigation
joelbarrios
Unfortunately, there is not any useful data in access.log and error.log.The only data we have is the mail account used: jeniferbaby4life at yahoo dot com. My website uses Geeklog 1.5.2sr6.
The spammer sent a bilingual message with broken spanish and broken english:
Hello.
My Name is jenifer i want to your profile today at (xx.xxxxxxx.xxx) and i love it i think we can clcik from thier!please i will like you to email me back through my email thus;(xxxxx@xxxxx) am waiting to recive your lovely reply soonest!
Yours
jenifer!
please contact me through my email address so i can give you my picture and tell you my datel have a nice day
--
https://www.AlcanceLibre.org/
https://blog.AlcanceLibre.org/
La libertad del conocimiento al alcance de quien la busca.
Dirk
So in other words, you suspect that they did it through admin/mail.php, but you're not sure? How do you know the email was sent to all users?
Please send us the complete headers of such an email to our security contact.
bye, Dirk
joelbarrios
Hello,
Do you use a captcha on your site?
Yes, CAPTCHA was enabled.
--
https://www.AlcanceLibre.org/
https://blog.AlcanceLibre.org/
La libertad del conocimiento al alcance de quien la busca.
joelbarrios
Me, my wife and all our staff received the mail. Plus a many users sent complaints about the message because it was originated from our web server :-/
I'll ask if somebody kept a copy, but I'm afraid, by now, probably everybody has deleted it.
We revised headers from the message and was originated within the server, as any other mail sent from Geeklog. For the moment I only have forwarded copies from complaints.
For the moment we have resticted the access to all /admin/ using a .htaccess file.
--
https://www.AlcanceLibre.org/
https://blog.AlcanceLibre.org/
La libertad del conocimiento al alcance de quien la busca.
Dirk
I'll ask if somebody kept a copy, but I'm afraid, by now, probably everybody has deleted it.
Geeklog adds some extra headers, e.g. X-Mailer: Geeklog, so that would help to figure out if the mails were really sent through Geeklog.
If you have enough time and patience, you could send emails through the profiles, so it doesn't have to be a problem with the Mail admin function (in fact I doubt it was sent through the admin panel - if you could break into admin/mail.php, you could just as well break into any other admin function).
Also, have you checked your webserver's logfiles? You should be able to tell whether somebody accessed admin/mail.php at the time the emails were sent.
If you have any more information, please let us know.
bye, Dirk
suprsidr
Are you using the newsletter plugin?
-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
joelbarrios
@joelbarrios
Are you using the newsletter plugin?
-s
No. Actually, we have deactivated many plugins.
--
https://www.AlcanceLibre.org/
https://blog.AlcanceLibre.org/
La libertad del conocimiento al alcance de quien la busca.
suprsidr
-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
joelbarrios
The relevant data is:
X-Mailer: Geeklog 1.5.2sr6
X-Originating-IP: 41.214.123.71
IP Address is from Senegal.
--
https://www.AlcanceLibre.org/
https://blog.AlcanceLibre.org/
La libertad del conocimiento al alcance de quien la busca.
joelbarrios
--
https://www.AlcanceLibre.org/
https://blog.AlcanceLibre.org/
La libertad del conocimiento al alcance de quien la busca.
Dirk
The relevant data is:
X-Mailer: Geeklog 1.5.2sr6
X-Originating-IP: 41.214.123.71
So this was NOT sent from admin/mail.php - since as of 1.5.2, we don't include the X-Originating-IP header any more for mails that are sent through the admin interface.
Given the origin, this could very well have been a manual operation. Do you have access to your webserver's logfiles at the time those emails were sent? Oh, and did you compare the times on several of those emails? I.e. are they a few minutes apart or all sent at the same time?
bye, Dirk
joelbarrios
Let me confirm, seems at least a hundered users were mailed (we have +2400 registered users, and list purged every week). This made us think it could heve been done from admin/mail.php. CAPTCHA was enabled at Website. I'll ty to check access_log to determine time between first and last email sent. It will take some time, because I have no admin access to my sponsor's server and there are really big logs.
After the issue, we updated to captcha 3.3.0. The day spam happened, we were using captcha 3.1.2. Maybe script made to exploit a flaw in captcha 3.1.2?
--
https://www.AlcanceLibre.org/
https://blog.AlcanceLibre.org/
La libertad del conocimiento al alcance de quien la busca.
joelbarrios
Basically, the culprit accessed the forum on 30/May/2010:09:05:24 -0500 and watched members list:
Then... at 09:05:29 -0500, showing he/she has no-life, started mailing one by one:
After sending last message, then went back to members list and mailed again to next user:
41.214.123.71 - - [30/May/2010:09:06:21 -0500] "GET /captcha/captcha.php?csid=4c0270da8be6&.jpg HTTP/1.1" 200 3321 "http://my-website/profiles.php?uid=3699" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
Mailed users from 3698 ID down to 3323 ID (again, seems his guy/gal has no life). Repeated until 16:03:06 -0500:
Around 30/May/2010:16:03:06 -0500, I detected spam delivered to my mail account and deleted user's account. That day I received lots of complaints about the spam, originated from my website and targeted to resgitered users. We thought it was via admin/mail.php because the large ammount of users affected, and restricted access to /admin directory to allow acces only from certain Latin American countries.
Looking more closely at access_log, we discovered more activity. On June 01 2010 at 21:43 -0500, returned with another browser and started to mail stories util 23:59:10 -0500:
Same day, for unknown reasons, he/she aparently felt interest for open source docs, accessed filemgmt and downloaded a few of files I host there:
mar 01 jun 2010 22:00:05 CDT (anon@41.214.12.37) - Visit.php => Download File:Python_para_todos.pdf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:06 CDT (anon@41.214.12.37) - Visit.php => Download File:Curso-Ubuntu-por-SinWindows.tar.bz2, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:06 CDT (anon@41.214.12.37) - Visit.php => Download File:linwin.pdf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:06 CDT (anon@41.214.12.37) - Visit.php => Download File:compaq-armada-m300-kernel-2.6.26.tar.bz2, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:07 CDT (anon@41.214.12.37) - Visit.php => Download File:config-kernel-2.6.29.1-3.aaoneA150-D150-AL.gz, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:08 CDT (anon@41.214.12.37) - Visit.php => Download File:acer-aspire-one-xorg-1.0.conf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:08 CDT (anon@41.214.12.37) - Visit.php => Download File:xorg-AAONE-D150.conf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:09 CDT (anon@41.214.12.37) - Visit.php => Download File:slparatinum06.pdf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:09 CDT (anon@41.214.12.37) - Visit.php => Download File:Manual_de_programacion_en_Bash_Shell.zip, User ID is:1, Remote address is: 41.214.12.37
Seems he/she returned on jun 02 2010 at 00:03 and then started to access profiles directly (do not know what he/she did), first the ones starting with number 1:
41.214.12.37 - - [02/Jun/2010:00:03:16 -0500] "GET /profiles.php?uid=10 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:20 -0500] "GET /profiles.php?uid=101 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:22 -0500] "GET /profiles.php?uid=102 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:23 -0500] "GET /profiles.php?uid=103 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:25 -0500] "GET /profiles.php?uid=105 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:24 -0500] "GET /profiles.php?uid=104 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:25 -0500] "GET /profiles.php?uid=106 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:26 -0500] "GET /profiles.php?uid=107 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:26 -0500] "GET /profiles.php?uid=108 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
Etc, etc. etc., Then 20's, 30's, 40's, 50's, 90's and then random users.
41.214.12.37 - - [02/Jun/2010:00:06:57 -0500] "GET /profiles.php?uid=964 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:02 -0500] "GET /profiles.php?uid=3841 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:04 -0500] "GET /profiles.php?uid=637 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:11 -0500] "GET /profiles.php?uid=2752 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:13 -0500] "GET /profiles.php?uid=637 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:18 -0500] "GET /profiles.php?uid=435 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:25 -0500] "GET /profiles.php?uid=3603 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS
Nobody complained since sunday. Do not know what he/she did or intended to do.
On 02/Jun/2010:00:07:25 -0500 I decided to block 41.214.0.0/16 (I don't care about Senegal. My target audience is in Latin America and Spain).
Again, my apologies for blamming admin/mail.php.
Never realized that actually there were people with so much time to spare to do something like this.
--
https://www.AlcanceLibre.org/
https://blog.AlcanceLibre.org/
La libertad del conocimiento al alcance de quien la busca.
suprsidr
And the same pattern repeats day after day after day...... Different IP every day but in the same range.
I had thought (at one time) that geeklog sites were being targeted as the same requests were being tried / specifically geeklog directories(unproven)
But my *bsd machine does not allow directory listings and such so no fruit for the hacker?
Losers with plenty of time on their hands :
Hey what good does it do to send 1000's of the same message to the same email account? I ignored the 1st thousand, maybe I'll latch onto the 100,000th?
Spammers have a whole other mentality.
Shoot 'em all.
-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
Dirk
I have analized the access_log file. It's pretty huge output to post here (787 lines). So, this is a summary:
(...)
Never realized that actually there were people with so much time to spare to do something like this.
Thanks for the analysis.
If you've never heard of those people before, you may want to read up on the "Nigeria" or "419" scammers. They seem to have some criminal energy, a lot of time and patience, but not a very good grasp of technology ...
geeklog.net was also a target of those guys on occasion. At one point, I had the entire 41.0.0.0/8 blocked here, which was an over-reaction but I didn't know how else to stop them
bye, Dirk
scarecrow
In the past I've had some headaches related to the "DTS Agent" which, if I recall correctly, was/is associated with an email address harvester bot. Something like the "Beijing Address Collector" or something similar.
*After-thought: I'm pretty sure that Bad Behavior blocks that agent
ironmax
I have analized the access_log file. It's pretty huge output to post here (787 lines). So, this is a summary:
Nobody complained since sunday. Do not know what he/she did or intended to do.
On 02/Jun/2010:00:07:25 -0500 I decided to block 41.214.0.0/16 (I don't care about Senegal. My target audience is in Latin America and Spain).
Again, my apologies for blamming admin/mail.php.
Never realized that actually there were people with so much time to spare to do something like this.
This is a very good reason why I have all mail copied from the site to a mailbox in the domain. This way I can monitor any BS the spammers are doing if and when they decide to try and attack me. This has only happened to me once several years ago and I plugged the leak.
Michael
Spacequad AntiSpam Services
Thunder Bay, Ontario
suprsidr
http://www.phpclasses.org/package/6112-PHP-Accept-or-deny-requests-depending-on-IP-address.html
If included at the very beginning of lib-common.php one could easily deny a whole IP range or single IPs before any of the rest of the gl system has to load.
So it would preempt the Ban pugin and all other methods of IP screening/filtering.
This guy even included a great BSOD you could serve up to banned surfers.
-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
Laugh
ON a related note,I would also like to expand the Ban plugin at some point to create rules for visitors to prevent people from downloading entire sites with bots.
Now all I need is the time
One of the Geeklog Core Developers.
Page navigation
- Normal Topic
- Sticky Topic
- Locked Topic
- New Post
- Sticky Topic W/ New Post
- Locked Topic W/ New Post
- View Anonymous Posts
- Able to post
- Filtered HTML Allowed
- Censored Content