Geeklog Forums
Is lib-common vulnerable?
LewisR
Forum User
Junior
Registered: 06/30/03
Posts: 29
Since upgrading to 1.4.1 (and possibly before; I've just noticed it), I seem to be getting a number of spam messages sent from my own server to me (which bypasses my firewall, traveling behind it). I am using PHP's mail() function for sending mail, which is in turn configured for sendmail (I use CommuniGate Pro's "sendmail" work-alike).
Here's a typical bogus message (I'm seeing about five of these per day, and luckily, according to the logs in my mail server, only to me, so I'm not relaying out - yet):

Return-Path: <some_bogus_address_here@gmail.com>
Received: by 2rosenthals.com (CommuniGate Pro PIPE 5.1.3)
  with PIPE id 1574007; Sat, 29 Dec 2007 12:49:09 -0500
To: Lewis Rosenthal <me@mydomain.com>
Subject: =?utf-8?B?QnV5IFVsdHJhbSBPbmxpbmUhIDUwbWcgMzAgUGlsbHMgb25seSA2MCQhIE5vIFByZXNjcmlwdGlvbiBSZXF1aXJlZC4=?=
From: some_bogus_address_here <some_bogus_address_here@gmail.com>
Date: Sat, 29 Dec 2007 12:49:00 -0500
Content-Type: text/plain; charset=utf-8
X-Mailer: GeekLog 1.4.1
Message-ID: <auto-000001574007@mydomain.com>

(...typical pharmaceutical junk in the body...)

As I currently host several GL sites, it's hard to tell which one is being hit. Here's an entry from my CommuniGate Pro log (different message, but illustrative of the report):

13:32:52.650 2 PIPE [1573227] received in {Submitted\M396200.sub}, 788 bytes
13:32:52.690 2 QUEUE([1573227]) from <some_bogus_address_here@gmail.com>, 788 bytes <auto-000001573227@mydomain.com>)
13:32:52.690 2 QUEUE([1573227]) enqueued
13:32:52.790 2 MAILBOX(mybox/INBOX) [1573227] stored as 146375
13:32:52.790 2 ACCOUNT(mybox) [1573227] delivered
13:32:52.790 2 DEQUEUER [1573227] LOCAL(mybox) delivered: Delivered to the user mailbox
13:32:52.840 2 QUEUE([1573227]) deleted

Wanting to not switch to the custom mail setup in lib-custom just yet, I tweaked lib-common to add the site name to the X-Mailer header in the hope that I may be able to determine which site it is which may have been penetrated. Looking at my GL users, I have not found the address used to send the messages, nor have I seen anyone logged in at the time any of these seem to have come through (I have fairly low traffic sites over here), so I am guessing that someone is able to pass arguments to lib-common.php (admin/mail.php is fairly well protected) to generate the traffic.
Any thoughts on this, or what I might want to do to better lock down my installations?
TIA
Lewis Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Not sure how you're coming to the conclusion that the problem is with lib-common.php?
FWIW, lib-common.php has a simple protection against being called directly (it redirects to index.php). Besides, you would still need some code that actually calls the COM_mail function to send the email. So I'd say you should look elsewhere.
Make sure that you really replaced all the files when you did the upgrade. Make sure you don't have files in your webroot that shouldn't be there (anything outside of Geeklog's public_html directory, for example). Check that all the plugins you're using are up to date.
You could also try and correlate the date and time of those emails with suspicious entries in your webserver logfiles. Also see earlier discussions here and here.
bye, Dirk
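Dirk's suggestion to line up the mail-server timestamps with the web-server log is the quickest way to find which request is triggering the mail. Below is an added example of that correlation, written here for the thread and not code from Geeklog or CommuniGate Pro. It parses QUEUE "from" lines in the CommuniGate format shown above (which carry the time of day only, so the date is supplied by the caller) and Apache combined-format lines, and lists every web request that arrived in the few seconds before each message was queued. The log lines are constructed samples; the client addresses are from documentation ranges and the emailstory URL is a hypothetical path. It assumes both logs use the same local time zone.

```python
import re
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample CommuniGate Pro queue-log lines (same format as in the
# thread, values made up). The log carries time-of-day only, so the caller
# supplies the date.
MAIL_LOG = """\
13:32:52.690 2 QUEUE([1573227]) from <some_bogus_address_here@gmail.com>, 788 bytes <auto-000001573227@mydomain.com>)
13:32:52.690 2 QUEUE([1573227]) enqueued
14:05:10.120 2 QUEUE([1573301]) from <another_bogus_address@example.net>, 801 bytes <auto-000001573301@mydomain.com>)
""".splitlines()

# Constructed Apache combined-format lines for the same day. Addresses are from
# documentation ranges; the emailstory URL is a hypothetical example path.
ACCESS_LOG = """\
203.0.113.5 - - [29/Dec/2007:13:32:50 -0500] "GET /profiles.php?what=emailstory&sid=example_story HTTP/1.1" 200 4211 "-" "Mozilla/4.0"
203.0.113.5 - - [29/Dec/2007:13:32:51 -0500] "POST /profiles.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.9 - - [29/Dec/2007:13:40:02 -0500] "GET /index.php HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2007:14:05:09 -0500] "POST /profiles.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
""".splitlines()

LOG_DAY = date(2007, 12, 29)  # date the sample logs were taken (constructed)

MAIL_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \d+ QUEUE\(\[(\d+)\]\) from <([^>]+)>")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_mail_log(lines, day):
    """Return {queue_id: (datetime, envelope_sender)} for each queued message."""
    events = {}
    for line in lines:
        m = MAIL_RE.match(line)
        if not m:
            continue  # enqueued/delivered/deleted lines carry no sender; skip them
        t = datetime.strptime(m.group(1), "%H:%M:%S.%f").time()
        events[m.group(2)] = (datetime.combine(day, t), m.group(3))
    return events


def parse_access_log(lines):
    """Return a list of (local datetime, client ip, method, path, status)."""
    requests = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        # Keep the wall-clock time as logged; both logs are assumed to be local time.
        requests.append((ts.replace(tzinfo=None), m.group(1), m.group(3), m.group(4), int(m.group(5))))
    return requests


def correlate(mail_lines, access_lines, day, window_seconds=5):
    """For each queued message, list the web requests seen within
    window_seconds before it was queued; those are the candidate triggers."""
    mail = parse_mail_log(mail_lines, day)
    web = parse_access_log(access_lines)
    result = {}
    for qid, (queued_at, sender) in mail.items():
        earliest = queued_at - timedelta(seconds=window_seconds)
        hits = [(ip, method, path) for (ts, ip, method, path, _status) in web
                if earliest <= ts <= queued_at]
        result[qid] = {"sender": sender, "requests": sorted(hits)}
    return result


def top_sources(result):
    """Count how often each client address appears next to a queued message."""
    return Counter(ip for entry in result.values() for ip, _, _ in entry["requests"])


if __name__ == "__main__":
    found = correlate(MAIL_LOG, ACCESS_LOG, LOG_DAY)
    for qid, entry in found.items():
        print(f"queue {qid} from {entry['sender']}:")
        for ip, method, path in entry["requests"]:
            print(f"    {ip} {method} {path}")
    print("clients seen most often:", top_sources(found).most_common(3))
```

A request from one address hitting the same script a second or so before every spam message is queued is the signal to look for; once the script is known, the fix is in that script's access controls, not in lib-common.php.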
LewisR
Forum User
Junior
Registered: 06/30/03
Posts: 29
Thanks for the quick follow-up, Dirk.
Quote by: Dirk
> Not sure how you're coming to the conclusion that the problem is with lib-common.php?

Only because mail.php is inaccessible from the outside without a login.

> FWIW, lib-common.php has a simple protection against being called directly (it redirects to index.php). Besides, you would still need some code that actually calls the COM_mail function to send the email. So I'd say you should look elsewhere.

I know that it's supposed to redirect to index.php (tested that, just to be sure), and with REGISTER_GLOBALS off, it shouldn't be possible to push variables to it from outside, yet, I'm hard pressed to figure out from where these messages are originating (just got a new one this morning, and I see it is from my LI WireFree site, based on the modified X-Mailer).

> Make sure that you really replaced all the files when you did the upgrade. Make sure you don't have files in your webroot that shouldn't be there (anything outside of Geeklog's public_html directory, for example). Check that all the plugins you're using are up to date.

Good advice. I'll look all of these over today. I wonder what else would allow for an email sent to root...? CAPTCHA, perhaps?

> You could also try and correlate the date and time of those emails with suspicious entries in your webserver logfiles. Also see earlier discussions here and here.

Thanks for the references. I tried looking through my Apache logs yesterday, but didn't come up with anything useful. I'll have another look today, and perhaps now that I know which site is generating the traffic, turn up the logging for that vhost in the conf.
Again, Dirk, thanks for your thoughts on this. I'll have a look at the links you've provided, dig a bit deeper into the logs, check my upgrade, and will follow up here when I know more. Hopefully, my experience may help someone else with a similar issue.
Cheers.
Lewis Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
LewisR
Forum User
Junior
Registered: 06/30/03
Posts: 29
Okay, I've just made some modifications and updates.
First, I removed the following (really) old files from webroot:

8-22-03 10:47p  37,202 0 ---- calendar.php
7-17-03 10:18a  25,407 0 ---- calendar_event.php
8-09-03  8:00p 169,315 0 ---- lib-common.old
7-17-03 10:18a  10,240 0 ---- links.php
7-17-03 10:18a   7,185 0 ---- pollbooth.php
7-17-03 10:18a   2,808 0 ---- portal.php

Next, here were the installed plugins:

bad_behavior2 2.0.10 1.4.1
blog          1.1.0  1.3.11
calendar      1.0.0  1.4.1
captcha       3.0.2  1.4.1
dokuwiki      1.3.0  1.4.1
links         1.0.1  1.4.1
polls         1.1.0  1.4.1
spamx         1.1.0  1.4.1
staticpages   1.4.3  1.4.1
vthemes       1.0.1  1.4.1

I then upgraded:

bad_behavior2 2.0.11
dokuwiki      1.3.1
vthemes       1.0.2

My GL directory itself is located outside of webspace, and the contents appear to be clean (no old files hanging around).
I'll look over the Apache logs again shortly to see what I can find.
Thanks again for your help and suggestions, Dirk!
Lewis Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
LewisR
Forum User
Junior
Registered: 06/30/03
Posts: 29
Hmmm... It looks like it may have had something to do with the email story function. I did see entries in the log for that (and access to /profiles.php). I just tested it on myself, and sure enough, I had CAPTCHA turned off for emailing stories (though I'm not seeing a story in my received spam, just the junk).
I'll investigate further this afternoon, but I think that's what it was.
Lewis Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
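The thread ends with the culprit narrowed down to the "email this story" function running without CAPTCHA, which turns any anonymous visitor into a sender of mail that leaves the server with the site's own X-Mailer header. Below is an added example (written for this thread, not Geeklog's own code) of the checks a public send-to-a-friend handler should make before it hands anything to mail(): a CAPTCHA or login requirement, rejection of CR/LF in any value that will end up in a mail header, a strict single-address format for sender and recipient, and a per-client rate limit so that one source cannot use the form as a bulk sender. The form field names, the hourly limit and the client address are assumptions; it is written in Python for clarity, and the same checks carry over one for one to a PHP handler.

```python
import re
import time
from collections import defaultdict, deque

# One plain mailbox@domain address, nothing else: no display names, no
# commas, no angle brackets, so a field cannot smuggle in extra recipients.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Form fields assumed for the example; the real form's names may differ.
HEADER_FIELDS = ("from_name", "from_email", "to_name", "to_email", "subject")
ADDRESS_FIELDS = ("from_email", "to_email")


class EmailStoryGuard:
    """Gatekeeper in front of an anonymous mail-sending form."""

    def __init__(self, max_per_hour=3, require_captcha=True):
        self.max_per_hour = max_per_hour          # assumed limit per client address
        self.require_captcha = require_captcha
        self._sent = defaultdict(deque)           # client ip -> times of accepted sends

    def check(self, form, client_ip, captcha_ok, now=None):
        """Return a list of reasons to refuse the request; empty means send it.
        A send is only counted against the rate limit when it is accepted."""
        now = time.time() if now is None else now
        problems = []

        # Anything with CR, LF or NUL in a header value is header injection:
        # PHP's mail() would pass the extra line through as a new header.
        for field in HEADER_FIELDS:
            value = form.get(field, "")
            if any(ch in value for ch in "\r\n\x00"):
                problems.append(f"{field}: control characters (header injection)")

        # Sender and recipient must each be exactly one plain address.
        for field in ADDRESS_FIELDS:
            if not EMAIL_RE.match(form.get(field, "")):
                problems.append(f"{field}: not a single plain address")

        # The thread's root cause: the form was reachable with CAPTCHA off.
        if self.require_captcha and not captcha_ok:
            problems.append("captcha: not solved")

        # Sliding one-hour window per client address.
        recent = self._sent[client_ip]
        while recent and now - recent[0] > 3600:
            recent.popleft()
        if len(recent) >= self.max_per_hour:
            problems.append("rate: too many sends from this address in the last hour")

        if not problems:
            recent.append(now)
        return problems


if __name__ == "__main__":
    guard = EmailStoryGuard(max_per_hour=2)
    # Constructed sample submissions: one clean, one with an injected Bcc header.
    clean = {"from_name": "Alice", "from_email": "alice@example.org",
             "to_name": "Bob", "to_email": "bob@example.net",
             "subject": "Thought you'd like this story"}
    injected = dict(clean, subject="Hi\r\nBcc: someone-else@example.com")
    print("clean:", guard.check(clean, "203.0.113.5", captcha_ok=True))
    print("injected:", guard.check(injected, "203.0.113.5", captcha_ok=True))
```

The guard only records a send when it was accepted, so a client cannot exhaust its own allowance with rejected requests, and the CAPTCHA requirement is a constructor option rather than a separate setting so it cannot be silently switched off by a template or config edit elsewhere.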