
Hack problem, possibly through tell_a_friend.php


12 replies to this topic

#1 Biancoblu

  • Community Sponsor
  • 569 posts
  • Real Name:Isabella
  • Gender:Female
  • Location:Switzerland

Posted 08 January 2011, 18:27

Can you help please?

Today I was informed by my host about some spamming activity taking place on my site, attack seemingly sent from www.mysite.com/tell_a_redacted.php. I searched the whole of my site but couldn't find that file. I thought maybe tell_a_friend.php had been corrupted but didn't look like it had.

Having no help from host except being told to "update to the latest version of oscommerce as outdated third party software is not safe", I took the following steps to clean the site:
Wiped the whole site, restored from a clean backup, removed tell a friend box, set tell_a_friend.php permissions to 0000, checked all folder and files permissions.

I run 2.2ms2 version and already had applied the following security measures long ago: site monitor, IP trap, security pro, all permissions set correctly, admin renamed and pw protected, file_manager.php and define_language.php removed long ago, htaccess protection.

My problem is that I don't know where they came in from; if it's from a place other than tell_a_friend.php, it could happen again.

Any advice would be greatly appreciated.
Thank you for reading.

Isabella

Edited by Biancoblu, 08 January 2011, 18:30.

~ Don't mistake my kindness for weakness ~

Be safe, not sorry: Updated Security Thread

#2 Procommerce

  • Community Member
  • 53 posts
  • Real Name:Procommerce Argentina S.A.
  • Gender:Male
  • Location:Argentina

Posted 10 January 2011, 18:59

The file you are dealing with is not the important one. You should look for includes/classes/email.php:

      if (EMAIL_TRANSPORT == 'smtp') {
        return mail($to_addr, $subject, $this->output, 'From: ' . $from . $this->lf . 'To: ' . $to . $this->lf . implode($this->lf, $this->headers) . $this->lf . implode($this->lf, $xtra_headers));
      } else {
        return mail($to, $subject, $this->output, 'From: '.$from.$this->lf.implode($this->lf, $this->headers).$this->lf.implode($this->lf, $xtra_headers));
      }

And change it to something like this:

      if (EMAIL_TRANSPORT == 'smtp') {
        return mail($to_addr, $subject, $this->output, 'From: ' . $from . $this->lf . 'To: ' . $to . $this->lf . implode($this->lf, $this->headers) . $this->lf . implode($this->lf, $xtra_headers), '-fuser@domain.com');
      } else {
        return mail($to, $subject, $this->output, 'From: '.$from.$this->lf.implode($this->lf, $this->headers).$this->lf.implode($this->lf, $xtra_headers), '-fuser@domain.com');
      }

But it depends on your provider, who must not allow an anonymous sender in the real From field of the emails sent... Besides, safe_mode in PHP must be off.

Protect that email.php file as well.

If you feel lost, check my profile for more information.

Providing Ecommerce & CRM Solutions since 1995


Vote my post up if you found it useful
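
As an added example (not osCommerce's email class and not Procommerce's patch), the following stand-alone wrapper shows the two things the post touches: passing a fixed envelope sender to mail() through its fifth argument, and refusing header values that contain line breaks, which is what lets a tell-a-friend form be abused as a relay for arbitrary headers. The function names, the ENVELOPE_SENDER constant and every address are assumptions.

```php
<?php
// Added example, not osCommerce's email class and not Procommerce's patch.
// Function names, the ENVELOPE_SENDER constant and all addresses are assumptions.

// Fixed envelope sender (Return-Path). Bounces and abuse complaints land here no
// matter what a visitor typed into the form's "from" field. It is a constant under
// the site's control, so no user input ever reaches the sendmail command line.
define('ENVELOPE_SENDER', 'bounces@example.com'); // placeholder address

// A header value must not contain CR, LF or NUL: mail() joins these strings into
// raw message headers, so a line break would let the caller append Bcc:/To: headers.
function is_safe_header_value($value)
{
    return is_string($value) && preg_match('/[\r\n\0]/', $value) === 0;
}

// Address check: no line breaks and syntactically valid.
function is_safe_address($address)
{
    return is_safe_header_value($address)
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Send a plain-text message. Returns false, without calling mail(), when any
// header-bound input fails the checks above.
function send_tell_a_friend($to, $from_name, $from_address, $subject, $body)
{
    if (!is_safe_address($to) || !is_safe_address($from_address)
        || !is_safe_header_value($from_name) || !is_safe_header_value($subject)) {
        return false;
    }

    // Quote the display name and escape embedded quotes/backslashes for the header.
    $from_header = 'From: "' . addcslashes($from_name, '"\\') . '" <' . $from_address . '>';

    $headers = implode("\r\n", array(
        $from_header,
        'Reply-To: ' . $from_address,
        'Content-Type: text/plain; charset=utf-8',
    ));

    // The fifth argument is appended to the sendmail command; -f sets the envelope
    // sender. PHP refuses it when safe_mode is on, which is the caveat in the post.
    return mail($to, $subject, $body, $headers, '-f' . ENVELOPE_SENDER);
}

// Constructed inputs: the injected "Bcc:" line is rejected before mail() is reached.
var_dump(send_tell_a_friend(
    "friend@example.org\r\nBcc: list@example.net",
    'ELSA', 'elsa@example.com', 'Your friend ELSA has recommended this product', 'Have a look.'
));
var_dump(is_safe_address('friend@example.org'));
```

The envelope sender only changes where bounces and complaints go; it does not stop the form from being used to send mail, so the input checks (or the throttling and captcha discussed later in the thread) are what actually limit abuse.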


#3 Biancoblu

  • Community Sponsor
  • 569 posts
  • Real Name:Isabella
  • Gender:Female
  • Location:Switzerland

Posted 10 January 2011, 19:47

I will look into that, thank you for the info.

#4 pastorhale

  • Community Member
  • 7 posts
  • Real Name:William Hale
  • Gender:Male
  • Location:Kentucky

Posted 05 December 2011, 16:08

Biancoblu, I'm very curious about the outcome/results/fix of this issue, because I am dealing with the same "tell_friend.php" spam crack/hack. I've added the fix above, but would appreciate knowing if it worked for you. Did you find another or other solutions? Or were you able to develop a satisfactory "fix" to the problem? Thank you!

#5 rmanbike

  • Community Member
  • 9 posts
  • Real Name:Rman

Posted 09 December 2011, 03:55

I am dealing with some security issues with my oscommerce website and will need these patches also, as you mentioned:

Quote: "I run 2.2ms2 version and already had applied the following security measures long ago: site monitor, IP trap, security pro, all permissions set correctly, admin renamed and pw protected, file_manager.php and define_language.php removed long ago, htaccess protection".

But I would like to understand how much work it was to make all these patches, or about how many hours it took you to complete the above?

#6 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 10 December 2011, 04:47

Also take a look at osC_Sec as well. See link in my signature.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here

#7 sajuk

  • Community Member
  • 3 posts
  • Real Name:saj

Posted 16 December 2011, 19:07

Hi,

We just had this problem. I kind of sorted it out, for now. What happened is a remote IP was using tell_a_friend.php to send out spam emails.

What we did is, because we don't use that file, we removed it; this stopped the emails going out. In the cPanel error logs we saw which IP was trying to use this file every second, made a note of the IP and just put a block in the IP Deny Manager. For now this has stopped the emails. No doubt when they renew their IP they will be back, but the file has been deleted so I don't see how they can send email through the file. But we will keep an eye out for it.

There was no suspect code or file in the root that we could find; it was just remote IP access, we think.

Any further advice anybody can give us is welcome.

Thanks
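
The post above found the abusing address by noticing one IP hitting tell_a_friend.php every second in the server logs. As an added example (not from the thread, and not a cPanel or osCommerce tool), here is a small PHP script that does that check over Apache-style access log lines: it counts POSTs to the script per source IP inside a sliding time window and prints Apache 2.2 "Deny from" lines for review. The log lines, the threshold and the window are constructed for the example.

```php
<?php
// Added example: flag a remote IP hammering tell_a_friend.php in an Apache-style
// access log. Not from the thread; the log lines below are constructed.

$log_lines = array(
    '203.0.113.5 - - [16/Dec/2011:18:01:01 +0000] "POST /tell_a_friend.php?action=process HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Dec/2011:18:01:02 +0000] "POST /tell_a_friend.php?action=process HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Dec/2011:18:01:03 +0000] "POST /tell_a_friend.php?action=process HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Dec/2011:18:05:40 +0000] "GET /product_info.php?products_id=12 HTTP/1.1" 200 9043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Dec/2011:18:06:12 +0000] "POST /tell_a_friend.php?action=process HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
);

// Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

// Parse one line into an array, or return null if it does not match the format.
function parse_log_line($line)
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return array(
        'ip'     => $m[1],
        'time'   => $ts ? $ts->getTimestamp() : 0,
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH),
        'status' => (int) $m[5],
    );
}

// Return ip => total POST count for every IP that sent more than $max_hits POSTs
// to $script within any $window_seconds span. A shopper recommends a product now
// and then; a relay abuser submits the form every second.
function find_abusers(array $lines, $script, $max_hits, $window_seconds)
{
    $hits = array(); // ip => list of timestamps
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null || $entry['method'] !== 'POST' || $entry['path'] !== $script) {
            continue;
        }
        $hits[$entry['ip']][] = $entry['time'];
    }

    $flagged = array();
    foreach ($hits as $ip => $times) {
        sort($times);
        $start = 0; // left edge of the sliding window over sorted timestamps
        foreach ($times as $end => $t) {
            while ($t - $times[$start] > $window_seconds) {
                $start++;
            }
            if ($end - $start + 1 > $max_hits) {
                $flagged[$ip] = count($times);
                break;
            }
        }
    }
    return $flagged;
}

// More than 2 submissions inside 60 seconds is treated as abuse here (constructed threshold).
foreach (find_abusers($log_lines, '/tell_a_friend.php', 2, 60) as $ip => $count) {
    echo "# $count submissions to tell_a_friend.php: $ip\n";
    echo "Deny from $ip\n";
}
```

Run it against a real log with `file('/path/to/access_log')` in place of the constructed array. As the post itself notes, an IP block only holds until the sender changes address, so treat the output as a pointer to what needs throttling at the application level rather than as the fix.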

#8 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 16 December 2011, 20:40

You can add a reCAPTCHA to it.

Cheers

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#9 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 17 December 2011, 00:21

What happens if you set 'Allow Guest To Tell A Friend' to false? (admin/configuration/my store)

#10 Taipo

  • Community Member
  • 751 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 17 December 2011, 02:02

Ah ok I see that even with that set, it seems a logged in user can still spam from and to, using any email address they wish.

#11 Biancoblu

  • Community Sponsor
  • 569 posts
  • Real Name:Isabella
  • Gender:Female
  • Location:Switzerland

Posted 24 December 2011, 10:36

pastorhale, on 05 December 2011, 16:08, said:

Biancoblu, I'm very curious about the outcome/results/fix of this issue, because I am dealing with the same "tell_friend.php" spam crack/hack. I've added the fix above, but would appreciate knowing if it worked for you. Did you find another or other solutions? Or were you able to develop a satisfactory "fix" to the problem? Thank you!

First of all, I have rebuilt my site using version 2.3.1, which has the action recorder. I have set tell a friend with a minimum of 15 minutes between each email. I have also added a reCAPTCHA box.

On older versions I guess you could also limit the number of addresses you can enter to send your mail to.

#12 djp-at

  • Community Member
  • 9 posts
  • Real Name:Darryl

Posted 11 January 2012, 01:07

Easy fix for this is to add a count to a session variable and, before the process, check whether the count is over 1 (or whatever you want to allow).

On action process:

      // Amount Allowed
      $allowed_tellafriend_count = 1;

      // Start the count at zero the first time this session uses the form
      if (!isset($_SESSION['tell_a_friend_count'])) {
        $_SESSION['tell_a_friend_count'] = 0;
      }

      // Add Number Of Emails Sent To Count
      $_SESSION['tell_a_friend_count'] = $_SESSION['tell_a_friend_count'] + 1;

      // If Count Is Not More Than Allowed Then Do Action
      if ($_SESSION['tell_a_friend_count'] <= $allowed_tellafriend_count) {
        // Process Code
      } else {
        // Over the limit for this session: skip the process code
      }

Professionally Done Module Install's
Custom Modules
Support USA Coder's. And Get The Job Done Right!
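
The two previous posts describe the same control from different angles: a per-session count of submissions, and a minimum gap of 15 minutes between emails plus a cap on how many addresses one submission may carry. As an added example (not djp-at's snippet and not osCommerce's action recorder), here is one function that applies all three checks in the right order and only records the send once it has been allowed. The function name, the TAF_* constants and the timestamps are assumptions; the session is passed in as an array so the same function can be exercised with $_SESSION in the store and with a plain array here.

```php
<?php
// Added example: per-session throttle for a tell-a-friend action.
// Not code from the thread; function name, constants and limits are assumptions.

define('TAF_MAX_PER_SESSION', 3);    // total submissions allowed per session
define('TAF_MIN_INTERVAL', 15 * 60); // seconds between submissions (the 15 minutes above)
define('TAF_MAX_RECIPIENTS', 1);     // addresses per submission

// Decide whether this submission may proceed and, if so, record it.
// $session is passed by reference ($_SESSION in the store, a plain array in tests);
// $now is a Unix timestamp. Returns null when allowed, otherwise a short reason.
function tell_a_friend_check(array &$session, array $recipients, $now)
{
    // Recipient checks come first: they need no state and fail cheaply.
    if (count($recipients) < 1 || count($recipients) > TAF_MAX_RECIPIENTS) {
        return 'recipient_count';
    }
    foreach ($recipients as $r) {
        if (filter_var($r, FILTER_VALIDATE_EMAIL) === false) {
            return 'bad_address';
        }
    }

    // Initialise the counters instead of relying on null + 1.
    if (!isset($session['taf_count'])) {
        $session['taf_count'] = 0;
        $session['taf_last']  = 0;
    }

    // The count is compared before it is incremented, so the first send is allowed.
    if ($session['taf_count'] >= TAF_MAX_PER_SESSION) {
        return 'session_limit';
    }
    if ($now - $session['taf_last'] < TAF_MIN_INTERVAL) {
        return 'too_soon';
    }

    // Only an allowed submission updates the state.
    $session['taf_count']++;
    $session['taf_last'] = $now;
    return null;
}

// Constructed walk-through with a plain array standing in for $_SESSION.
$session = array();
$t = 1324000000; // constructed base timestamp
$attempts = array(
    array(array('friend@example.org'), $t),                       // first send
    array(array('friend@example.org'), $t + 30),                  // 30 s later
    array(array('a@example.org', 'b@example.org'), $t + 900),     // two recipients
    array(array('friend@example.org'), $t + 900),                 // 15 min later
    array(array('friend@example.org'), $t + 1800),                // 30 min later
    array(array('friend@example.org'), $t + 2700),                // 45 min later
);
foreach ($attempts as $i => $a) {
    $reason = tell_a_friend_check($session, $a[0], $a[1]);
    echo 'attempt ' . ($i + 1) . ': '
        . ($reason === null ? 'allowed' : 'refused (' . $reason . ')') . "\n";
}
```

A session counter resets whenever the client discards its cookie and starts a new session, which is why the thread pairs it with disallowing guests, a captcha and the per-request logging that exposed the abusing IP; it raises the cost of abuse rather than removing it.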

#13 newmediaz

  • Community Member
  • 6 posts
  • Real Name:Richard Davies

Posted 24 January 2012, 12:23

I have the same issue.

Subject: Your friend ELSA has recommended this great product from
From: "ELSA"

How can I stop it?? Ahhhhhhhhhhhh