HELP! PHP Form being exploited

[dharrison]

Please help.

One of my customers have a php form. A couple of weeks ago, he kept getting all these "Mail Delivery Failure" messages. They were all Viagra and horrid stuff like that. He got about 30 of them each evening.

Anyway the random code (part of the PHP form script) was text show I changed it to images and this worked for 2 weeks.

Anyway I got a message just now and it is being exploited again. I am beginning to run out of answers. Can anyone look on Contact U Store Solutions - Online Enquiry form and tell me if they see any obvious vulnerabilities.

Otherwise can anyone recommend another secure form script which should keep the b****rs out.

Any help gratefully received. Any quick help even more gratefully received.

TIA

[speed]

The way I've got around spam bots (at the moment anyway) is to send all our enquiries through our ticketing system and run the ticketing system over SSL.

Without seeing the PHP running the form it's impossible to tell if they are using OCR to read the characters, or some exploit in the code.

You could change the PHP so that it asks a random maths question or other simple question such as the name of the company or are there pictures of boxes on this page?

[wige]

Other than the addition of captcha, do you have anything specific in the e-mails that narrows it down to a vulnerability in the script itself?

Also, as soon as possible, check the input validation. It looks like the script may be vulnerable to a XSS attack, not related to the e-mail problem but still a bad thing - you can test this by entering the following code in the requirement in detail text area

Code:

</textarea><script>alert()</script><textarea>

To save time I didn't bother entering a message, you do have input validation to prevent SQL injections and I didn't want to waste too much time on exploring this (but fix it). Also, is the site on a shared or dedicated host?

[joncase]

Hi Deb,
I was having the same problem with a cgi form. (Alien Form) No sort of validation I did on the client side stopped the spamming. (They were listing lots of websites in the textarea using anchor tags.) So I had to alter the script itself because they were bypassing the html form with their bot. Now the script on the server will not process the form if the textarea contains html tags.

Also, you may want to look at dB Masters FormM@iler. I haven't tried it yet, but it looks promising.

[Dubbya]

Are you certain that the script is being exploited?

You might want to check with the host to ensure that email relay has been disabled at the server.

They should also be able to specify that the server only sends email from the legit domain and email addresses.

I'd do my best to secure the form itself using SSL. If the form and the data it transmits isn't secured, it's vulnerable to interception.

I found a thread in *cough* in another forum with a few promising links to php security related info.

Check it out.
Securing PHP Forms - Kionic Community Forums

Good Luck.

[dharrison]

Quote:

Originally Posted by wige

Also, is the site on a shared or dedicated host?

I am on shared host.

It is definitely the form (or thats what the hosting people said).

Thanx for all your help so far.

[speed]

Quote:

Originally Posted by dharrison

I am on shared host.

It is definitely the form (or thats what the hosting people said).

Thanx for all your help so far.

Have you asked the developers of the form about this, if it's a flaw in their code then they should fix it.

Whose form is it?

[wige]

Quote:

Originally Posted by dharrison

I am on shared host.

Well that rules out some things...

Quote:

Originally Posted by dharrison

It is definitely the form.

I don't suppose they mentioned how they came to that conclusion, did they? (If they know it was done by the form, they might be able to determine what about the form was exploited) Would it be possible for you to either post or send me one of the bounce messages, or even better one of the spam e-mails, preferably with the headers intact?

Your site is vulnerable to a TRACE/TRACK XSS attack, which can be prevented by adding the following code to your htaccess file:

Code:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule  .* - [F]

I was able to find a running smtp (email) server, but was not able to send a message to it, so that is a good sign. I may be able to determine more from one of the bounce messages though.

[wige]

Actually, I take back my previous post about not being able to access SMTP. I've never done much with those types of servers. You should see an e-mail from info@ustoresolutions.co.uk to mail@ustoresolutions.co.uk in a few moments, which I sent as a test. I think if I had passed a cc: it might have been able to spam outside of the network, but I am not extremely familiar with SMTP. It would not, however, let me directly send an e-mail to an external domain.

[katom]

Quote:

Originally Posted by dharrison

Please help.

One of my customers have a php form. A couple of weeks ago, he kept getting all these "Mail Delivery Failure" messages. They were all Viagra and horrid stuff like that. He got about 30 of them each evening.

Anyway the random code (part of the PHP form script) was text show I changed it to images and this worked for 2 weeks.

Anyway I got a message just now and it is being exploited again. I am beginning to run out of answers. Can anyone look on Contact U Store Solutions - Online Enquiry form and tell me if they see any obvious vulnerabilities.

Otherwise can anyone recommend another secure form script which should keep the b****rs out.

Any help gratefully received. Any quick help even more gratefully received.

TIA

We have received spam via php forms for some time and it really picked up a lot over the past 2 months. It has gotten to the point that we were receiving in excess of 300 per day. We are implementing captcha on all forms via php code in hopes of stopping the spam. We designed our forms where we receive the spam but it can not be forwarded on to others.

[tcustomgolf]

How about PHP Form Mail Script - Ultimate Form Mail

Seems to work for me and has lots of spam control, validation, etc.

[colincartwright]

Not being that technically minded with PHP, I can't help you re-write the code so the spam goes away, but I did suffer a similar fate recently with two of my sites. I got around it by buying Form generating software from Coffee Cup Software. Their software is quite clever and designs the forms to work as SWF (shock wave flash forms). Since U uploaded these forms not had one bit of spam from the new forms - presumably its not possible for them to be spammed?

I have to say that the software allows you to be very creative designing forms, including images etc. All you do is placve the SWF object where you want the form to display on the page and upload a few extra files. Seems to work fine and it didn't cost that much to buy - about $34 if memory serves.

Another trick I read about recently was to do with spam coming from emails on websites, where people had designed the sites using the email address as text. Another poster on this form suggested designing email addresses as jpg or gif images with hyperlinks instead as being more effective at reducing direct email spam from your website?? Not tried this.

[wige]

There are a few other solutions as well, such as rather than having the form send an e-mail, it could simply take the passed data and store it in a text file on the server, then have a cron task set up to run a script every hour or so to check if the file exists (meaning someone filled out the form) and have that send the data to you and delete the text file. This way you are hardcoding the e-mail address in such a way that the script can't be hijacked (the script the public can access no longer knows how to send e-mail, and the new script that can send e-mail can not be accessed publicly).

[niggles]

There is an excellent article at the URL below which tells you about creating SPAM-free forms.

WebAIM: Blog - Spam-free accessible forms

A few of us have implemented these recommendations on several sites and they work really well, particularly the hidden field (if it gets filled in you know it's a spambot) and the timestamping (as spambots often process the form before going back later to submit it).

Cheers,
Nigel

[wpriley]

Have you considered the possibility that your return E-mail address may have been spoofed by a spammer and that the return E-mails you're getting never originated on your server?

[deepsand]

Quote:

Originally Posted by wpriley

Have you considered the possibility that your return E-mail address may have been spoofed by a spammer and that the return E-mails you're getting never originated on your server?

And, if the e-mail address was obtained by harvesting it from the site prior to its being changed from text to image, the horse is out of the barn, & it's not coming back!

In that case, the only good solution is to discard the old address, and make certain that the new one cannot be harvested.

[hostBrain]

Quote:

Originally Posted by colincartwright

I got around it by buying Form generating software from Coffee Cup Software. Their software is quite clever and designs the forms to work as SWF (shock wave flash forms). Since U uploaded these forms not had one bit of spam from the new forms - presumably its not possible for them to be spammed?

I have to say that the software allows you to be very creative designing forms, including images etc. All you do is placve the SWF object where you want the form to display on the page and upload a few extra files. Seems to work fine and it didn't cost that much to buy - about $34 if memory serves.

Nice tip on this software... you've been repped

- will check it out

[DrTandem1]

At the moment, I'm getting a 404 error (page not found). You need to strip tags from the results as well as block line feeds. Also, I would recommend not allowing URLs in the text fields. The reason they exploit forms is to launch spam, usually using your own domain as the sender's domain. By disallowing your own domain from the form results, this will usually end it. Of course, I also recommend adding CAPTCHA, if you haven't already done so.

Lastly, it may simply be a virus/worm on your client's computer sending out spam using their web site's email address. Remember, when you see a hoof print, look for horses not zebras.

[deepsand]

Quote:

Originally Posted by DrTandem1

<snip>

Remember, when you see a hoof print, look for horses not zebras.

But, how to tell the difference, considering that both are Animalia/Chordata/Mammalia/Perissodactyla/Equidae/Equus?

[dharrison]

DT1 - You're getting a 404 page not found because I took this offline overnight. Basically the script/virus, etc sends out at night so I thought I would eliminate this. Good point though. Thanx man.

I have opted for ditching the PHP for the NMS formmail but I shall add RECAPTCHA to this. I don't know enough about PHP really.

Although I think I have worked out how they/it are exploiting the form thanks to that article. Thanx niggles.

Actually thanx all of you. There is certainly food for thought there.