HELP! PHP Form being exploited

[dharrison]

Please help.

One of my customers have a php form. A couple of weeks ago, he kept getting all these "Mail Delivery Failure" messages. They were all Viagra and horrid stuff like that. He got about 30 of them each evening.

Anyway the random code (part of the PHP form script) was text show I changed it to images and this worked for 2 weeks.

Anyway I got a message just now and it is being exploited again. I am beginning to run out of answers. Can anyone look on Contact U Store Solutions - Online Enquiry form and tell me if they see any obvious vulnerabilities.

Otherwise can anyone recommend another secure form script which should keep the b****rs out.

Any help gratefully received. Any quick help even more gratefully received.

TIA

[speed]

The way I've got around spam bots (at the moment anyway) is to send all our enquiries through our ticketing system and run the ticketing system over SSL.

Without seeing the PHP running the form it's impossible to tell if they are using OCR to read the characters, or some exploit in the code.

You could change the PHP so that it asks a random maths question or other simple question such as the name of the company or are there pictures of boxes on this page?

[wige]

Other than the addition of captcha, do you have anything specific in the e-mails that narrows it down to a vulnerability in the script itself?

Also, as soon as possible, check the input validation. It looks like the script may be vulnerable to a XSS attack, not related to the e-mail problem but still a bad thing - you can test this by entering the following code in the requirement in detail text area

Code:

</textarea><script>alert()</script><textarea>

To save time I didn't bother entering a message, you do have input validation to prevent SQL injections and I didn't want to waste too much time on exploring this (but fix it). Also, is the site on a shared or dedicated host?

[joncase]

Hi Deb,
I was having the same problem with a cgi form. (Alien Form) No sort of validation I did on the client side stopped the spamming. (They were listing lots of websites in the textarea using anchor tags.) So I had to alter the script itself because they were bypassing the html form with their bot. Now the script on the server will not process the form if the textarea contains html tags.

Also, you may want to look at dB Masters FormM@iler. I haven't tried it yet, but it looks promising.

[Dubbya]

Are you certain that the script is being exploited?

You might want to check with the host to ensure that email relay has been disabled at the server.

They should also be able to specify that the server only sends email from the legit domain and email addresses.

I'd do my best to secure the form itself using SSL. If the form and the data it transmits isn't secured, it's vulnerable to interception.

I found a thread in *cough* in another forum with a few promising links to php security related info.

Check it out.
Securing PHP Forms - Kionic Community Forums

Good Luck.

[dharrison]

Quote:

Originally Posted by wige

Also, is the site on a shared or dedicated host?

I am on shared host.

It is definitely the form (or thats what the hosting people said).

Thanx for all your help so far.

[speed]

Quote:

Originally Posted by dharrison

I am on shared host.

It is definitely the form (or thats what the hosting people said).

Thanx for all your help so far.

Have you asked the developers of the form about this, if it's a flaw in their code then they should fix it.

Whose form is it?

[wige]

Quote:

Originally Posted by dharrison

I am on shared host.

Well that rules out some things...

Quote:

Originally Posted by dharrison

It is definitely the form.

I don't suppose they mentioned how they came to that conclusion, did they? (If they know it was done by the form, they might be able to determine what about the form was exploited) Would it be possible for you to either post or send me one of the bounce messages, or even better one of the spam e-mails, preferably with the headers intact?

Your site is vulnerable to a TRACE/TRACK XSS attack, which can be prevented by adding the following code to your htaccess file:

Code:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule  .* - [F]

I was able to find a running smtp (email) server, but was not able to send a message to it, so that is a good sign. I may be able to determine more from one of the bounce messages though.

[wige]

Actually, I take back my previous post about not being able to access SMTP. I've never done much with those types of servers. You should see an e-mail from info@ustoresolutions.co.uk to mail@ustoresolutions.co.uk in a few moments, which I sent as a test. I think if I had passed a cc: it might have been able to spam outside of the network, but I am not extremely familiar with SMTP. It would not, however, let me directly send an e-mail to an external domain.

[katom]

Quote:

Originally Posted by dharrison

Please help.

One of my customers have a php form. A couple of weeks ago, he kept getting all these "Mail Delivery Failure" messages. They were all Viagra and horrid stuff like that. He got about 30 of them each evening.

Anyway the random code (part of the PHP form script) was text show I changed it to images and this worked for 2 weeks.

Anyway I got a message just now and it is being exploited again. I am beginning to run out of answers. Can anyone look on Contact U Store Solutions - Online Enquiry form and tell me if they see any obvious vulnerabilities.

Otherwise can anyone recommend another secure form script which should keep the b****rs out.

Any help gratefully received. Any quick help even more gratefully received.

TIA

We have received spam via php forms for some time and it really picked up a lot over the past 2 months. It has gotten to the point that we were receiving in excess of 300 per day. We are implementing captcha on all forms via php code in hopes of stopping the spam. We designed our forms where we receive the spam but it can not be forwarded on to others.

[tcustomgolf]

How about PHP Form Mail Script - Ultimate Form Mail

Seems to work for me and has lots of spam control, validation, etc.

[colincartwright]

Not being that technically minded with PHP, I can't help you re-write the code so the spam goes away, but I did suffer a similar fate recently with two of my sites. I got around it by buying Form generating software from Coffee Cup Software. Their software is quite clever and designs the forms to work as SWF (shock wave flash forms). Since U uploaded these forms not had one bit of spam from the new forms - presumably its not possible for them to be spammed?

I have to say that the software allows you to be very creative designing forms, including images etc. All you do is placve the SWF object where you want the form to display on the page and upload a few extra files. Seems to work fine and it didn't cost that much to buy - about $34 if memory serves.

Another trick I read about recently was to do with spam coming from emails on websites, where people had designed the sites using the email address as text. Another poster on this form suggested designing email addresses as jpg or gif images with hyperlinks instead as being more effective at reducing direct email spam from your website?? Not tried this.

[wige]

There are a few other solutions as well, such as rather than having the form send an e-mail, it could simply take the passed data and store it in a text file on the server, then have a cron task set up to run a script every hour or so to check if the file exists (meaning someone filled out the form) and have that send the data to you and delete the text file. This way you are hardcoding the e-mail address in such a way that the script can't be hijacked (the script the public can access no longer knows how to send e-mail, and the new script that can send e-mail can not be accessed publicly).

[niggles]

There is an excellent article at the URL below which tells you about creating SPAM-free forms.

WebAIM: Blog - Spam-free accessible forms

A few of us have implemented these recommendations on several sites and they work really well, particularly the hidden field (if it gets filled in you know it's a spambot) and the timestamping (as spambots often process the form before going back later to submit it).

Cheers,
Nigel

[wpriley]

Have you considered the possibility that your return E-mail address may have been spoofed by a spammer and that the return E-mails you're getting never originated on your server?

[deepsand]

Quote:

Originally Posted by wpriley

Have you considered the possibility that your return E-mail address may have been spoofed by a spammer and that the return E-mails you're getting never originated on your server?

And, if the e-mail address was obtained by harvesting it from the site prior to its being changed from text to image, the horse is out of the barn, & it's not coming back!

In that case, the only good solution is to discard the old address, and make certain that the new one cannot be harvested.

[hostBrain]

Quote:

Originally Posted by colincartwright

I got around it by buying Form generating software from Coffee Cup Software. Their software is quite clever and designs the forms to work as SWF (shock wave flash forms). Since U uploaded these forms not had one bit of spam from the new forms - presumably its not possible for them to be spammed?

I have to say that the software allows you to be very creative designing forms, including images etc. All you do is placve the SWF object where you want the form to display on the page and upload a few extra files. Seems to work fine and it didn't cost that much to buy - about $34 if memory serves.

Nice tip on this software... you've been repped

- will check it out

[DrTandem1]

At the moment, I'm getting a 404 error (page not found). You need to strip tags from the results as well as block line feeds. Also, I would recommend not allowing URLs in the text fields. The reason they exploit forms is to launch spam, usually using your own domain as the sender's domain. By disallowing your own domain from the form results, this will usually end it. Of course, I also recommend adding CAPTCHA, if you haven't already done so.

Lastly, it may simply be a virus/worm on your client's computer sending out spam using their web site's email address. Remember, when you see a hoof print, look for horses not zebras.

[deepsand]

Quote:

Originally Posted by DrTandem1

<snip>

Remember, when you see a hoof print, look for horses not zebras.

But, how to tell the difference, considering that both are Animalia/Chordata/Mammalia/Perissodactyla/Equidae/Equus?

[dharrison]

DT1 - You're getting a 404 page not found because I took this offline overnight. Basically the script/virus, etc sends out at night so I thought I would eliminate this. Good point though. Thanx man.

I have opted for ditching the PHP for the NMS formmail but I shall add RECAPTCHA to this. I don't know enough about PHP really.

Although I think I have worked out how they/it are exploiting the form thanks to that article. Thanx niggles.

Actually thanx all of you. There is certainly food for thought there.

[dharrison]

And now I don't know because my client had 50+ spams in his mailbox this morning.

Now I am running out of answers.

[speed]

Assuming you removed ALL the files that make up the form then it sounds like the form isn't the problem, but rather the clients email address is being used as the return path or it's being directly targeted.

These emails, are they bounces or are they emails direct to the clients address?

Can we see one of these emails?

[dharrison]

Hi speed

Sorry for the delay in reply, I think something went wrong with the forum earlier.

They are bouncing (Mail Delivery Failure Notifications) I have taken all the scripts offline and he is apprently still getting them.

But wouldn't they be cached or something?

I am genuinely asking as I do not know and would welcome some help on this.

Thanx mate.

[speed]

There may be some emails still floating around from their previous attack on the form as an email can wait a few days before it fails, however once the form has been removed they should subside unless the spammer is just using your clients email address as the return path.

If the spammer has set emails to bounce back to your client then your best bet is to delete the email account and create another one.

If they were/are spamming through the contact form, then as you had image verification on I would lean towards a bug in the form. Visual inspection of the code should be the first step.

It would still be good to see the entire message as was it giving up after a 72hr delay or was it an instant non delivery because the destination address doesn't exist. The information in the returns can aid in diagnosis.

[wige]

The bounces could be delayed, but most likely there is another issue. The only way to truely determine the source of the problem, I think, is to look at the headers for one of these e-mails. Some bounce messages show the full or partial headers for diagnostics and forensic investigation. If you could, PM me with one of the messages and I can try to narrow down where it is originating.

[dharrison]

Shall I PM it speed? or psot it here?

[speed]

I've PMed you my email address to forward it to, you can post the bounced email here if you can select all the headers and everything.

[dharrison]

Posted.

Thanks Paul.

[wige]

Looking through the headers in the e-mail, I do not see any indication that the e-mail passed through your server. The bounce message contains the following lines:

Code:

 Received: from ppp91-122-141-3.pppoe.avangard-dsl.ru (ppp91-122-141-3.pppoe.avangard-dsl.ru [91.122.141.3])
 	by -server info removed- (Spam Firewall) with ESMTP id 00B8B211422

This is the originating ISP server. In other words, this is most likely the mail server of the spammer's ISP on the first line, and the second line is the mail server of the recipient's ISP, or more specifically a spam filtering firewall. If your script was compromised, the originating IP address would be that of your server. Based on this e-mail, there is no evidence of a compromise. Check the other bounce notices and compare the originating IP addresses, as long as the address is not your server, the script was not the problem.

[speed]

Yep, that's what I found. The script appears to be innocent.

[jganders]

I've experienced this behavior on several of my sites where there are no forms and no php. I've checked out the server mail logs using whm and found no relaying activity. So I think some ppl are simply spoofing the sending address on their outgoing spam.
This was months ago. I did a lot of research and did a couple things. Now I get a lot less of the 'returned mail' email. I entered my domains into a free service (maybe sorbs.net) that some mts servers use as a double check. I guess these servers can see that the 'from:' domain is not present elsewhere in the mail header, the spam is dropped.
I still get some returned spam email so I'm not sure there is any way to totally stop spammers from spoofing your domain.

[dharrison]

I have just heard form the hosting company that one this occasion it was nothing to do with the form.

Phew! Now time to think of how we can stop this.

Thanx all.

[speed]

Quote:

Originally Posted by dharrison

Now time to think of how we can stop this.

You can't really.

SPF was supposed to tell receiving mail servers which servers are allowed to send email for a given domain, this would stop this type of thing because the spam would never be accepted.

However for that to work it would require everyone enable and use SPF.

[deepsand]

Quote:

Originally Posted by dharrison

I have just heard form the hosting company that one this occasion it was nothing to do with the form.

Phew! Now time to think of how we can stop this.

Thanx all.

See Hack Yourself! for similar discussion, what you can & cannot do, etal..

[shannonlp]

What about just writing a regular expression that looks for common offensive words. This could help block the bad content.

[deepsand]

Quote:

Originally Posted by shannonlp

What about just writing a regular expression that looks for common offensive words. This could help block the bad content.

Block what content?

As the problem here is one of a spoofed Sender's Address, the owner of such Address has no control over the content of the offending e-mails.

Are you suggesting that the resulting Bounces be filtered based on content? If so, to what end?

[shannonlp]

Quote:

Originally Posted by deepsand

Block what content?

As the problem here is one of a spoofed Sender's Address, the owner of such Address has no control over the content of the offending e-mails.

Are you suggesting that the resulting Bounces be filtered based on content? If so, to what end?

My assumption is that the email has in the subject or body offensive terms. You could filter these out before processing the email. Much the way you check an email address to be sure it is valid.

Other things could be making sure that the form is good enough to stop injection style attacks where the spammer simply rewrites the post information adding bcc and cc to the URL.

[deepsand]

Quote:

Originally Posted by shannonlp

My assumption is that the email has in the subject or body offensive terms. You could filter these out before processing the email. Much the way you check an email address to be sure it is valid.

Other things could be making sure that the form is good enough to stop injection style attacks where the spammer simply rewrites the post information adding bcc and cc to the URL.

???

The offending e-mails are not originating from the site in question.

The offender is spoofing the Sender's Address to make it appear that the e-mails originated from the site in question.

The owner of the site in question has no control over the content of said e-mails.

[shannonlp]

I made a test on the site with just fghj as input for everything. My point is I could send emails to anyone with this form.

The PHP for the form is wide open to be exploited.

dharrison

If you look at your mail logs are the messages being sent from your server. If they are you need to better filter your data within your http://www.ustoresolutions.co.uk/enquiry.php

[deepsand]

Quote:

Originally Posted by shannonlp

I made a test on the site with just fghj as input for everything. My point is I could send emails to anyone with this form.

The PHP for the form is wide open to be exploited.

dharrison

If you look at your mail logs are the messages being sent from your server. If they are you need to better filter your data within your http://www.ustoresolutions.co.uk/enquiry.php

See HELP! PHP Form being exploited re. analysis of Headers of Bounces.

[shannonlp]

I see.. Sorry about that... The form is still very exposed to other exploits other than this problem...

[deepsand]

Quote:

Originally Posted by shannonlp

I see.. Sorry about that... The form is still very exposed to other exploits other than this problem...

The originator of this thread seems to be satisfied with the host's statement that there is no problem with the script.

You might consider sending a private message to Deb, so as to make sure that it comes to her attention, by using the link at HELP! PHP Form being exploited , detailing your findings.

Just because her present problem is not owing to such vulnerabilty, does not mean that such will never be the case.

[cPages]

Deb,

A couple of things we can recommend without giving away too many tricks.

You can add The Official CAPTCHA Siteimage verification and it will help a bit, per the other posts.

You should ensure your host has mod_security enabled with BCC and other form attack rules in their list.

You should set bounced email to fail [in case you have a default email address setup, change it to fail]. Ask your host if they are "verifying existance of mail senders". this is recommended.

Rename your form to something other than "contact" or "form" and more importantly rename your processing script to something completely different. [We believe bots are actually looking for words "form" etc].

Even if you are not experiencing these attacks from your form, what ever is causing these issues should be addressed with your web host in more depth. They can review logs to see why/how this is happenening and should be able to offer the best advice depending on what security scripts and policies they have in place.

Regards.

[ctabuk]

cPages - Desist from posting please - I know what you are attempting and I have removed your sig.