Welcome to Geeklog Sunday, December 15 2019 @ 11:48 pm EST

Geeklog Forums

Posible security issue in admin/mail.php in Geeklog 1.5.2sr6

Page navigation


Status: offline

joelbarrios

Forum User
Junior
Registered: 03/05/04
Posts: 22
Location:Mexico
Somehow an unprivileged, using a newly created regular user account, managed to access the mail component and sent one spam message to all users registered at the website. How this user did it, is still a mistery for me. What I can presume, for the moment, is that there could be a flaw in the admin/mail.php component, since is the only thing I think that could be used to send a email to every registered user.

Unfortunately, there is not any useful data in access.log and error.log.The only data we have is the mail account used: jeniferbaby4life at yahoo dot com. My website uses Geeklog 1.5.2sr6.

The spammer sent a bilingual message with broken spanish and broken english:
PHP Formatted Code
xxxxx@xxxxx
Hello.
My Name is jenifer i want to your profile today at (xx.xxxxxxx.xxx) and i love it i think we can clcik from thier!please i will like you to email me back through my email thus;(xxxxx@xxxxx) am waiting to recive your lovely reply soonest!
 Yours
 jenifer!
please contact me through my email address so i can give you my picture and tell you my datel have a nice day

-- http://www.AlcanceLibre.org/ La libertad del conocimiento al alcance de quien la busca.
 Quote

Status: offline

::Ben

Forum User
Full Member
Registered: 14/01/05
Posts: 1569
Location:la rochelle, France
Hello,

Do you use a captcha on your site?
I'm available to customise your themes or plugins for your Geeklog CMS
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: joelbarrios[pWhat I can presume, for the moment, is that there could be a flaw in the admin/mail.php component, since is the only thing I think that could be used to send a email to every registered user.[/p]

So in other words, you suspect that they did it through admin/mail.php, but you're not sure? How do you know the email was sent to all users?

Please send us the complete headers of such an email to our security contact.

bye, Dirk
 Quote

Status: offline

joelbarrios

Forum User
Junior
Registered: 03/05/04
Posts: 22
Location:Mexico
Quote by: cordiste

Hello,

Do you use a captcha on your site?



Yes, CAPTCHA was enabled.
-- http://www.AlcanceLibre.org/ La libertad del conocimiento al alcance de quien la busca.
 Quote

Status: offline

joelbarrios

Forum User
Junior
Registered: 03/05/04
Posts: 22
Location:Mexico
Quote by: DirkSo in other words, you suspect that they did it through admin/mail.php, but you're not sure? How do you know the email was sent to all users?


Me, my wife and all our staff received the mail. Plus a many users sent complaints about the message because it was originated from our web server :-/


Please send us the complete headers of such an email to our security contact.

bye, Dirk[/p]


I'll ask if somebody kept a copy, but I'm afraid, by now, probably everybody has deleted it.

We revised headers from the message and was originated within the server, as any other mail sent from Geeklog. For the moment I only have forwarded copies from complaints.

For the moment we have resticted the access to all /admin/ using a .htaccess file.
-- http://www.AlcanceLibre.org/ La libertad del conocimiento al alcance de quien la busca.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: joelbarrios

I'll ask if somebody kept a copy, but I'm afraid, by now, probably everybody has deleted it.


Geeklog adds some extra headers, e.g. X-Mailer: Geeklog, so that would help to figure out if the mails were really sent through Geeklog.

If you have enough time and patience, you could send emails through the profiles, so it doesn't have to be a problem with the Mail admin function (in fact I doubt it was sent through the admin panel - if you could break into admin/mail.php, you could just as well break into any other admin function).

Also, have you checked your webserver's logfiles? You should be able to tell whether somebody accessed admin/mail.php at the time the emails were sent.

If you have any more information, please let us know.

bye, Dirk
 Quote

Status: offline

suprsidr

Forum User
Full Member
Registered: 29/12/04
Posts: 555
Location:Champaign, Illinois
@joelbarrios
Are you using the newsletter plugin?

-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
 Quote

Status: offline

joelbarrios

Forum User
Junior
Registered: 03/05/04
Posts: 22
Location:Mexico
Quote by: suprsidr

@joelbarrios
Are you using the newsletter plugin?

-s



No. Actually, we have deactivated many plugins.
-- http://www.AlcanceLibre.org/ La libertad del conocimiento al alcance de quien la busca.
 Quote

Status: offline

suprsidr

Forum User
Full Member
Registered: 29/12/04
Posts: 555
Location:Champaign, Illinois
Just making sure they weren't somehow sending through the newsletter's mail.class which is different then GL's

-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
 Quote

Status: offline

joelbarrios

Forum User
Junior
Registered: 03/05/04
Posts: 22
Location:Mexico
Dirk, I have finally managed to get a copy from the message, but can't publish here, because spamx says it's spam.

The relevant data is:

X-Mailer: Geeklog 1.5.2sr6
X-Originating-IP: 41.214.123.71

IP Address is from Senegal.

-- http://www.AlcanceLibre.org/ La libertad del conocimiento al alcance de quien la busca.
 Quote

Status: offline

joelbarrios

Forum User
Junior
Registered: 03/05/04
Posts: 22
Location:Mexico
I have sent full message source to geeklog-security at lists dot geeklog dot net.
-- http://www.AlcanceLibre.org/ La libertad del conocimiento al alcance de quien la busca.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: joelbarrios


The relevant data is:

X-Mailer: Geeklog 1.5.2sr6
X-Originating-IP: 41.214.123.71


So this was NOT sent from admin/mail.php - since as of 1.5.2, we don't include the X-Originating-IP header any more for mails that are sent through the admin interface.

Given the origin, this could very well have been a manual operation. Do you have access to your webserver's logfiles at the time those emails were sent? Oh, and did you compare the times on several of those emails? I.e. are they a few minutes apart or all sent at the same time?

bye, Dirk
 Quote

Status: offline

joelbarrios

Forum User
Junior
Registered: 03/05/04
Posts: 22
Location:Mexico
Thak you, Dirk. You are right. My apologies for blamming admin/mail.php.

Let me confirm, seems at least a hundered users were mailed (we have +2400 registered users, and list purged every week). This made us think it could heve been done from admin/mail.php. CAPTCHA was enabled at Website. I'll ty to check access_log to determine time between first and last email sent. It will take some time, because I have no admin access to my sponsor's server and there are really big logs.

After the issue, we updated to captcha 3.3.0. The day spam happened, we were using captcha 3.1.2. Maybe script made to exploit a flaw in captcha 3.1.2?
-- http://www.AlcanceLibre.org/ La libertad del conocimiento al alcance de quien la busca.
 Quote

Status: offline

joelbarrios

Forum User
Junior
Registered: 03/05/04
Posts: 22
Location:Mexico
I have analized the access_log file. It's pretty huge output to post here (787 lines). So, this is a summary:

Basically, the culprit accessed the forum on 30/May/2010:09:05:24 -0500 and watched members list:

PHP Formatted Code
41.214.123.71 - - [30/May/2010:09:05:24 -0500] "GET /profiles.php?uid=3698 HTTP/1.1" 200 27628 "http://my-website/forum/memberlist.php?&show=100&order=1&prevorder=0&direction=desc&chkactivity=0&page=24" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"


Then... at 09:05:29 -0500, showing he/she has no-life, started mailing one by one:

PHP Formatted Code
41.214.123.71 - - [30/May/2010:09:05:29 -0500] "GET /captcha/captcha.php?csid=4c0270a5499a&.jpg HTTP/1.1" 200 2869 "http://my-website/profiles.php?uid=3698" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"


After sending last message, then went back to members list and mailed again to next user:

PHP Formatted Code
41.214.123.71 - - [30/May/2010:09:06:17 -0500] "GET /profiles.php?uid=3699 HTTP/1.1" 200 27633 "http://my-website/forum/memberlist.php?&show=100&order=1&prevorder=0&direction=desc&chkactivity=0&page=24" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
41.214.123.71 - - [30/May/2010:09:06:21 -0500] "GET /captcha/captcha.php?csid=4c0270da8be6&.jpg HTTP/1.1" 200 3321 "http://my-website/profiles.php?uid=3699" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"


Mailed users from 3698 ID down to 3323 ID (again, seems his guy/gal has no life). Repeated until 16:03:06 -0500:

PHP Formatted Code
41.214.120.37 - - [30/May/2010:16:03:06 -0500] "GET /profiles.php?uid=3323 HTTP/1.1" 200 22552 "http://my-website/forum/memberlist.php?&show=100&order=1&prevorder=0&direction=desc&chkactivity=0&page=22" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"


Around 30/May/2010:16:03:06 -0500, I detected spam delivered to my mail account and deleted user's account. That day I received lots of complaints about the spam, originated from my website and targeted to resgitered users. We thought it was via admin/mail.php because the large ammount of users affected, and restricted access to /admin directory to allow acces only from certain Latin American countries.

Looking more closely at access_log, we discovered more activity. On June 01 2010 at 21:43 -0500, returned with another browser and started to mail stories util 23:59:10 -0500:

PHP Formatted Code
41.214.12.37 - - [01/Jun/2010:21:43:04 -0500] "GET /profiles.php?sid=renaut-teoria-conspiracion-clase-politic&what=emailstory HTTP/1.1" 200 22378 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"


Same day, for unknown reasons, he/she aparently felt interest for open source docs, accessed filemgmt and downloaded a few of files I host there:

PHP Formatted Code
mar 01 jun 2010 22:00:05 CDT (anon@41.214.12.37) - Visit.php => Download File:Implementacion_Servidores_Linux-MARZO-20100315.tar.bz2, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:05 CDT (anon@41.214.12.37) - Visit.php => Download File:Python_para_todos.pdf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:06 CDT (anon@41.214.12.37) - Visit.php => Download File:Curso-Ubuntu-por-SinWindows.tar.bz2, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:06 CDT (anon@41.214.12.37) - Visit.php => Download File:linwin.pdf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:06 CDT (anon@41.214.12.37) - Visit.php => Download File:compaq-armada-m300-kernel-2.6.26.tar.bz2, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:07 CDT (anon@41.214.12.37) - Visit.php => Download File:config-kernel-2.6.29.1-3.aaoneA150-D150-AL.gz, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:08 CDT (anon@41.214.12.37) - Visit.php => Download File:acer-aspire-one-xorg-1.0.conf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:08 CDT (anon@41.214.12.37) - Visit.php => Download File:xorg-AAONE-D150.conf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:09 CDT (anon@41.214.12.37) - Visit.php => Download File:slparatinum06.pdf, User ID is:1, Remote address is: 41.214.12.37
mar 01 jun 2010 22:00:09 CDT (anon@41.214.12.37) - Visit.php => Download File:Manual_de_programacion_en_Bash_Shell.zip, User ID is:1, Remote address is: 41.214.12.37


Seems he/she returned on jun 02 2010 at 00:03 and then started to access profiles directly (do not know what he/she did), first the ones starting with number 1:

PHP Formatted Code
41.214.12.37 - - [02/Jun/2010:00:03:16 -0500] "GET /profiles.php?uid=100 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:16 -0500] "GET /profiles.php?uid=10 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:20 -0500] "GET /profiles.php?uid=101 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:22 -0500] "GET /profiles.php?uid=102 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:23 -0500] "GET /profiles.php?uid=103 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:25 -0500] "GET /profiles.php?uid=105 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:24 -0500] "GET /profiles.php?uid=104 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:25 -0500] "GET /profiles.php?uid=106 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:26 -0500] "GET /profiles.php?uid=107 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:03:26 -0500] "GET /profiles.php?uid=108 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"


Etc, etc. etc., Then 20's, 30's, 40's, 50's, 90's and then random users.

PHP Formatted Code
41.214.12.37 - - [02/Jun/2010:00:06:57 -0500] "GET /profiles.php?uid=3841 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:06:57 -0500] "GET /profiles.php?uid=964 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:02 -0500] "GET /profiles.php?uid=3841 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:04 -0500] "GET /profiles.php?uid=637 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:11 -0500] "GET /profiles.php?uid=2752 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:13 -0500] "GET /profiles.php?uid=637 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:18 -0500] "GET /profiles.php?uid=435 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
41.214.12.37 - - [02/Jun/2010:00:07:25 -0500] "GET /profiles.php?uid=3603 HTTP/1.1" 200 21616 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS


Nobody complained since sunday. Do not know what he/she did or intended to do.

On 02/Jun/2010:00:07:25 -0500 I decided to block 41.214.0.0/16 (I don't care about Senegal. My target audience is in Latin America and Spain).

Again, my apologies for blamming admin/mail.php.

Never realized that actually there were people with so much time to spare to do something like this.
-- http://www.AlcanceLibre.org/ La libertad del conocimiento al alcance de quien la busca.
 Quote

Status: offline

suprsidr

Forum User
Full Member
Registered: 29/12/04
Posts: 555
Location:Champaign, Illinois
I've had literally millions of $_REQUEST (s) like those.
And the same pattern repeats day after day after day...... Different IP every day but in the same range.

I had thought (at one time) that geeklog sites were being targeted as the same requests were being tried / specifically geeklog directories(unproven)
But my *bsd machine does not allow directory listings and such so no fruit for the hacker?

Losers with plenty of time on their hands Confused:
Hey what good does it do to send 1000's of the same message to the same email account? I ignored the 1st thousand, maybe I'll latch onto the 100,000th?
Spammers have a whole other mentality.

Shoot 'em all.

-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: joelbarrios

I have analized the access_log file. It's pretty huge output to post here (787 lines). So, this is a summary:
(...)
Never realized that actually there were people with so much time to spare to do something like this.


Thanks for the analysis.

If you've never heard of those people before, you may want to read up on the "Nigeria" or "419" scammers. They seem to have some criminal energy, a lot of time and patience, but not a very good grasp of technology ...

geeklog.net was also a target of those guys on occasion. At one point, I had the entire 41.0.0.0/8 blocked here, which was an over-reaction but I didn't know how else to stop them Neutral

bye, Dirk
 Quote

Status: offline

scarecrow

Forum User
Junior
Registered: 24/10/07
Posts: 33
"Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"


In the past I've had some headaches related to the "DTS Agent" which, if I recall correctly, was/is associated with an email address harvester bot. Something like the "Beijing Address Collector" or something similar.

*After-thought: I'm pretty sure that Bad Behavior blocks that agent
 Quote

ironmax

Anonymous
Quote by: joelbarrios

I have analized the access_log file. It's pretty huge output to post here (787 lines). So, this is a summary:

Nobody complained since sunday. Do not know what he/she did or intended to do.

On 02/Jun/2010:00:07:25 -0500 I decided to block 41.214.0.0/16 (I don't care about Senegal. My target audience is in Latin America and Spain).

Again, my apologies for blamming admin/mail.php.

Never realized that actually there were people with so much time to spare to do something like this.



This is a very good reason why I have all mail copied from the site to a mailbox in the domain. This way I can monitor any BS the spammers are doing if and when they decide to try and attack me. This has only happened to me once several years ago and I plugged the leak.

Michael
Spacequad AntiSpam Services
Thunder Bay, Ontario
 Quote

Status: offline

suprsidr

Forum User
Full Member
Registered: 29/12/04
Posts: 555
Location:Champaign, Illinois
In this morning's weekly PHP Classes newsletter I found a simple firewall.class which may be of interest.
http://www.phpclasses.org/package/6112-PHP-Accept-or-deny-requests-depending-on-IP-address.html

If included at the very beginning of lib-common.php one could easily deny a whole IP range or single IPs before any of the rest of the gl system has to load.
So it would preempt the Ban pugin and all other methods of IP screening/filtering.

This guy even included a great BSOD you could serve up to banned surfers.

-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
 Quote

Status: offline

Laugh

Site Admin
Admin
Registered: 27/09/05
Posts: 1384
This type of thing happening is one of the reasons why I hoped the Core Notification Service would of happened this Google Summer of Code. As part of the project a rule system could have been created to prevent users from sending so many emails per hour/day.

ON a related note,I would also like to expand the Ban plugin at some point to create rules for visitors to prevent people from downloading entire sites with bots.

Now all I need is the time Big Grin
One of the Geeklog Core Developers.
 Quote

Page navigation

All times are EST. The time is now 11:48 pm.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content