Geeklog Forums

Is lib-common vulnerable?


LewisR

Forum User
Junior
Registered: 06/30/03
Posts: 29
Since upgrading to 1.4.1 (and possibly before; I've just noticed it), I seem to be getting a number of spam messages sent from my own server to me (which bypasses my firewall, traveling behind it). I am using PHP's mail() function for sending mail, which is in turn configured for sendmail (I use CommuniGate Pro's "sendmail" work-alike).

Here's a typical bogus message (I'm seeing about five of these per day, and luckily, according to the logs in my mail server, only to me, so I'm not relaying out - yet):

Text Formatted Code
Return-Path: <some_bogus_address_here@gmail.com>
Received: by 2rosenthals.com (CommuniGate Pro PIPE 5.1.3)
  with PIPE id 1574007; Sat, 29 Dec 2007 12:49:09 -0500
To: Lewis Rosenthal <me@mydomain.com>
Subject: =?utf-8?B?QnV5IFVsdHJhbSBPbmxpbmUhIDUwbWcgMzAgUGlsbHMgb25seSA2MCQhIE5vIFByZXNjcmlwdGlvbiBSZXF1aXJlZC4=?=
From: some_bogus_address_here <some_bogus_address_here@gmail.com>
Date: Sat, 29 Dec 2007 12:49:00 -0500
Content-Type: text/plain; charset=utf-8
X-Mailer: GeekLog 1.4.1
Message-ID: <auto-000001574007@mydomain.com>

(...typical pharmaceutical junk in the body...)

As I currently host several GL sites, it's hard to tell which one is being hit. Here's an entry from my CommuniGate Pro log (different message, but illustrative of the report):

Text Formatted Code
13:32:52.650 2 PIPE [1573227] received in {Submitted\M396200.sub}, 788 bytes
13:32:52.690 2 QUEUE([1573227]) from <some_bogus_address_here@gmail.com>, 788 bytes <auto-000001573227@mydomain.com>)
13:32:52.690 2 QUEUE([1573227]) enqueued
13:32:52.790 2 MAILBOX(mybox/INBOX) [1573227] stored as 146375
13:32:52.790 2 ACCOUNT(mybox) [1573227] delivered
13:32:52.790 2 DEQUEUER [1573227] LOCAL(mybox) delivered: Delivered to the user mailbox
13:32:52.840 2 QUEUE([1573227]) deleted
Wanting to not switch to the custom mail setup in lib-custom just yet, I tweaked lib-common to add the site name to the X-Mailer header in the hope that I may be able to determine which site it is that may have been penetrated. Looking at my GL users, I have not found the address used to send the messages, nor have I seen anyone logged in at the time any of these seem to have come through (I have fairly low traffic sites over here), so I am guessing that someone is able to pass arguments to lib-common.php (admin/mail.php is fairly well protected) to generate the traffic.

Any thoughts on this, or what I might want to do to better lock down my installations?

TIA

Lewis Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Not sure how you're coming to the conclusion that the problem is with lib-common.php?

FWIW, lib-common.php has a simple protection against being called directly (it redirects to index.php). Besides, you would still need some code that actually calls the COM_mail function to send the email. So I'd say you should look elsewhere.

Make sure that you really replaced all the files when you did the upgrade. Make sure you don't have files in your webroot that shouldn't be there (anything outside of Geeklog's public_html directory, for example). Check that all the plugins you're using are up to date.

You could also try and correlate the date and time of those emails with suspicious entries in your webserver logfiles. Also see earlier discussions here and here.

bye, Dirk

LewisR

Forum User
Junior
Registered: 06/30/03
Posts: 29
Thanks for the quick follow-up, Dirk.

Quote by: Dirk

Not sure how you're coming to the conclusion that the problem is with lib-common.php?

Only because mail.php is inaccessible from the outside without a login.

Quote by: Dirk

FWIW, lib-common.php has a simple protection against being called directly (it redirects to index.php). Besides, you would still need some code that actually calls the COM_mail function to send the email. So I'd say you should look elsewhere.

I know that it's supposed to redirect to index.php (tested that, just to be sure), and with REGISTER_GLOBALS off, it shouldn't be possible to push variables to it from outside, yet I'm hard-pressed to figure out from where these messages are originating (just got a new one this morning, and I see it is from my LI WireFree site, based on the modified X-Mailer).

Quote by: Dirk

Make sure that you really replaced all the files when you did the upgrade. Make sure you don't have files in your webroot that shouldn't be there (anything outside of Geeklog's public_html directory, for example). Check that all the plugins you're using are up to date.

Good advice. I'll look all of these over today. I wonder what else would allow for an email sent to root...? CAPTCHA, perhaps?

Quote by: Dirk

You could also try and correlate the date and time of those emails with suspicious entries in your webserver logfiles. Also see earlier discussions here and here.

Thanks for the references. I tried looking through my Apache logs yesterday, but didn't come up with anything useful. I'll have another look today, and perhaps now that I know which site is generating the traffic, turn up the logging for that vhost in the conf.

Again, Dirk, thanks for your thoughts on this. I'll have a look at the links you've provided, dig a bit deeper into the logs, check my upgrade, and will follow up here when I know more. Hopefully, my experience may help someone else with a similar issue.

Cheers.
Lewis Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC

LewisR

Forum User
Junior
Registered: 06/30/03
Posts: 29
Okay, I've just made some modifications and updates.

First, I removed the following (really) old files from webroot:

Text Formatted Code
  8-22-03 10:47p        37,202      0 ----  calendar.php
  7-17-03 10:18a        25,407      0 ----  calendar_event.php
  8-09-03  8:00p       169,315      0 ----  lib-common.old
  7-17-03 10:18a        10,240      0 ----  links.php
  7-17-03 10:18a         7,185      0 ----  pollbooth.php
  7-17-03 10:18a         2,808      0 ----  portal.php


Next, here were the installed plugins:

Text Formatted Code
bad_behavior2   2.0.10   1.4.1
blog            1.1.0    1.3.11
calendar        1.0.0    1.4.1
captcha         3.0.2    1.4.1
dokuwiki        1.3.0    1.4.1
links           1.0.1    1.4.1
polls           1.1.0    1.4.1
spamx           1.1.0    1.4.1
staticpages     1.4.3    1.4.1
vthemes         1.0.1    1.4.1


I then upgraded:

Text Formatted Code
bad_behavior2   2.0.11
dokuwiki        1.3.1
vthemes         1.0.2


My GL directory itself is located outside of webspace, and the contents appear to be clean (no old files hanging around).

I'll look over the Apache logs again shortly to see what I can find.

Thanks again for your help and suggestions, Dirk!

Lewis Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC

LewisR

Forum User
Junior
Registered: 06/30/03
Posts: 29
Hmmm... It looks like it may have had something to do with the email story function. I did see entries in the log for that (and access to /profiles.php). I just tested it on myself, and sure enough, I had CAPTCHA turned off for emailing stories (though I'm not seeing a story in my received spam, just the junk).

I'll investigate further this afternoon, but I think that's what it was.

Lewis Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
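Dirk's suggestion to correlate the bogus messages with the web server logs, and the later finding that the hits were on /profiles.php (the email-story form without CAPTCHA), can be scripted. The example below is added here and is not code from the thread or from Geeklog: it takes the Date header of a spam message and a few constructed Apache combined-log lines, and lists requests to the assumed /profiles.php endpoint within a time window of the message.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample data (not from the original thread): the Date header of one
# bogus message and four Apache combined-log lines around that time.
MAIL_DATES = ["Sat, 29 Dec 2007 12:49:00 -0500"]
ACCESS_LOG = """\
203.0.113.7 - - [29/Dec/2007:12:48:55 -0500] "GET /profiles.php?uid=2 HTTP/1.1" 200 4123 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Dec/2007:12:49:02 -0500] "POST /profiles.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.4 - - [29/Dec/2007:12:49:10 -0500] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Dec/2007:13:10:22 -0500] "POST /profiles.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: client ip, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumed endpoint for the email-story / contact forms, as observed in the thread
SUSPECT_PATH = re.compile(r'^/profiles\.php')


def parse_access_log(text):
    """Yield one dict per parseable combined-format line (others are skipped)."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield {"ip": ip, "time": when, "method": method,
               "path": path, "status": int(status)}


def correlate(mail_dates, access_log, window_seconds=120):
    """Map each message Date header to the requests that hit the suspect endpoint
    within +/- window_seconds of it. A POST is the form submission that sends mail;
    the preceding GET from the same client is the form being fetched."""
    entries = list(parse_access_log(access_log))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for raw in mail_dates:
        sent = parsedate_to_datetime(raw)   # timezone-aware, like the log times
        hits[raw] = [e for e in entries
                     if abs(e["time"] - sent) <= window
                     and SUSPECT_PATH.match(e["path"])]
    return hits
```

Feed it the Date headers of every bogus message and the vhost's access log; clients that show up repeatedly with POSTs to the form endpoint at the message times are the ones to block or to rate-limit, and turning CAPTCHA on for that form is the mitigation the thread arrives at.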