Spam PHP injection problem

BillieGDJoe

Guest
Hi folks,




I have an issue on my Linux Plesk server. Users are using it to send spam directly to the Qmail queue through PHP injection. Badmailfrom, SpamAssassin and Dr. Web don't catch this, because it is injected into the queue directly. Disabling the PHP mail() function solves this problem, but I need it enabled, so it is still a problem. Any ideas? Thanks in advance!
 
I'm having the same issue. I have shut down two sites with these issues. The key is to have sites running updated code. Of course, heading that off before issues happen would be best.

They are typically associated with contact us pages on sites.
 
I caught this before it got out of control. Your best bet is something like mod_security (http://www.modsecurity.org/); it's not too difficult to set up, and it protects against a lot of web-based exploits.

From what I could tell from the captures I got, it injects a variable called "email" and adds something like the following:

Code:
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
Subject: anuary early
bcc: [email protected],[email protected],etc...
then the message body...

That's enough to make it bcc to other people, as well as send a copy to wherever else that contact form should go. I think mod_security already checks for this type of attack.
 
Originally posted by breun
This is not a Plesk or PHP problem, you need to update/fix your mail script.

Agreed, but when you have a Plesk server with over 200 domains and users doing their own things, you can't really rely on good programming practices. mod_security or a good IPS is the best way for a hosting company to combat this.

-Bill
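
Added example, not part of any post in this thread: one way a contact-form script can refuse the injected "email" value described above before it ever reaches mail(). The function names, field names and sample requests are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; the sample requests below are constructed.

/** True if a value bound for a mail header carries CR, LF or NUL. */
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Validate a contact-form POST and return the arguments for mail(),
 * or null if any header-bound field is unsafe.
 */
function build_contact_mail(array $post, string $recipient): ?array
{
    $email   = (string)($post['email'] ?? '');
    $subject = (string)($post['subject'] ?? '');
    $message = (string)($post['message'] ?? '');

    // Reject instead of stripping: a line break in these fields is never legitimate.
    if (has_header_break($email) || has_header_break($subject)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The visitor's address goes only into Reply-To; the recipient is fixed by the site.
    return [$recipient, $subject, $message, "Reply-To: $email"];
}

$requests = [
    'normal'   => ['email' => 'visitor@example.com', 'subject' => 'Question', 'message' => 'Hello'],
    'injected' => ['email' => "visitor@example.com\r\nbcc: a@example.net,b@example.net",
                   'subject' => 'Question', 'message' => 'Hello'],
];

foreach ($requests as $label => $post) {
    $args = build_contact_mail($post, 'webmaster@example.org');
    if ($args === null) {
        error_log("contact form: rejected '$label' request (line break in header field)");
        echo "$label: rejected\n";
        continue;
    }
    // A real handler would now call mail(...$args); omitted so the example runs offline.
    echo "$label: accepted, headers = {$args[3]}\n";
}
```

The logged rejections give a hosting admin something to watch per domain, alongside a server-wide filter such as mod_security.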
 