Tuesday, 13th September 2005

Grrr .. Spam Attacked

Today I woke up with a long list of things to do. I got to work, fired up 'Thunderbird' and was reading mail when a friend of mine told me she had just seen the new pictures I had put up on the site. I wondered which ones, so I visited my site and the rudest shock awaited me. The 'Recent Comments' section was littered with junk. It had a long list of comments which contained what looked to me like HTTP headers. (Later on I came to realise that they are SMTP headers.) If you have guessed right by now, yup, I had just been 'Spam Attacked'.

The script in question was the 'Add Comment' part of the script posted in my articles page. The form allows the user to post a comment about an article. The comment is added to the article XML file and a link to it is made in a recent comments file. My first reaction was to assume that it was done by a human. I quickly began to think about who the possible malicious source was and whom I had rubbed the wrong way and when. In haste I browsed through the affected article pages looking for clues as to who might have done this. In this haste I nearly messed up the possibility of tracing the person responsible. My web host nexcess.net offers SiteWorx for its content and web hosting management tools, unlike my previous host which used cPanel. The problem (which I found today) was that the features in SiteWorx give you less power than cPanel. For instance cPanel allows you to look at the raw logs of your site whereas SiteWorx gives access to only the last 'n' number of visitors. I might be mistaken on this thought. Anyways, as I kept browsing my site, making hits along the way, I very nearly erased the important 'last few visitors' records. Thankfully I still had the common sense to check the logs and wasn't so clouded with rage over who the person attempting to deface my site might be. I found a couple of IP addresses (68.142.251.142) and (68.142.250.178). I tracked the IP address information:

Results of IP Tracking for 68.142.250.178
IP address 68.142.250.178
Hostname lj2368.inktomisearch.com
ISP Inktomi Corporation
Country United States
OrgName: Inktomi Corporation
OrgID: INKT
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US.

I wondered why I was getting an attack from someone in Calif. I don't have any enemies in Calif. At least not yet; hell, I haven't even been to Calif yet. My initial thoughts were that some person (human) was pasting HTTP/SMTP header fields in the comments section. Why? Why? My curiosity grew and I decided to explore further into the attack. But first of all I had to clean up my sorry looking site. Thankfully I managed to keep my wits about me and saved the text material of the attack.

Content-Type: multipart/mixed; boundary="===============1402836522=="
MIME-Version: 1.0
Subject: 3c458248
To: yteowl@nikhilzkingdom.com
bcc: mhkoch321@aol.com
From: yteowl@nikhilzkingdom.com
This is a multi-part message in MIME format.
--===============1402836522==
Content-Type: text/plain;
charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
fwkqiimjcy
--===============1402836522==--

The first thing that caught my eye was the bcc: mhkoch321@aol.com field. I wondered if the (supposed) human was trying to track back his attack or something like that. I had half a mind to report this to AOL, but I've heard that it is hardly useful to do so and they barely respond to such requests, although they do investigate some requests.

I then googled mhkoch321@aol.com and voilà, guess what, the first few links were a gold mine. Apparently this is a recent spam attack (started over the weekend) and is now a fairly common occurrence. [wicked-grin]Feels real good when you realise others are in the same boat as you.[/wicked-grin] A good explanation of the attack can be read here. There is a huge list of people who posted about it:

I'm seeing an interesting new attack on my website where the attacker is hoping to exploit unchecked fields in a "web to email" form. The attack works by assuming a field used in an email header (such as the "From:" address or the "Subject:") is passed unchecked to the mail subsystem. Appending a newline character and a few more carefully crafted header lines with a BCC list and a spam message body might trick the underlying mail system into relaying spam for the attacker. An initial test sending a BCC copy to killerhamster@punkass.com has been used on most forms on my site to phish for vulnerable scripts. I had an old perl script which didn't check for new lines in the "email" field which alerted me to the problem and allowed me to quickly fix it. If you run a site, you should check and strip fields for carriage return and newline characters used directly in email headers.
Details of this attack:
This is an attempt to exploit my comments form. There are many hits from a number of different IPs which I assume are other compromised hosts. Form field data is presented between brackets in the example hit below. Notice how the email field contains a newline character and finishes off the email header fields. It even has Multi-Part support. Impressive!

I quickly decided to check my script and fix the vulnerability. It was then that I saw that my script (at least this one for recent comments) wasn't even a 'web to e-mail' type script. By this I mean, the script doesn't even try to send me a mail. All it does is record the comment in its appropriate file. So if my understanding is correct, the fact that my script is devoid of a call to a mail function means I'm immune to being used as a spam relay. However this doesn't make my script immune to such bots crawling around posting junk on my site. Anyone with clues on how to keep these nuisances away (apart from domain blacklists and such), kindly let me know. Time constraints severely restrict my ability to research this security vulnerability issue. How I wish the 'Information Security' classes I had enrolled for hadn't got cancelled (due to low enrollment)!!!
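The quoted explanation above describes the header-injection trick (a line break in a form field followed by extra SMTP headers), and the paragraph after it asks how a comment script that never calls mail() can still keep the junk out. The following is an added example, written for this post rather than taken from it or from the linked explanation, in Python instead of the Perl script the quoted author mentions. It shows why a line break in a header field matters, and the two checks a form handler would want: refusing CR/LF in single-line fields outright, and rejecting any field whose text contains header-shaped lines after a break. The sample field value is constructed to match the headers quoted in the post; the addresses in it are placeholders, and the field names (name, email, subject, comment) are assumptions.

```python
import email
import re
from email import policy

# Constructed sample of what the probe bot puts in one form field: a
# plausible address, a line break, and then its own SMTP header block
# (modelled on the headers quoted in the post; addresses are placeholders).
INJECTED_EMAIL_FIELD = (
    "visitor@example.com\n"
    'Content-Type: multipart/mixed; boundary="===============1402836522=="\n'
    "MIME-Version: 1.0\n"
    "Subject: 3c458248\n"
    "To: visitor@example.com\n"
    "bcc: probe-mailbox@example.net\n"
    "From: visitor@example.com\n"
    "\n"
    "This is a multi-part message in MIME format.\n"
    "--===============1402836522==\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "MIME-Version: 1.0\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "fwkqiimjcy\n"
    "--===============1402836522==--\n"
)

# Assumed form layout: these fields must never span more than one line.
SINGLE_LINE_FIELDS = ("name", "email", "subject")


def build_message_unchecked(from_field, subject_field, body):
    """The vulnerable pattern: form values are written straight into the
    header block. A line break inside from_field terminates the From: line
    and everything after it is read as further headers (and a body)."""
    return f"From: {from_field}\nSubject: {subject_field}\n\n{body}\n"


def header_names(raw_message):
    """Parse a raw message the way a mail system would and list the header
    names it actually contains, so the effect of an injection is visible."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [name.lower() for name in msg.keys()]


def sanitize_header_field(value, max_len=200):
    """Hardened handling for a value headed for a mail header or any
    single-line field: refuse CR and LF outright instead of repairing."""
    if re.search(r"[\r\n]", value):
        raise ValueError("line break in single-line field")
    value = value.strip()
    if len(value) > max_len:
        raise ValueError("field too long")
    return value


# A line break followed by something shaped like a mail header is the
# signature of the probe. Ordinary multi-line comment text is legitimate.
HEADER_AFTER_BREAK = re.compile(
    r"(?:\r\n|\r|\n)[ \t]*(?:to|cc|bcc|from|subject|content-type|mime-version)[ \t]*:",
    re.IGNORECASE,
)


def looks_like_header_injection(value):
    return bool(HEADER_AFTER_BREAK.search(value))


def check_submission(fields):
    """Return the names of form fields that should cause the submission to
    be rejected: single-line fields containing a line break, and any field
    (the free-text comment included) carrying header-shaped lines after a
    break. This applies whether or not the script ever sends mail, which is
    what keeps the probe's junk out of the stored comments file."""
    bad = []
    for name, value in fields.items():
        if name in SINGLE_LINE_FIELDS:
            try:
                sanitize_header_field(value)
            except ValueError:
                bad.append(name)
                continue
        if looks_like_header_injection(value):
            bad.append(name)
    return bad


if __name__ == "__main__":
    raw = build_message_unchecked(INJECTED_EMAIL_FIELD, "Comment on photos", "Nice photos")
    print("headers the mail system would see:", header_names(raw))
    print("rejected fields:", check_submission(
        {"name": "Bob", "email": INJECTED_EMAIL_FIELD, "comment": "Nice photos"}))
```

Running the block shows a bcc header appearing in the parsed message even though the script only ever wrote From: and Subject:, and check_submission naming the email field as the one to reject. The same check applied to the comment field catches the case in the post, where the junk lands in a stored comment rather than an outgoing mail.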

Posted by Nikhil on Tuesday, 13th September 2005 in TechnoBabble | Events | Nonsense

Comments

Simplest of the tricks is to generate an image with a code and ask the user to type it back in. I thought of doing this some time ago when I faced a similar "guestbook spam" bot. Laziness prevented me from doing so and I haven't been a target of such spam since then.. thus an uneasy lull continues.. lol -Rajesh

Posted by: Rajesh Goli on Wednesday 14th of September 2005 09:04:42 AM
