ok so i guess the wording threw you off lol
"Support ticket with log files is made."
read
"Support ticket with LINK TO log files is made."
My Hosting says vbulletin register.php can be injected to send spam!
Originally posted by Wayne Luke:
Attachments are stripped out of the support system in the process of going from email to web. This was originally done 10 years ago for security purposes but has never been updated.
Seems like Joe D. simply saw the title of the ticket and that nothing was attached instead of opening the ticket to see what was in it.
-
Attachments are stripped out of the support system in the process of going from email to web. This was originally done 10 years ago for security purposes but has never been updated.
-
Originally posted by Joe D.:
FYI, attachments (files) get stripped from the support ticket system, so please either provide a link where we can download the logs from or paste in the relevant portion of the log into the email body itself. I see the ticket but no logs are visible.
Add this to your existing ticket, please.
-
FYI, attachments (files) get stripped from the support ticket system, so please either provide a link where we can download the logs from or paste in the relevant portion of the log into the email body itself. I see the ticket but no logs are visible.
Add this to your existing ticket, please.
-
Originally posted by Paul M:
First of all, about this;
That is not a valid vBulletin file, no vB files have such weird names - whatever that is, I suggest you should remove it.
Secondly, according to that chat they have no actual evidence of an exploit;
All they have done is make a wild guess based on the fact someone is hitting register.php.
This is a common spammers' trick to try and register new accounts, and has nothing to do with sending spam e-mails.
If they think there is an exploit, they need to provide actual evidence to you (and then you can pass that along).
As for the chat, they have forwarded the evidence in a long server log, which I will send to you with all the information on what's going on.
-
Originally posted by Joe D.:
You should open a support ticket in the Member's Area (or email [email protected]) with whatever details the tech can provide - such as the POST/GET headers in the case of an SQL injection. What was posted here is pretty vague, hopefully on purpose, because you shouldn't post such details in public.
Just the fact someone is hitting your register.php page once a second, however, doesn't mean there is an exploit.
-
Originally posted by Paul M:
First of all, about this;
That is not a valid vBulletin file, no vB files have such weird names - whatever that is, I suggest you should remove it.
Secondly, according to that chat they have no actual evidence of an exploit;
All they have done is make a wild guess based on the fact someone is hitting register.php.
This is a common spammers' trick to try and register new accounts, and has nothing to do with sending spam e-mails.
If they think there is an exploit, they need to provide actual evidence to you (and then you can pass that along).
rename register mod: http://www.vbulletin.org/forum/showthread.php?t=297834
-
First of all, about this;
It seems pretty clear that they are getting past all of the security checks in forum/232r24rgnewfb2013.php
Secondly, according to that chat they have no actual evidence of an exploit;
All they have done is make a wild guess based on the fact someone is hitting register.php.
This is a common spammers' trick to try and register new accounts, and has nothing to do with sending spam e-mails.
If they think there is an exploit, they need to provide actual evidence to you (and then you can pass that along).
-
You should open a support ticket in the Member's Area (or email [email protected]) with whatever details the tech can provide - such as the POST/GET headers in the case of an SQL injection. What was posted here is pretty vague, hopefully on purpose, because you shouldn't post such details in public.
Just the fact someone is hitting your register.php page once a second, however, doesn't mean there is an exploit.
-
My Hosting says vbulletin register.php can be injected to send spam!
Hello,
I have also posted on vb org but will copy paste the same here:
Hi All,
I am at a loss here...
I had vB 3.6 from around 2008 and didn't upgrade until recently to vB 4.2.1.
The 3.6 was just with the standard default captcha and 1 required field, nothing else spam prevention related, as I moderate new reg users until after their first post.
About 1 month ago my host told me that the var/ drive was filling up and that they could see millions of spooled files in sendmail, and that they were guessing that addmember.php was the culprit. They deleted mails and files from the sendmail spool in the size of 380GB!
Their suggestion was to upgrade to latest vb version and install some additional spam mods.
I did and installed the
No captchas no images mod: http://www.vbulletin.org/forum/showthread.php?t=289463
Spam-o-matic
rename register mod: http://www.vbulletin.org/forum/showthread.php?t=297834
Now, after the upgrade and installs of various spam blocking mods, sendmail is still being abused, even though not to the same extent.
So the question remains: how is it possible to simply bypass all the security checks and get access to sendmail for spamming purposes (not for spamming my forum, but for sending out spam mails to the world, like "buy viagra" and crap like that)?
My hosting is currently monitoring the apache log file to see if they can see something.
They wrote this:
"Problem remains that someone or multiple people are able to get around captcha checks etc. in the vbulletin software even though it has been upgraded and many security checks have been installed.
I am currently running a capture
ngrep -l -q -d eth1 "^POST " tcp and port 80 > /tmp/trace.out 2>&1
in a screen session so someone should be able to pick it up later and stop it and examine the log files in /tmp/trace.out
It seems pretty clear that they are getting past all of the security checks in forum/232r24rgnewfb2013.php (addmember function) and we should be able to derive where it is failing from the logged things in that file and comparing to the php file!"
Have any of you guys had something similar happen to you where spammers got access to send out spam from your server and if so how did you close the hole?
Any help or suggestions would be greatly appreciated!
After the upgrades and security installs, and with sendmail flushed 2 days ago, the number of spooled emails on sendmail is right now rising: 22.648 <-- Maybe 50 of these are legit.
UPDATE:
This is my chat transcript from today with my hosting, where a Tier 3 engineer discovered a hole in register.php:
Steven Davis: So it appears to be the register.php script that has a hole that is allowing people to send email through it
Customer: wow really?
Steven Davis: I have blocked a few IPs that kept hitting that page over and over again
yup
Customer: how is that possible, I mean what makes u believe that?
Steven Davis: because after looking at the logging that Craig was doing and seeing a specific IP address hit that page over and over and over again, it made it pretty obvious.
Customer: the hitting of register.php should be bots trying to register to spam the forums
Steven Davis: Here are the top abusers:
Steven Davis:
20 client.yota.ru
21 112.101.64.107
21 ks3324546.kimsufi.com
22 199.15.233.135
24 142.4.204.33
26 ks3324731.kimsufi.com
27 host20-165-dynamic.25-79-r.retail.telecomitalia.it
27 hosted-by.slaskdatacenter.pl
36 p5dc37a5f.dip0.t-ipconnect.de
37 sol-fttb.114.153.118.46.sovam.net.ua
41 83-168-126-150.static.espol.com.pl
43 175.44.59.210
48 ks352475.kimsufi.com
49 host144-96-dynamic.25-79-r.retail.telecomitalia.it
59 198.204.239.116
67 91.207.6.154
80 ns4010162.ip-192-99-6.net
98 88-190-63-46.poneytelecom.eu
171 176.31.235.153.megaservers.us
174 137.175.13.33
258 198.2.218.1
281 137.175.11.1
288 91.121.62.208
421 192.95.20.134
459 ns4009215.ip-192-99-8.net
505 199.15.233.141
633 87.98.186.59
Customer: ok but what makes u think that because they try and register they get access to sendmail?
like in the last 1 hour or so I have around 150 bots blocked by the spam hammer from registering to the forum
but that doesn't give them access to send mails thru sendmail if u know what I mean
Steven Davis: No, it appears that there is a security hole that they have found that exploits a bug in the registration script that is sending email.
Customer: hmm
do u see any of these who tried to register that now are sending mails to the sendmail queue?
or do u assume they do
pretty important as I'm about to contact the vbulletin forum site considering the server crashing with 380GB mail files 2 weeks ago
Steven Davis: I saw the same IP address hitting that register script every second for about 10 minutes.
Customer: yeah I don't mind that, what I mind is somebody is abusing our server's sendmail
someone trying to keep registering, that's not an issue, they just keep running into a brick wall and they need to now pass 3 brick walls before getting a mail "ur membership is awaiting moderation"
Steven Davis: It is not that someone is trying to register over and over, it is that they have found a way to inject their own email and have your server send the email out.
Customer: really? and u are 100% sure that is what is going on there from what u can see in the apache log?
Steven Davis: About 99% sure at this point.
Customer: I'm speechless. U still investigating or is that ur conclusion?
Steven Davis: That is my conclusion.
Can vbulletin help with getting this shut down?
I really need to get this hole closed so the abuse of my server can stop!
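What the thread keeps coming back to is the evidence question Paul M raises: a client hitting register.php once a second is ordinary registration-bot behaviour, and it only becomes an outbound-spam problem if those requests can be tied to mail the web server account actually handed to sendmail. The script below is an added example written for this page, not code from the thread, from vBulletin or from the hosting provider. It parses constructed Apache combined-log lines and constructed sendmail-style syslog lines (both formats, the `www-data` account name and every address are assumptions), rebuilds the count-per-client list the host pasted, measures the worst burst per client, and then checks each register.php POST for a mail submission from the web account within a couple of seconds. That correlation is the check that separates "bots trying to register" from "bots relaying mail"; the POST bodies captured by the host's ngrep command are what would then show what was submitted.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not from the thread). Addresses are
# RFC 5737 documentation ranges; one client posts to register.php every second.
ACCESS_LOG = """\
198.51.100.7 - - [20/Jan/2014:10:00:01 +0000] "POST /forum/register.php?do=addmember HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2014:10:00:02 +0000] "POST /forum/register.php?do=addmember HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2014:10:00:03 +0000] "POST /forum/register.php?do=addmember HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2014:10:00:04 +0000] "POST /forum/register.php?do=addmember HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Jan/2014:10:00:30 +0000] "GET /forum/register.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Jan/2014:10:01:10 +0000] "POST /forum/register.php?do=addmember HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Jan/2014:10:02:00 +0000] "GET /forum/index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

# Constructed sendmail-style syslog lines (format assumed, not taken from the
# thread). Mail submitted by the web server account carries its local sender.
MAIL_LOG = """\
Jan 20 10:00:01 host sendmail[4011]: QID0001: from=<www-data@host.example>, size=812, nrcpts=1, relay=www-data@localhost
Jan 20 10:00:02 host sendmail[4012]: QID0002: from=<www-data@host.example>, size=812, nrcpts=1, relay=www-data@localhost
Jan 20 10:00:03 host sendmail[4013]: QID0003: from=<www-data@host.example>, size=812, nrcpts=1, relay=www-data@localhost
Jan 20 10:00:04 host sendmail[4014]: QID0004: from=<www-data@host.example>, size=812, nrcpts=1, relay=www-data@localhost
Jan 20 10:01:30 host sendmail[4015]: QID0005: from=<admin@host.example>, size=640, nrcpts=1, relay=admin@localhost
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
MAIL_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'\S+ sendmail\[\d+\]: \S+: from=<?(?P<sender>[^>,]+)>?')


def parse_access(log):
    """Parse combined-log lines; the query string is dropped so paths group cleanly."""
    records = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a request record
        records.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"),
            "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],
        })
    return records


def parse_mail(log, year, local_sender="www-data"):
    """Timestamps of messages the web server account handed to sendmail.
    Syslog carries no year, so the caller supplies it; both logs are assumed
    to be stamped by the same clock."""
    events = []
    for line in log.splitlines():
        m = MAIL_RE.match(line)
        if not m or not m.group("sender").startswith(local_sender):
            continue
        stamp = f"{m.group('mon')} {m.group('day')} {m.group('time')} {year}"
        events.append(datetime.strptime(stamp, "%b %d %H:%M:%S %Y"))
    return events


def register_posts(records):
    """Only POSTs count as submissions; a GET of register.php is just a page view."""
    return [r for r in records if r["method"] == "POST" and r["path"].endswith("/register.php")]


def top_abusers(records):
    """Per-client POST counts, busiest first (the shape of the host's list)."""
    return Counter(r["ip"] for r in register_posts(records)).most_common()


def max_burst(records, window_seconds=60):
    """Largest number of register.php POSTs one client made inside a sliding window."""
    by_ip = defaultdict(list)
    for r in register_posts(records):
        by_ip[r["ip"]].append(r["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        bursts[ip] = best
    return bursts


def correlate_with_mail(records, mail_events, tolerance_seconds=2):
    """Count register.php POSTs followed within tolerance_seconds by a sendmail
    submission from the web account. Returns (matched, total, matched_per_ip)."""
    posts = register_posts(records)
    matched_per_ip = Counter()
    for p in posts:
        if any(0 <= (m - p["ts"]).total_seconds() <= tolerance_seconds for m in mail_events):
            matched_per_ip[p["ip"]] += 1
    return sum(matched_per_ip.values()), len(posts), matched_per_ip


if __name__ == "__main__":
    recs = parse_access(ACCESS_LOG)
    for ip, n in top_abusers(recs):
        print(f"{n:>5} {ip}")
    print("max register.php POSTs in 60 s per client:", max_burst(recs))
    matched, total, per_ip = correlate_with_mail(recs, parse_mail(MAIL_LOG, 2014))
    print(f"{matched}/{total} POSTs were followed by a web-account mail submission:", dict(per_ip))
```

Against real logs the two constants would be read from the access log and the mail log for the same period. A legitimate registration that triggers an activation or moderation notice also produces a matched pair, so the signal is a client whose POSTs are matched at a high rate over a sustained burst, not any single match; the per-client table and the burst figure give that, and they are the kind of concrete evidence Paul M and Joe D. ask the host to provide.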