
osCommerce


Email Was Spammed


awisdoms


Hi,

Well, the last few days have been awful as I have been working with my host to figure out what was going on with my email account. This is what they found out for me.

 

On closer examination of the logs it was found that spam mails were being sent from your file contact_us.php with your email address. This might be due to a flaw in the contact_us.php file through which your email address might have been compromised. It was also found that this email address was banned by AOL for spamming. We have blocked the contact_us.php script in your domain and hence it will prevent further spoofing of your email id. Please contact your web designer to code the contact_us.php file better and protect it against being compromised.

 

Can someone please help me to do this...

Thanks

Dia


Are they sure it came from the osCommerce contact_us.php?

 

I can't imagine HOW someone could use contact_us.php to send spam. The email address that mail is sent to is pulled straight from the database via PHP. The file should already be secure.

 

Open your contact_us.php file in a text editor. Does line 24 look like this?

tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);

Or has it been altered?


Well my hosting company took a few days to come up with that answer... and has now somehow closed off my contact us page.

I don't know how it happened, and they could be wrong, which is why I came here hoping to find some answers.

Is there a secure way of stopping this from happening again... and thanks for all the help... and I will try that contribution.

Dia


Well, I tried that and it did not work. I went back to my hosting company and asked if they could help me again, and they said once again that it has to do with the scripting of my contact_us.php file... I don't know how, as I went over everything and it seems fine...

I have been up all night searching for answers in this forum and it seems no one has been spammed or had the problem I do. Does anyone have any ideas for me to stop this from happening?

Thanks,

Dia


Ask your web host to also install this, and add it to their robots.txt file if they have one.

Your site could be hacked through the search engine cache if you haven't installed the contact_us fix.

Disallow: /catalog/contact_us.php

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP


It was also found that this email address was banned by AOL for spamming

 

AOL routinely bans entirely innocent e-mail addresses, because they make no check to see if headers have been forged on spam mail. I get god knows how many MAILER_DAEMON 'Returned Mail' messages from AOL - for e-mail addresses that don't even exist on the domain in question.

 

On closer examination of the logs it was found that spam mails were being sent from your file contact_us.php with your email address

 

Get your web hosting company to verify to you (send sample of logs to you) that the spam was actually passing through your mail service. My guess is that it wasn't.

 

Vger


Your site could be hacked through the search engine cache if you haven't installed the contact_us fix

Disallow: /catalog/contact_us.php

What do you mean disallow?

And my hosting company sent me another email and told me to upload a new version of the contact_us.php file from OS. So I will try that.

 

Without a robots.txt file, spiders will index all your files, including the ones you don't want indexed:

login, accounts, create_account, password_forgotten, checkout_shipping, login.php

Then these pages will be publicly displayed on the net for anyone to enter.

 

This is a sample robots.txt file:

 

# Sample robots.txt file (make sure the filename is ALL LOWERCASE on Linux/Unix systems)
# This file should go in your web site's ROOT directory
# The root directory is where your site's main /index.html file would be found
# It is usually found in /yourhomedir/public_html/ or /yourhomedir/httpdocs
# Where "yourhomedir" is your user account's name
#
# We invite you to also check out our popular contribution: Simple Template System (STS)
# It lets you layout or change your OSC look-and-feel by modifying a single HTML file
# http://www.oscommerce.com/community/contributions,1524 or SimpleTemplateSystem.com
# Enjoy! - Brian Gallagher @ DiamondSea.com

# This says to apply these settings to ALL search engine spiders/crawlers
User-agent: *

# These settings will keep spiders from indexing your unwanted pages
# This assumes that your OSC install is in your web site's ROOT directory
# ie: http://www.yoursite.com/index.php <- Use if this brings up your OSC main page
Disallow: /admin
Disallow: /account.php
Disallow: /advanced_search.php
Disallow: /checkout_shipping.php
Disallow: /create_account.php
Disallow: /login.php
Disallow: /password_forgotten.php
Disallow: /popup_image.php
Disallow: /shopping_cart.php
Disallow: /product_reviews_write.php
Disallow: /cookie_usage.php
# Feel free to add any other pages on your site that you don't want to be indexed by
# the search engines.
# PLEASE NOTE: Any pages that you list here should be secured by other means if you
# don't want people to be able to view them, as some malicious users will look at a
# robots.txt file to try to find "hidden" or "secret" areas of web sites to find
# confidential information.
# Just Uncomment a line or add new ones as you see fit.
# Disallow: /private
# Disallow: /hidden

# IF YOU DO NOT WISH TO HAVE THE GOOGLE IMAGE BOT SCAN YOUR DOMAIN FOR IMAGES
# THEN YOU CAN INCLUDE THE FOLLOWING IN YOUR ROBOTS FILE.
# I FOUND THAT MY BANDWIDTH USAGE DROPPED BY A MASSIVE AMOUNT AFTER I GOT RID
# OF THE GOOGLE IMAGE BOT. ALL I HAD WAS IMAGE HUNTERS STEALING PRODUCT SHOTS
# AND NOT EVEN BROWSING THE SITE.

#User-agent: Googlebot-Image
#Disallow: /


Firstly, you _have_ properly secured your admin area, yes?

 

If this has been compromised, and someone has uploaded scripts to your webspace, all bets are off.

 

Apart from that, there's no way anyone can use your contact_us page for sending spam. Your host seems a bit clueless.

 

I would carefully check your raw access logs for anything that looks suspicious, and also check your entire web space for any suspicious looking files.


Yes, I am and have been secured... which is why I don't understand how all this happened... Usually my host company is very good and they have helped me with a lot, but now it seems they act as if they have no clue how to help me. All I can say is thank all of you for your help.

Dia


There is a setting in the servers httpd.conf file which sets whether .htaccess files are invisible or not. They should be set to be invisible. You can check this by FTP'ing to your website. If you can see the .htaccess files then they're not set to be invisible, in which case it's just possible that someone penetrated them (password protection is controlled by these files).

 

If they are visible get back to your hosting company - they control the httpd.conf file!

 

Vger


The passwords themselves are actually stored encrypted in the .htpasswds directory, above web root, so allowing access to .htaccess files, while not desirable, is not such a big security risk.

Anything above your web root is usually fairly safe from unwanted access (as long as your scripts are secure).

 

You can easily prevent access to .htaccess files by adding this to a .htaccess file in your public_html directory:

<Files .htaccess>
order allow,deny
deny from all
</Files>


I went to my site through my FTP and I do see a file called .htaccess, and I can't open it because it states it can't find a valid editor for this file extension. I will also contact my host company again and post what you have written to have it set to invisible.

Thanks


Whilst Dawn is right about .htpasswd files, the .htaccess file does give the user name associated with the protection - and once a hacker has the user name they only need to run a password cracker and they're in.

 

It's a bad setup that allows .htaccess files to be visible.

 

Vger


Hello, I saw this topic here because the same thing happened to me: somebody else sent a lot of emails from my server. In the logs, the emails were this:

 

MIME-Version: 1.0

X-Mailer: osCommerce Mailer

 

so how do i fix this problem?

 

I'm waiting, thanks.... davi souza

Davi S Souza


This is how it was done.

 

The name field is not checked for newlines; this allows someone to inject more headers into the mail and turn your form into a spambot.

 

A quick test can be done by creating $name like so, with some of your own email addresses, before the tep_mail function in contact_us.php, and you will see mail can be sent to alternate addresses.

$name = '[email protected]
To: [email protected]
bcc: [email protected]
From: [email protected]
';

tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);

 

Here is a fix for the tep_mail() function in general.php.

  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
    if (SEND_EMAILS != 'true') return false;
    // Remove any newline and everything after it from the header fields of the mail,
    // so an injected "To:" / "Bcc:" line in the name or subject can never become a header.
    // $to_email_address and $from_email_address are checked with tep_validate_email().
    // The /s modifier lets .* run across further newlines; the character class is [\r\n]
    // only (a bare '|' inside [...] would match a literal pipe, not "or").
    $to_name = preg_replace('/[\r\n].*/s', '', $to_name);
    $email_subject = preg_replace('/[\r\n].*/s', '', $email_subject);
    $from_email_name = preg_replace('/[\r\n].*/s', '', $from_email_name);
    // ... the rest of the original tep_mail() body (message build and send) is unchanged.
  }

 

Here is more info.

 

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

 

http://securephp.damonkohler.com/index.php/Email_Injection
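To show the check the fix above performs in runnable form, here is an added Python example (not osCommerce code and not from the post): it flags CR/LF injection in the header-bound form fields, records which headers were smuggled in, and neutralises the value the same way the preg_replace does. The field names, function names and sample form are assumptions made for this example.

```python
import re

# Form fields that end up in mail headers; everything else goes in the body.
HEADER_FIELDS = ("to_name", "subject", "from_name")

# A mail header ends at the newline, so any CR/LF inside a header field is the
# signature of an injection attempt: text after it is parsed as further headers.
CRLF_RE = re.compile(r"[\r\n]")
INJECTED_HEADER_RE = re.compile(r"^\s*(to|cc|bcc|from|content-type)\s*:", re.I | re.M)

def find_header_injection(fields):
    """Return {field: [injected header names]} for fields that contain CR/LF."""
    findings = {}
    for key in HEADER_FIELDS:
        value = fields.get(key, "")
        if CRLF_RE.search(value):
            names = [m.group(1).lower() for m in INJECTED_HEADER_RE.finditer(value)]
            findings[key] = names
    return findings

def strip_header_injection(value):
    """Same effect as the fix's preg_replace: keep only the text before the first CR/LF."""
    return CRLF_RE.split(value, maxsplit=1)[0]

def build_headers(fields):
    """Assemble the header block the way a contact form would, after sanitising."""
    to_name = strip_header_injection(fields["to_name"])
    from_name = strip_header_injection(fields["from_name"])
    subject = strip_header_injection(fields["subject"])
    lines = [
        f'To: "{to_name}" <{fields["to_addr"]}>',
        f"Subject: {subject}",
        f'From: "{from_name}" <{fields["from_addr"]}>',
    ]
    return "\r\n".join(lines)

# Constructed sample input (not from the thread): the name field carries the
# same kind of injected To:/bcc:/From: lines the post above describes.
SAMPLE_FORM = {
    "to_name": "Store Owner",
    "to_addr": "owner@shop.example",
    "subject": "Enquiry from STORE",
    "from_name": "sender@example.net\nTo: a@example.org\nbcc: b@example.org\nFrom: x@example.org\n",
    "from_addr": "sender@example.net",
}
```

Logging the result of find_header_injection() for every submission gives you the evidence the asker's host could not produce: which field was abused and which headers were injected.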


The newsletter is an admin function, so you don't have to worry about it; the fix above and the XSS fix are for the catalog side.

 

You can find several XSS fixes here.

 

http://www.oscommerce.com/community/contributions,2976

 

I did it this way to fix all textareas.

// Output a form textarea field
 function tep_draw_textarea_field($name, $wrap, $width, $height, $text = '', $parameters = '', $reinsert_value = true) {
   $field = '<textarea name="' . tep_output_string($name) . '" wrap="' . tep_output_string($wrap) . '" cols="' . tep_output_string($width) . '" rows="' . tep_output_string($height) . '"';

   if (tep_not_null($parameters)) $field .= ' ' . $parameters;

   $field .= '>';

   if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
     $field .= tep_db_prepare_input(stripslashes($GLOBALS[$name]));
   } elseif (tep_not_null($text)) {
     $field .= $text;
   }

   $field .= '</textarea>';

   return $field;
 }
------------------------------

The change being this line.
     $field .= tep_db_prepare_input(stripslashes($GLOBALS[$name]));

And you should also set $enquiry = ''; at the beginning of contact_us.php so it can't be filled from the GET vars.


oh my GOD I just did it.

I copied the contact_us source code page to FrontPage and changed the name input field to a textarea. After opening it on my computer I filled the name section with my emails like so

******@gmail.com

To: ******@gmail.com; ******@gmail.com; ******@gmail.com

bcc: ******@gmail.com

From: ******@gmail.com

 

ALL different emails and I got each one sent from my domain because of the <form

 

 

X-Gmail-Received: 136b0d0b886510a820957a81c3b69309885a0347
Delivered-To: ****@gmail.com
Received: by 10.54.68.17 with SMTP id q17cs16313wra;
        Wed, 31 Aug 2005 21:14:46 -0700 (PDT)
Received: by 10.54.2.74 with SMTP id 74mr401640wrb;
        Wed, 31 Aug 2005 21:14:46 -0700 (PDT)
Return-Path: <nobody@***MYDOMAIN***.com>
Received: from ***MYDOMAIN***.com (***MYDOMAIN***.com [***MYDOMAIN IP ADDRESS***])
        by mx.gmail.com with ESMTP id 14si569326wrl.2005.08.31.21.14.45;
        Wed, 31 Aug 2005 21:14:46 -0700 (PDT)
Received-SPF: pass (gmail.com: best guess record for domain of nobody@***MYDOMAIN***.com designates ***MYDOMAIN IP ADDRESS*** as permitted sender)
Received: from nobody by ***MYDOMAIN***.com with local (Exim 4.43)
id 1EAgTE-0006B5-Jy; Thu, 01 Sep 2005 00:14:36 -0400
To: "Heidi" <storeadmin@***MYDOMAIN***.com>
Subject: Enquiry from STORE
From: "***@gmail.com
To: ***@gmail.com; ***@gmail; ***@gmail
From: ***@gmail.com" <*****@gmail.com>
MIME-Version: 1.0
X-Mailer: osCommerce Mailer
Content-Type: multipart/alternative;
boundary="=_8e4ce4003621b4d581ab8c2fb6b0986b"
Message-Id: <E1EAgTE-0006B5-Jy@***MYDOMAIN***.com>
Date: Thu, 01 Sep 2005 00:14:36 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ***MYDOMAIN***.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - ***MYDOMAIN***.com
X-Source: 
X-Source-Args: 
X-Source-Dir:

 

Nowhere in there can you tell it was sent from anywhere other than my domain. But it wasn't; it was sent from my computer. Need to add at the top of all those pages an HTTP Referer script and redirect to a not-authorized script.

Maybe one that will save the IP and other info of the jerk too.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )


Is this what you did?

 

http://demo.oscommerce.com/contact_us.php?email=******@gmail.com&enquiry=Spam...%3C/textarea%3EFull Name:%3Ctextarea name=name wrap=soft cols=50 rows=15%3E******@gmail.com%0ATo: ******@gmail.com%0Abcc: ******@gmail.com%0AFrom: ******@gmail.com%0A%3C/textarea%3E


I copied the source code (HTML) from the contact_us page in my browser and edited the HTML.

 

I replaced the whole name input field with

<textarea rows="5" name="name" cols="29"></textarea>

saved it as file.html opened it on my computer

and typed in the emails

click continue and takes me to my site with the thank you

 

or you can add them in html

<textarea rows="5" name="name" cols="29">****EMAILS HERE*****</textarea>

each email on a line


right click view source or view>source from browser copy the whole thing or just the form makes no difference. change <input type="text" name="name"> to above. save it. open it. fill it. send it.
