awisdoms Posted July 30, 2005
Hi,

Well, the last few days have been awful, as I have been working with my host to figure out what was going on with my email account. This is what they found out for me:

> On closer examination of the logs it was found that spam mails were being sent from your file contact_us.php with your email address. This might be due to a flaw in the contact_us.php file through which your email address might have been compromised. It was also found that this email address was banned by AOL for spamming. We have blocked the contact_us.php script in your domain and hence it will prevent further spoofing of your email id. Please contact your web designer to code the contact_us.php file better and protect it against being compromised.

Can someone please help me to do this...

Thanks
Dia
Schmoe Posted July 30, 2005
Are they sure it came from the osCommerce contact_us.php? I can't imagine HOW someone could use contact_us.php to send spam. The email address that mail is sent to is pulled straight from the database via PHP. The file should already be secure.

Open your contact_us.php file in a text editor. Does line 24 look like this?

    tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);

Or has it been altered?
awisdoms (Author) Posted July 30, 2005
Yes it does... I don't know what to do, as everything was working fine till a few days ago...

    tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);
user99999999 Posted July 30, 2005
I doubt it came from the contact us page unless it's been changed, but there are some XSS fixes. http://www.oscommerce.com/community/contributions,2976
awisdoms (Author) Posted July 30, 2005
Well, my hosting company took a few days to come up with that answer... and has now somehow closed off my contact us page. I don't know how it happened, and they could be wrong, which is why I came here hoping to find some answers. Is there a secure way of stopping this from happening again? And thanks for all the help... and I will try that contribution.

Dia
awisdoms (Author) Posted July 30, 2005
Well, I tried that and it did not work. I went back to my hosting company and asked if they could help me again, and they said once again that it has to do with the scripting of my contact_us.php file... I don't know how, as I went over everything and it seems fine... I have been up all night searching for answers in this forum and it seems no one has been spammed or had the problem I do. Does anyone have any ideas for me to stop this from happening?

Thanks,
Dia
WiseWombat Posted July 30, 2005
> Well, I tried that and it did not work. I went back to my hosting company and asked if they could help me again, and they said once again that it has to do with the scripting of my contact_us.php file... I don't know how, as I went over everything and it seems fine... I have been up all night searching for answers in this forum and it seems no one has been spammed or had the problem I do. Does anyone have any ideas for me to stop this from happening?

Ask your webhost to also install and add this to their robots text file, if they have one. Your site could be hacked through search engine cache if you haven't installed the contact_us fix:

    Disallow: catalog/contact_us.php

( WARNING ) I think I know what I'm talking about. BACK UP BACK UP BACK UP BACK UP
♥Vger Posted July 30, 2005
> It was also found that this email address was banned by the aol for spamming

AOL routinely bans entirely innocent e-mail addresses, because they make no check to see if headers have been forged on spam mail. I get God knows how many MAILER_DAEMON 'Returned Mail' messages from AOL - for e-mail addresses that don't even exist on the domain in question.

> On closer examination of the logs it was found that spam mails were being sent from your file contact_us.php with your email address

Get your web hosting company to verify to you (send a sample of the logs to you) that the spam was actually passing through your mail service. My guess is that it wasn't.

Vger
awisdoms (Author) Posted July 30, 2005
> Your site could be hacked through search engine cache if you haven't installed the contact_us fix
> Disallow: catalog/contact_us.php

What do you mean, disallow? And my hosting company sent me another email and told me to upload a new version of the contact_us.php file from OS. So I will try that.
WiseWombat Posted July 30, 2005
> What do you mean, disallow? And my hosting company sent me another email and told me to upload a new version of the contact_us.php file from OS. So I will try that.

Without a robots text file, spiders will index all your files, including the ones you don't want indexed: login, accounts, create_account, password_forgotten, checkout_shipping, login.php. Then these pages will be publicly displayed on the net for anyone to enter.

This is a sample robots text file:

    # Sample robots.txt file (make sure the filename is ALL LOWERCASE on Linux/Unix systems)
    # This file should go in your web site's ROOT directory
    # The root directory is where your site's main /index.html file would be found
    # It is usually found in /yourhomedir/public_html/ or /yourhomedir/httpdocs
    # Where "yourhomedir" is your user account's name
    #
    # We invite you to also check out our popular contribution: Simple Template System (STS)
    # It lets you layout or change your OSC look-and-feel by modifying a single HTML file
    # http://www.oscommerce.com/community/contributions,1524 or SimpleTemplateSystem.com
    # Enjoy! - Brian Gallagher @ DiamondSea.com

    # This says to apply these settings to ALL search engine spiders/crawlers
    User-agent: *

    # These settings will keep spiders from indexing your unwanted pages
    # This assumes that your OSC install is in your web site's ROOT directory
    # ie: http://www.yoursite.com/index.php <- Use if this brings up your OSC main page
    Disallow: /admin
    Disallow: /account.php
    Disallow: /advanced_search.php
    Disallow: /checkout_shipping.php
    Disallow: /create_account.php
    Disallow: /login.php
    Disallow: /password_forgotten.php
    Disallow: /popup_image.php
    Disallow: /shopping_cart.php
    Disallow: /product_reviews_write.php
    Disallow: /cookie_usage.php

    # Feel free to add any other pages on your site that you don't want to be indexed by
    # the search engines.
    # PLEASE NOTE: Any pages that you list here should be secured by other means if you
    # don't want people to be able to view them, as some malicious users will look at a
    # robots.txt file to try to find "hidden" or "secret" areas of web sites to find
    # confidential information.
    # Just uncomment a line or add new ones as you see fit.
    # Disallow: /private
    # Disallow: /hidden

    # IF YOU DO NOT WISH TO HAVE THE GOOGLE IMAGE BOT SCAN YOUR DOMAIN FOR IMAGES
    # THEN YOU CAN INCLUDE THE FOLLOWING IN YOUR ROBOTS FILE.
    # I FOUND THAT MY BANDWIDTH USAGE DROPPED BY A MASSIVE AMOUNT AFTER I GOT RID
    # OF THE GOOGLE IMAGE BOT. ALL I HAD WAS IMAGE HUNTERS STEALING PRODUCT SHOTS
    # AND NOT EVEN BROWSING THE SITE.
    #User-agent: Googlebot-Image
    #Disallow: /

( WARNING ) I think I know what I'm talking about. BACK UP BACK UP BACK UP BACK UP
FalseDawn Posted July 30, 2005
Firstly, you _have_ properly secured your admin area, yes? If this has been compromised, and someone has uploaded scripts to your webspace, all bets are off.

Apart from that, there's no way anyone can use your contact_us page for sending spam. Your host seems a bit clueless. I would carefully check your raw access logs for anything that looks suspicious, and also check your entire web space for any suspicious-looking files.
awisdoms (Author) Posted July 30, 2005
Yes, I am and have been secured... which is why I don't understand how all this happened. Usually my host company is very good and they have helped me with a lot, but now it seems they act as if they have no clue how to help me. All I can say is thank all of you for your help.

Dia
♥Vger Posted July 30, 2005
There is a setting in the server's httpd.conf file which sets whether .htaccess files are invisible or not. They should be set to be invisible. You can check this by FTP'ing to your website. If you can see the .htaccess files then they're not set to be invisible, in which case it's just possible that someone penetrated them (password protection is controlled by these files). If they are visible, get back to your hosting company - they control the httpd.conf file!

Vger
FalseDawn Posted July 30, 2005
The passwords themselves are actually stored encrypted in the .htpasswds directory, above web root, so allowing access to .htaccess files, while not desirable, is not such a big security risk. Anything above your web root is usually fairly safe from unwanted access (as long as your scripts are secure).

You can easily prevent access to .htaccess files by adding this to a .htaccess file in your public_html directory:

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
awisdoms (Author) Posted July 30, 2005
I went to my site through my FTP and I do see a file called .htaccess, and I can't open it because it states it can't find a valid editor for this file extension. I will also contact my host company again and post what you have written to have it set to invisible.

Thanks
♥Vger Posted July 30, 2005
Whilst Dawn is right about .htpasswd files, the .htaccess file does give the user name associated with the protection - and once a hacker has the user name they only need to run a password cracker and they're in. It's a bad setup that allows .htaccess files to be visible.

Vger
souzadavi Posted August 2, 2005
Hello, I saw this topic here because the same thing happened to me: somebody else sent a lot of emails from my server. In the logs, the emails looked like this:

    MIME-Version: 1.0
    X-Mailer: osCommerce Mailer

So how do I fix this problem? I'm waiting. Thanks....

davi souza
Davi S Souza
Guest Posted August 2, 2005
Tried the robots text file amendment suggestions? There's some good info in the above posts; did you read through them all?
user99999999 Posted August 31, 2005
This is how it was done. The name field is not checked for newlines; this allows someone to inject more headers into the mail and turn your form into a spambot. A quick test can be done by creating $name like so, with some of your own email addresses, before the tep_mail function in contact_us.php, and you will see mail can be sent to alternate addresses.

    $name = '[email protected]
    To: [email protected]
    bcc: [email protected]
    From: [email protected]
    ';
    tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);

Here is a fix for the tep_mail() function in general.php.

    function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

      // Remove any newline and anything after it on the header fields of the mail.
      // $to_email_address and $from_email_address are checked with tep_validate_email().
      // The class is [\r\n] (a '|' inside [...] would be a literal pipe, not an alternation).
      $to_name = preg_replace('/[\r\n].*/', '', $to_name);
      $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
      // The parameter is $from_email_name; the original posting sanitised $from_name, which does not exist here.
      $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);

      // ... the remainder of the original tep_mail() body follows unchanged

Here is more info.
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
http://securephp.damonkohler.com/index.php/Email_Injection
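A defender-side version of the fix in this post, added here as an example and not osCommerce's own code: the sanitiser is split into small functions, a detection hook logs the attempt, and the From: line is built in the "name" <address> form seen in the captured headers later in the thread. The function names are assumptions, and PHP's filter_var() stands in for tep_validate_email(), which the post mentions but does not show.

```php
<?php
// Added example, not osCommerce's own code: the header-injection fix from the post above,
// generalised into small functions a site owner can drop into a contact form. Function
// names are hypothetical; filter_var() stands in for osCommerce's tep_validate_email().

/** True when a value meant for a single header line contains a CR or LF. */
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/** Keep only the first line of a header value: a CR or LF and everything after it is dropped.
 *  [\r\n] rather than [\n|\r], so a literal '|' in a name survives; /s lets .* span lines. */
function sanitize_header_field(string $value): string
{
    return preg_replace('/[\r\n].*/s', '', $value);
}

/** Conservative address check: syntactically valid, no whitespace, no control characters. */
function is_safe_email(string $addr): bool
{
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('/[\s\x00-\x1f\x7f]/', $addr) === 0;
}

/** Build a From: line in the "name" <address> form, or null when the address is
 *  unusable, so the caller refuses to send at all instead of forwarding junk. */
function build_from_header(string $name, string $addr): ?string
{
    if (!is_safe_email($addr)) {
        return null;
    }
    $name = sanitize_header_field($name);
    $name = '"' . addcslashes($name, "\"\\") . '"';   // quote, escape embedded " and \
    return 'From: ' . $name . ' <' . $addr . '>';
}

// Constructed input of the kind described in this thread; addresses are placeholders.
$name  = "sender@example.invalid\nTo: someone@example.invalid\nbcc: other@example.invalid\n";
$email = 'sender@example.invalid';

if (has_header_injection($name)) {
    // Record the attempt with the client address so it can be matched against the access logs.
    error_log('contact_us: header injection attempt from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
}

// Only the first line of $name survives, so the injected To:/bcc: lines never reach the mailer.
$header = build_from_header($name, $email);
echo $header === null ? "refused\n" : $header . "\n";
```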
Guest Posted August 31, 2005
Hi Dave, I was thinking filtering the subject part would have problems if you send HTML newsletters to customers. And I did use the osCommerce bug fix. http://www.oscommerce.com/community/bugs,2434 So the tep_draw_textarea_field strips the tags; do you see another way the subject part may pose this threat?
user99999999 Posted September 1, 2005
The newsletter is an admin function, so you don't have to worry about it; the fix above and the XSS fix are for the catalog side. You can find several XSS fixes here. http://www.oscommerce.com/community/contributions,2976

I did it this way to fix all textareas.

    // Output a form textarea field
    function tep_draw_textarea_field($name, $wrap, $width, $height, $text = '', $parameters = '', $reinsert_value = true) {
      $field = '<textarea name="' . tep_output_string($name) . '" wrap="' . tep_output_string($wrap) . '" cols="' . tep_output_string($width) . '" rows="' . tep_output_string($height) . '"';

      if (tep_not_null($parameters)) $field .= ' ' . $parameters;

      $field .= '>';

      if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
        // Re-inserted user input is passed through tep_db_prepare_input() instead of being echoed raw.
        $field .= tep_db_prepare_input(stripslashes($GLOBALS[$name]));
      } elseif (tep_not_null($text)) {
        $field .= $text;
      }

      $field .= '</textarea>';

      return $field;
    }

The change being this line:

    $field .= tep_db_prepare_input(stripslashes($GLOBALS[$name]));

And you should also set $enquiry = ''; at the beginning of contact_us.php so it can't be filled from the GET vars.
crashwave Posted September 1, 2005
Oh my GOD, I just did it. I copied the contact_us source code page to FrontPage and changed the name input field to a textarea. After opening it on my computer I filled the name section with my emails like so:

    ******@gmail.com
    To: ******@gmail.com; ******@gmail.com; ******@gmail.com
    bcc: ******@gmail.com
    From: ******@gmail.com

ALL different emails, and I got each one sent from my domain because of the <form:

    X-Gmail-Received: 136b0d0b886510a820957a81c3b69309885a0347
    Delivered-To: ****@gmail.com
    Received: by 10.54.68.17 with SMTP id q17cs16313wra;
            Wed, 31 Aug 2005 21:14:46 -0700 (PDT)
    Received: by 10.54.2.74 with SMTP id 74mr401640wrb;
            Wed, 31 Aug 2005 21:14:46 -0700 (PDT)
    Return-Path: <nobody@***MYDOMAIN***.com>
    Received: from ***MYDOMAIN***.com (***MYDOMAIN***.com [***MYDOMAIN IP ADDRESS***])
            by mx.gmail.com with ESMTP id 14si569326wrl.2005.08.31.21.14.45;
            Wed, 31 Aug 2005 21:14:46 -0700 (PDT)
    Received-SPF: pass (gmail.com: best guess record for domain of nobody@***MYDOMAIN***.com designates ***MYDOMAIN IP ADDRESS*** as permitted sender)
    Received: from nobody by ***MYDOMAIN***.com with local (Exim 4.43) id 1EAgTE-0006B5-Jy; Thu, 01 Sep 2005 00:14:36 -0400
    To: "Heidi" <storeadmin@***MYDOMAIN***.com>
    Subject: Enquiry from STORE
    From: "***@gmail.com To: ***@gmail.com; ***@gmail; ***@gmail From: ***@gmail.com" <*****@gmail.com>
    MIME-Version: 1.0
    X-Mailer: osCommerce Mailer
    Content-Type: multipart/alternative; boundary="=_8e4ce4003621b4d581ab8c2fb6b0986b"
    Message-Id: <E1EAgTE-0006B5-Jy@***MYDOMAIN***.com>
    Date: Thu, 01 Sep 2005 00:14:36 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - ***MYDOMAIN***.com
    X-AntiAbuse: Original Domain - gmail.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - ***MYDOMAIN***.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:

Nowhere in there can you tell it was sent from anywhere else other than my domain. But it wasn't; it was sent from my computer. Need to add at the top of all those pages an HTTP Referer script and redirect to a not-authorized script. Maybe one that will save the IP and other info of the jerk too.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
user99999999 Posted September 1, 2005
Is this what you did?

    http://demo.oscommerce.com/contact_us.php?email=******@gmail.com&enquiry=Spam...%3C/textarea%3EFull Name:%3Ctextarea name=name wrap=soft cols=50 rows=15%3E******@gmail.com%0ATo: ******@gmail.com%0Abcc: ******@gmail.com%0AFrom: ******@gmail.com%0A%3C/textarea%3E
crashwave Posted September 1, 2005
I copied the source code (HTML) from the contact_us page in my browser and edited the HTML. I replaced the whole name input field with

    <textarea rows="5" name="name" cols="29"></textarea>

saved it as file.html, opened it on my computer and typed in the emails, clicked continue, and it takes me to my site with the thank you. Or you can add them in the HTML:

    <textarea rows="5" name="name" cols="29">****EMAILS HERE*****</textarea>

each email on a line.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
crashwave Posted September 1, 2005
Right click > view source, or View > Source from the browser. Copy the whole thing or just the form; makes no difference. Change <input type="text" name="name"> to the above. Save it. Open it. Fill it. Send it.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
Archived
This topic is now archived and is closed to further replies.