osCommerce

Email Was Spammed


awisdoms


Posted

OK, after getting tons of emails sent from [email protected] with added Cc & Bcc via contact_us.php, I edited the code as advised here in this thread.

catalog/includes/functions/general.php

// EDIT TO STOP SPAMMERS: original function header commented out
//  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
//    if (SEND_EMAILS != 'true') return false;

//##### ADDED FOLLOWING FROM DAVE USER9999999
  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
    if (SEND_EMAILS != 'true') return false;

    // Don't send any injection type mails.
    // (eregi() was removed in PHP 7; stripos($field, 'Content-Type:') !== false is the equivalent there.)
    if (eregi('Content-Type:', $to_name)) return false;
    if (eregi('Content-Type:', $email_subject)) return false;
    if (eregi('Content-Type:', $from_email_name)) return false;
    if (eregi('Content-Type:', $email_text)) return false;

    // Remove any newline and anything after it on the header fields of the mail.
    // $to_email_address and $from_email_address are checked with tep_validate_email().
    // Character class is [\r\n]; the posted [\n|\r] also matched a literal '|'.
    $to_name = preg_replace('/[\r\n].*/', '', $to_name);
    $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
    $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);
//###### END OF DAVES CODE TO STOP SPAMMERS

    // ... the rest of the original tep_mail() body, through its closing brace, is unchanged ...

 

This seemed to work fine; the spammer stopped.

But now i have a problem.

When someone makes an order, the email is not sent to the owner of the site (owner@their domain.com); I get a copy sent to me@my other separate domain.com.

 

Under store configuration you can set where order emails are sent, and you can add more than one email address to send them to.

 

It now appears that those order emails cannot be sent to the same domain name as the store.

 

Can anyone help with this problem?

 

Thanks, Gecko

this time it'll go :-)

Posted

Nothing there even looks at $to_email_address, so if the first one worked then the second one should work, and you must have some other problem.

 

  // order-confirmation mails sent from checkout_process.php
  tep_mail($order->customer['firstname'] . ' ' . $order->customer['lastname'], $order->customer['email_address'], EMAIL_TEXT_SUBJECT, $email_order, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

  if (SEND_EXTRA_ORDER_EMAILS_TO != '') {
    tep_mail('', SEND_EXTRA_ORDER_EMAILS_TO, EMAIL_TEXT_SUBJECT, $email_order, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
  }

  • 1 month later...
Posted

Yes, one of my sites is now also being used for spam. I've tried some of the contributions. I can't really tell if I stopped it or not, and the spammer is still at work. Until I can be sure I have the problem under control, I need to do something quick.

 

If I understand it correctly, disabling the contact_us page will not stop the spam - is that correct?

 

If so, what is the quickest way to disable all email, preventing spam at all costs even if it (temporarily) disables contact enquiries and possibly other osC email functions?

Posted

Alan, thanks for trying to help. But I am in a bind here and do not have time to start looking at general tables of contents. I said I already tried to fix it to no avail; I probably made a mistake in implementing the fixes and need more time to do it properly. In the meantime the spammer goes on...

 

Please give me a tip on how to temporarily and immediately DISABLE ALL EMAIL so that the spammer can be immediately stopped from using osC to SEND spam!!!

Posted

sila, use the code posted by me (gecko) at the top of the page; that should get you most of the way there.

 

That stopped my spammer dead

this time it'll go :-)

Posted

Assuming you're only getting the contact_us form hack then try renaming contact_us.php to summat else or download a copy to your pc then delete it from your catalog folder.

 

This gives errors whenever someone tries to click on the link from the front page but means that the spammer can't find it and use it.

 

This really is only a stopgap and you should do as Alan said as soon as you get time.

 

I've just finished patching my store; had to do a bit by hand because of mods and contributions, but so far so good (touch wood).

 

Good luck

Posted

Hi,

 

How do I install this contribution? I have followed the code required for general.php, but where shall I add this:

Then anywhere when you need to validate the text like in contact_us $name

 

add if(valid_str($name, '20')) // or whatever length you want

{ <<<ok to send mail and confirm>>>>>

} else {<<<send to "you messed up" page>>>}

*********************************

$validmask can be changed to any characters you want

 

Thanks

Posted
There's a new version of osC on the Downloads page with all the files and fixes you need.

I have had a bit of a spam problem, and my ISP have blocked my contact_us.php page.

 

Instead of having to do a full upgrade to the new version of osc, can I just upload the new versions of the general.php and email.php files?

Posted

My ISP pulled our site due to spamming; I had to pull teeth to get it back up without the contact page. Anyway, is there a fix to this problem? It sounds like others have encountered it. We have used the Contact_us choice contrib and also have the site skinned with graphics, so it would be difficult to upgrade to the latest version of osC; we are on 2.2ms2. So can anybody help me fix this problem so I can get our page up and running again?

Posted

Hi all, I am having the same problem. Here is the info from Lunarpages support that they are sending out to users. Does anyone know an easy way to fix this for someone who is NOT PHP literate?

 

"

The following security alert is for anyone who uses a form mail script on their web site. Form mail scripts are generally used to allow browsers to submit an email from your website. This may include feedback forms or contact forms. If you do not have any such feature on your site, you may disregard this notice.

 

Recently we have seen a lot of exploit (hacker) activity on PHP and CGI form mail scripts. The majority of exploited scripts are hand coded form mail scripts. The exploits will use the form mail to automatically send spam from the account. (An "exploit" is a term used for a piece of code written by a malicious person to abuse a customer's account. This is not a server vulnerability but an issue specific to the coding found in particular scripts.) The result of this is that we will receive spam warnings from AOL, Spamcop and other reporting agencies. If we receive too many complaints, our servers are at risk of being black listed which will affect email on all servers.

 

It is very important to check your scripts to ensure they are secure. At this time, the only form mail script we are recommending is the one found here: http://nms-cgi.sourceforge.net/scripts.shtml. If you are using a hand coded form mail script, it is highly recommended that you change to the NMS form mail script.

 

Regardless of which form mail script you use, it is very important you name it something random. Please DO NOT USE the following words when naming your form mail scripts: form, mail, contact or feedback. People exploiting these forms search for these commonly used words on search engines to more easily identify vulnerable scripts.

 

We are currently scanning all servers to find scripts using those names as well as replying to all spam complaints. If a script is found that was exploited or has the potential to be exploited, the script will be renamed. This may cause your script to stop functioning so it is imperative you change your naming as soon as possible.

 

We apologize for the inconvenience but it is necessary to take swift action in order to preserve the integrity of the servers so email is not disrupted for anyone. If you have any questions or concerns, please contact [email protected]. Please also see the following Lunarforums link: [here]

 

Thank you,

Lunarpages Support"

 

Thanks for any help you can provide.

Posted
We have used the Contact_us choice contrib and also have the site skinned with graphics so it would be difficult to upgrade to the latest version of OSC

 

I have looked at the new release, and the files that they have changed to do with the contact_us problems are:

 

/includes/functions/general.php

/includes/functions/html_output.php

/includes/classes/email.php

 

and...

 

admin/includes/functions/general.php

admin/includes/functions/html_output.php

admin/includes/classes/email.php

 

So you should just be able to upload those new versions of the files, and as they are just files that sort of run in the background, they won't actually change the look of your modified pages.

Posted

OK, I will try them out. I tried to hand-code those pages with the corrections from http://www.oscommerce.com/ext/update-20051113.html but had no luck; I got parse errors, so I will try the pre-coded pages from the update and see if they work.

 

Thanks

  • 2 months later...
Posted

For the longest time I have had my contact_us page disabled, as nothing would stop the spam, until the day came with the new Milestone 2 updates; yes, that was working great, no spam, until NOW... Yes people, I am getting spammed again even with all those updates, and yes, I have checked many, many times to make sure all was loaded and working properly. So now what to do? Does anyone else have any other suggestions?

Here is one of the many I get now...

 

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 16 Feb 2006 19:00:13 -0500
Received: from es by aquarius.addaction.net with local-bsmtp (Exim 4.52)
	id 1F9t2j-0001f6-L1
	for [email protected]; Thu, 16 Feb 2006 19:00:13 -0500
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
	aquarius.addaction.net
X-Spam-Level:
X-Spam-Status: No, score=0.3 required=5.0 tests=MAILTO_TO_SPAM_ADDR,NO_RELAYS
	autolearn=no version=3.1.0
Received: from es by aquarius.addaction.net with local (Exim 4.52)
	id 1F9t2j-0001dT-Gs
	for [email protected]; Thu, 16 Feb 2006 19:00:13 -0500
To: "A-W" <[email protected]>
Subject: Enquiry from A-W
From: "away multipart/mixed; boundary=8207c09e9e6eb7e90fb3276b311d8864 MIME-Version: 1.0 Subject: the room. va said ilhelm, and seized her hand, you bcc: [email protected] This is a multi-part message in MIME format. --8207c09e9e6eb7e90fb3276b311d8864 text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit without saying a word does not appertain to --8207c09e9e6eb7e90fb3276b311d8864-- ." <[email protected]>
MIME-Version: 1.0
X-Mailer: osCommerce Mailer
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>
Date: Thu, 16 Feb 2006 19:00:13 -0500

 

 

[email protected]

 

IP: 70.21.119.6

Posted

awisdoms, did you apply any changes?

My contact_us page was hacked in the same way last Saturday. The solution recommended by user99999999 seems to fix things.

Posted

Got the same spamming problem. As a quick measure, I deleted contact_us.php.

 

Still getting spam e-mails!!!

 

Log shows a lot of hits on the module, but it doesn't exist any more, so all attempts are getting 'page not found':

 

/thestore/contact_us.php?action=send&osCsid=b8a6ed104aa0983a3708196933c75dc9

Http Code: 404 Date: Feb 24 14:41:41 Http Version: HTTP/1.1 Size in Bytes: -

 

It doesn't look like any other modules are being exploited, so how is this happening?

Posted

You could rename contact_us.php to something else. It is the program name they are looking for, from what I have read.

  • 9 months later...
Posted
This is how it was done.

 

The name field is not checked for newlines; this allows someone to inject more headers into the mail and turn your form into a spambot.

 

A quick test can be done by creating $name like so, with some of your own email addresses, before the tep_mail call in contact_us.php, and you will see that mail can be sent to alternate addresses.

$name = '[email protected]
To: [email protected]
bcc: [email protected]
From: [email protected]
';

tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);

 

 

Here is a fix for tep_mail() function in general.php.

 

  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
    if (SEND_EMAILS != 'true') return false;
    // Remove any newline and anything after it on the header fields of the mail.
    // $to_email_address and $from_email_address are checked with tep_validate_email().
    // Character class is [\r\n]; the posted [\n|\r] also matched a literal '|'.
    $to_name = preg_replace('/[\r\n].*/', '', $to_name);
    $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
    // The parameter is $from_email_name; the post wrote $from_name, which would have left the From name unsanitised.
    $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);
    // ... the rest of the original tep_mail() body, through its closing brace, is unchanged ...

 

Here is more info.

 

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

 

http://securephp.damonkohler.com/index.php/Email_Injection

 

Posted

Hi Dave, or others if Dave is not here,

 

I have the same spam problem. But I have the snapshot of February 2003, and it does NOT have the preg_replace function. Would it also work for my snapshot? And could someone then offer me this function? That would be great.

 

Thanks.

 

Albert
