
osCommerce

The e-commerce.

WANTED CONTRIBUTION! Site is hacked!


Zuncan

Recommended Posts

Hi!

 

Saw this morning that someone is using my site to send spam emails. I also noticed that I'm not alone. But it seems like there are many different solutions to fix this. Can someone please tell me how to fix this the proper way? Maybe a proper contribution for this issue?

 

The spammail I got looks like this:

 

[email protected]

Content-Type: multipart/mixed; boundary="===============0302808415=="

MIME-Version: 1.0

Subject: fc78ab94

To: [email protected]

bcc: [email protected]

From: [email protected]

 

This is a multi-part message in MIME format.

 

--===============0302808415==

Content-Type: text/plain; charset="us-ascii"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

 

egbmzocuww

--===============0302808415==--

So what?! Who care in a hundred years anyway?


I don't know actually. My admin is password- and SSL-protected. I guess there is some kind of harvesting hacker program in action here, since there are more than me who have exactly the same problem.

 

bcc: [email protected] has been seen from others with an osC site as well

So what?! Who care in a hundred years anyway?


They are maybe using some kind of way to send mails from my domain, but not straight from my site. I'm a kind of noobie with PHP and so on, so a proper contribution for this issue would be more than appreciated.

So what?! Who care in a hundred years anyway?


Yeah, that seems to be what I'm after, but as I said, I don't really know what it means.

 

"adding strip_tags in front of the stripslashes on line 222, and also adding strip_tags to line 224 just for the heck of it, the problem is solved"

 

What is strip_tags?

What is stripslashes?

 

Not so good with English, you see.

So what?! Who care in a hundred years anyway?


Are you sure the emails are actually coming from your site? Do you have a way of tracking it? Lots of people out there know how to send emails that look like they are coming from someone else. Heck, one day I even got spam mail coming from my own personal email address. All they need to know is a domain name really. Guesswork does the rest.

Wendy James

 

Creativity is allowing yourself to make mistakes. Art is knowing which ones to keep.


Are you sure the emails are actually coming from your site? Do you have a way of tracking it? Lots of people out there know how to send emails that look like they are coming from someone else. Heck, one day I even got spam mail coming from my own personal email address. All they need to know is a domain name really. Guesswork does the rest.

 

They are sent by the contact_us page - check this topic: http://www.oscommerce.com/forums/index.php?showtopic=167860

 

Kind regards

Tom

Even in this dark place, yes, I am afraid of my own shadow.

 

 

 

Contributions | KnowledgeBase | osCommerce 2.2 pdf


At some point on the Contact Us page, in one of the fields, the person attempting to abuse the Contact Us page will insert code into the fields which are intended to be used for the sender's email address.

 

Instead they are inserting the code for new lines into those fields, where they can insert more recipients (the people they are spamming).

 

The problem seems to be that osCommerce doesn't (as far as I know) check that those fields don't have any malicious code in them before it unwittingly sends out the spam emails, which in turn look like they have come from the victim's domain.


It would be great with a contribution that contains all the needed updates to secure osC 2.2. A contribution that tells what code to replace with what and so on. It seems like a needed thing, since there seem to be 30 different suggestions on how to protect myself from spam.

So what?! Who care in a hundred years anyway?


I regularly get e-mails which are spam - allegedly sent by either bogus e-mail addresses on domains I manage, or else from real e-mail addresses on domains I manage. Not one of them actually is routed through any of those domains.

 

When you get the e-mail you need to right-click, select Options, and view the Header File (Message Source Code), and in particular the IP addresses listed there. More likely than not your e-mail addresses are being spoofed, and this is made worse by stupid automated MAILER_DAEMONS set up by system administrators returning mail to addresses which never sent the mail in the first place, or which do not even exist.

 

So, before everyone here gets their knickers in a twist it would be a wise move to know how to read Full Headers from e-mails and to use the various registrars to track down IP addresses to their source.

 

Vger

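The header check Vger describes, as an added example written for this thread (it is not code from the post or from osCommerce): a short PHP script that pulls the Received: chain and the X-Mailer line out of a raw message, so the question "did this really pass through my site?" is answered from what the relays observed rather than from the From: line. The sample message is constructed for the example, using documentation IP ranges and example.com names; the function names are this example's own.

```php
<?php
// Added example, not code from this thread or from osCommerce: read the
// Received: chain and the X-Mailer header out of a raw message, which is the
// "full headers" check Vger recommends. The sample message is constructed
// (documentation IP ranges and example.com names).

function parse_headers(string $raw): array {
    // Headers end at the first blank line; continuation lines (leading
    // whitespace) are folded back onto the header they belong to.
    $parts = preg_split("/\r?\n\r?\n/", $raw, 2);
    $head = preg_replace("/\r?\n[ \t]+/", ' ', $parts[0]);
    $headers = array();
    foreach (preg_split("/\r?\n/", $head) as $line) {
        if (preg_match('/^([\w-]+):\s*(.*)$/', $line, $m)) {
            $headers[strtolower($m[1])][] = $m[2];
        }
    }
    return $headers;
}

function received_chain(array $headers): array {
    // Each relay prepends its own Received: line, so the first one listed is the
    // hop nearest to you and the last is where the message entered the mail
    // system. The bracketed IP is what the receiving server observed; the
    // "from" hostname is only what the sending host claimed.
    $hops = array();
    $received = isset($headers['received']) ? $headers['received'] : array();
    foreach ($received as $r) {
        preg_match('/from\s+(\S+)/i', $r, $claimed);
        preg_match('/\[(\d{1,3}(?:\.\d{1,3}){3})\]/', $r, $ip);
        preg_match('/\bby\s+(\S+)/i', $r, $by);
        $hops[] = array(
            'claimed_from' => isset($claimed[1]) ? $claimed[1] : '?',
            'observed_ip'  => isset($ip[1]) ? $ip[1] : '?',
            'received_by'  => isset($by[1]) ? $by[1] : '?',
        );
    }
    return $hops;
}

// Constructed sample: two relay hops, then the headers seen in the thread.
$sample = "Received: from mx.example.com (mx.example.com [192.0.2.10])\r\n"
        . "\tby mail.example.net with ESMTP; Tue, 1 Mar 2005 10:00:00 +0000\r\n"
        . "Received: from shop.example.com (unknown [198.51.100.7])\r\n"
        . "\tby mx.example.com with SMTP; Tue, 1 Mar 2005 09:59:58 +0000\r\n"
        . "From: \"Shop\" <shop@example.com>\r\n"
        . "To: <owner@example.com>\r\n"
        . "X-Mailer: osCommerce Mailer\r\n"
        . "Subject: eab2c571\r\n"
        . "\r\n"
        . "hubknpdod\r\n";

$h = parse_headers($sample);
foreach (received_chain($h) as $i => $hop) {
    printf("hop %d: claims %s, observed [%s], accepted by %s\n",
        $i, $hop['claimed_from'], $hop['observed_ip'], $hop['received_by']);
}
// The "X-Mailer: osCommerce Mailer" line appears in the samples in this thread
// when the shop's own mailer built the message; mail forged elsewhere need not carry it.
printf("X-Mailer: %s\n", isset($h['x-mailer'][0]) ? $h['x-mailer'][0] : '(none)');
// Compare the last hop's observed IP with your web server's address: if they do
// not match, the mail never passed through your site and the fix lies elsewhere.
```

Run it against the full source of one of the suspicious messages (paste the raw text into `$sample`): the hop whose observed IP is your web server is the one that matters, and a chain that never touches your server means an address was spoofed, as Vger says, rather than the contact form abused.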

Hi,

 

I have applied 2 of the fixes suggested in this thread and this morning I received yet another pair of mysterious e-mails, coming from my site. I had fixed both the contact_us.php and html_output.php pages. Here is what I got this morning. Any further advice?

 

[email protected]

Content-Type: multipart/mixed; boundary="===============0026077618=="

MIME-Version: 1.0

Subject: eab2c571

To: [email protected]

bcc: [email protected]

From: [email protected]

 

This is a multi-part message in MIME format.

 

--===============0026077618==

Content-Type: text/plain; charset="us-ascii"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

 

hubknpdod

--===============0026077618==--

 

and...

 

lroqhymmuv

--===============2058851822==--" <[email protected]>

To: <[email protected]>

MIME-Version: 1.0

X-Mailer: osCommerce Mailer

Content-Type: multipart/alternative;

boundary="=_2074c080490b80c3f2aec8b2bfb63e2b"

 

 

--=_2074c080490b80c3f2aec8b2bfb63e2b

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

 

[email protected]

--=_2074c080490b80c3f2aec8b2bfb63e2b

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

 

[email protected]

--=_2074c080490b80c3f2aec8b2bfb63e2b--


I had it too after the fixes - but the fact all that info is in your email (instead of in the header) points out it succeeded.

 

If my guesses are right - I would say - there are programs out there scanning sites for this error... they just keep trying (that's why I get IPs on my 'visitor stats contrib in admin' with only one click, directly to the contact_us.php page) and send a bcc to the hacker's 'fake' email (a free one set up at AOL); then he/she knows your site has a bug.

As long as all ends up in the body - there's no 'real' problem.. besides you getting spammed by automated programs trying...

 

Only thing to prevent this is using a visual verify code contribution... (search in contribs.)

 

 

Kind Regards,

tom

Even in this dark place, yes, I am afraid of my own shadow.

 

 

 

Contributions | KnowledgeBase | osCommerce 2.2 pdf

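The traffic pattern Tom mentions (an IP whose only "click" is straight at contact_us.php) can be picked out of an ordinary web-server access log. The script below is an added example for this thread, not code from the post or from any osCommerce contribution; the log lines are constructed (Apache "combined" format, documentation IP ranges), and the function names are this example's own. It flags clients that POST to contact_us.php without ever having loaded a page, or without a referer on any of their POSTs.

```php
<?php
// Added example, not from the thread: scan a web-server access log for the
// pattern Tom describes, a client whose only traffic is a POST straight at
// contact_us.php with no page view before it. The log lines are constructed
// for this example (Apache "combined" format, documentation IP ranges).

function parse_log_line($line) {
    // ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) return null;
    return array(
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
        'path' => parse_url($m[4], PHP_URL_PATH), 'status' => (int)$m[5],
        'referer' => $m[6], 'ua' => $m[7],
    );
}

function suspicious_contact_posts(array $lines) {
    $by_ip = array();
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r !== null) $by_ip[$r['ip']][] = $r;
    }
    $flagged = array();
    foreach ($by_ip as $ip => $reqs) {
        $posts = 0; $gets = 0; $blind = 0;
        foreach ($reqs as $r) {
            if ($r['method'] === 'GET') $gets++;
            if ($r['method'] === 'POST' && basename($r['path']) === 'contact_us.php') {
                $posts++;
                if ($r['referer'] === '-') $blind++;  // no referer: form never loaded in a browser
            }
        }
        if ($posts === 0) continue;
        // A person loads the form (GET) and submits it with a referer pointing
        // back at the shop; a bot skips both and often fires several POSTs in a row.
        if ($gets === 0 || $blind === $posts) {
            $flagged[$ip] = array('posts' => $posts, 'gets' => $gets, 'blind' => $blind);
        }
    }
    return $flagged;
}

// Constructed log: one visitor who loads the form and sends it, and one client
// that fires three blind POSTs (the "three posts" pattern described later in the thread).
$log = array(
    '192.0.2.1 - - [01/Mar/2005:10:00:00 +0000] "GET /catalog/contact_us.php HTTP/1.1" 200 4120 "http://shop.example.com/catalog/" "Mozilla/4.0"',
    '192.0.2.1 - - [01/Mar/2005:10:01:30 +0000] "POST /catalog/contact_us.php?action=send HTTP/1.1" 302 0 "http://shop.example.com/catalog/contact_us.php" "Mozilla/4.0"',
    '198.51.100.9 - - [01/Mar/2005:10:02:00 +0000] "POST /catalog/contact_us.php?action=send HTTP/1.1" 302 0 "-" "Python-urllib/2.4"',
    '198.51.100.9 - - [01/Mar/2005:10:02:01 +0000] "POST /catalog/contact_us.php?action=send HTTP/1.1" 302 0 "-" "Python-urllib/2.4"',
    '198.51.100.9 - - [01/Mar/2005:10:02:02 +0000] "POST /catalog/contact_us.php?action=send HTTP/1.1" 302 0 "-" "Python-urllib/2.4"',
);

foreach (suspicious_contact_posts($log) as $ip => $info) {
    printf("%s: %d POST(s) to contact_us.php, %d page view(s) first, %d without referer -> likely automated\n",
        $ip, $info['posts'], $info['gets'], $info['blind']);
}
```

Point it at your real log with `file('/path/to/access_log', FILE_IGNORE_NEW_LINES)` in place of `$log`. The referer check alone is weak (privacy tools strip referers), so the GET-before-POST test is the one to rely on; either way the output is a list of source addresses to rate-limit or to cross-check against the times of the spam mails.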

These bots are posting every field on any form not just the name field and not just OSC. The contact_us will get three posts trying the injection code in all three fields.

 

$name <- injection possible

$email_address <- invalid email address

$enquiry <- raw injection code to site admin

 

Mail like this is the injection:

 

[email protected]
Content-Type: multipart/mixed; boundary="===============0026077618=="
MIME-Version: 1.0
Subject: eab2c571
To: [email protected]
bcc: [email protected]
From: [email protected]

This is a multi-part message in MIME format.

--===============0026077618==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

hubknpdod
--===============0026077618==--

 

If you also receive a mail in your catch all account [email protected]

then you need to fix it because these below were injected and sent.

 

To: [email protected]

bcc: [email protected]

 

The successful mail looks like this; the MIME headers were broken, but it did send the mail.

 

lroqhymmuv  <--- junk here on top instead of in the content
--===============2058851822==--" <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
X-Mailer: osCommerce Mailer
Content-Type: multipart/alternative;
boundary="=_2074c080490b80c3f2aec8b2bfb63e2b"


--=_2074c080490b80c3f2aec8b2bfb63e2b
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

[email protected]
--=_2074c080490b80c3f2aec8b2bfb63e2b
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

[email protected]
--=_2074c080490b80c3f2aec8b2bfb63e2b--

 

contact_us.php and tell_a_friend.php are the most vulnerable, but all mail sending (new accounts, orders, etc.) could be attacked.

 

A method to fix it. This fix doesn't send any mail with 'Content-Type:' in any field, and it also removes newlines from the three header fields that can be supplied by the user.

 

catalog/includes/functions/general.php

 

  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
    if (SEND_EMAILS != 'true') return false;

    // Don't send any injection type mails.
    // stripos() replaces eregi(), which was removed in PHP 7; the check stays case-insensitive.
    if (stripos($to_name, 'Content-Type:') !== false) return false;
    if (stripos($email_subject, 'Content-Type:') !== false) return false;
    if (stripos($from_email_name, 'Content-Type:') !== false) return false;
    if (stripos($email_text, 'Content-Type:') !== false) return false;

    // Remove any newline and anything after it on the header fields of the mail.
    // $to_email_address and $from_email_address are checked with tep_validate_email().
    // Character class is [\r\n] (the original '[\n|\r]' also matched a literal '|'); /s lets .* span lines.
    $to_name = preg_replace('/[\r\n].*/s', '', $to_name);
    $email_subject = preg_replace('/[\r\n].*/s', '', $email_subject);
    $from_email_name = preg_replace('/[\r\n].*/s', '', $from_email_name);
    // ... the rest of the original tep_mail() body follows unchanged

 

Some of the bots doing it.

 

[email protected] 30,500

 

[email protected] 19,400

 

[email protected] 7,560

 

[email protected] 264

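The mechanism explained earlier in the thread (a line break in a header-bound field lets extra recipients or a whole MIME structure be appended) and Dave's tep_mail() patch above both come down to one rule: user input that ends up in a mail header must never contain a line break, and the message body must not carry its own MIME headers. The code below is an added example for this thread, not code from the post or from osCommerce: it generalises the patch into a contact-form guard that rejects the submission instead of silently truncating it, validates the addresses with filter_var(), and applies the Content-Type check to the body only. Function and field names are this example's own, the store values are placeholders, and the three submissions at the bottom are constructed (one legitimate, two shaped like the samples in this thread). Requires PHP 7 or later.

```php
<?php
// Added example, not code from the thread or from osCommerce: an explicit
// version of the checks Dave's tep_mail() patch applies, written as a guard
// for the contact form's three user-supplied fields.

function clean_header_field(string $value, string $field): string {
    // Anything that can end a header line is an injection attempt. Check the
    // raw bytes and the common URL-encoded spellings, and do not try to repair it.
    if (preg_match('/[\r\n\0]|%0[aAdD]/', $value)) {
        throw new InvalidArgumentException("$field: line break in header field");
    }
    // With line breaks gone, a header name here cannot become a real header; the
    // check is kept as belt-and-braces, matching the thread's Content-Type rule.
    if (preg_match('/^\s*(content-type|bcc|cc|to|from|subject|mime-version)\s*:/i', $value)) {
        throw new InvalidArgumentException("$field: header syntax in field");
    }
    return trim($value);
}

function clean_address(string $addr, string $field): string {
    // A syntactically valid single address cannot carry a second recipient.
    $addr = trim($addr);
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("$field: not a valid address");
    }
    return $addr;
}

function clean_body(string $text): string {
    // Newlines are fine in the body, but MIME structure is not: a body that
    // carries its own Content-Type or boundary lines is the pattern from the
    // spam samples in this thread.
    if (preg_match('/^(content-type|mime-version|content-transfer-encoding)\s*:/im', $text)
        || preg_match('/^--=+/m', $text)) {
        throw new InvalidArgumentException('body: MIME headers in message text');
    }
    return $text;
}

function build_contact_mail(array $form, string $store_owner, string $store_email): array {
    // Returns the checked header block, subject and body; a caller would pass
    // these to mail(). Nothing is sent here.
    $name    = clean_header_field($form['name'] ?? '', 'name');
    $from    = clean_address($form['email'] ?? '', 'email');
    $subject = clean_header_field($form['subject'] ?? 'Enquiry', 'subject');
    $body    = clean_body($form['enquiry'] ?? '');
    $headers = array(
        "From: $name <$from>",
        "To: $store_owner <$store_email>",
        "X-Mailer: osCommerce Mailer",
    );
    return array('headers' => implode("\r\n", $headers), 'subject' => $subject, 'body' => $body);
}

// Constructed submissions: one legitimate, two shaped like the bot traffic in
// the thread (a line break smuggled into the name; MIME headers in the body).
$cases = array(
    'ok'        => array('name' => 'Alice', 'email' => 'alice@example.org',
                         'enquiry' => "Is item 42 in stock?\nThanks"),
    'crlf_name' => array('name' => "Bob\r\nbcc: list@example.net", 'email' => 'bob@example.org',
                         'enquiry' => 'hi'),
    'mime_body' => array('name' => 'x', 'email' => 'x@example.org',
                         'enquiry' => "Content-Type: multipart/mixed; boundary=\"=====1==\"\n\n--=====1==\n"),
);

foreach ($cases as $label => $form) {
    try {
        $m = build_contact_mail($form, 'Store Owner', 'owner@example.com');  // placeholder store values
        echo "$label: accepted, headers:\n{$m['headers']}\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Rejecting rather than truncating matters for detection: a refused submission can be logged with the source IP (which ties in with the single-click visitors Tom mentions), whereas a silently cleaned one sends a harmless mail and leaves no trace of the attempt. The same three functions apply unchanged to tell_a_friend.php, which Dave lists as the other exposed form.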

Would be nice if someone that is really into this problem could post a list of changes that need to be made to prevent this as well as possible.

 

Like:

in contact_us.php find code:

xxxx

 

Replace with:

xxxxxxxxx

 

and so on...

 

I and many others would appreciate it very much

So what?! Who care in a hundred years anyway?


Would be nice if someone that is really into this problem could post a list of changes that need to be made to prevent this as well as possible.

 

Like:

in contact_us.php find code:

xxxx

 

Replace with:

xxxxxxxxx

 

and so on...

 

I and many others would appreciate it very much

 

 

catalog/includes/functions/general.php

 

Find this

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
  if (SEND_EMAILS != 'true') return false;

 

Change it to this

 

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
  if (SEND_EMAILS != 'true') return false;

  // Don't send any injection type mails.
  // stripos() replaces eregi(), which was removed in PHP 7; the check stays case-insensitive.
  if (stripos($to_name, 'Content-Type:') !== false) return false;
  if (stripos($email_subject, 'Content-Type:') !== false) return false;
  if (stripos($from_email_name, 'Content-Type:') !== false) return false;
  if (stripos($email_text, 'Content-Type:') !== false) return false;

  // Remove any newline and anything after it on the header fields of the mail.
  // $to_email_address and $from_email_address are checked with tep_validate_email().
  // Character class is [\r\n] (the original '[\n|\r]' also matched a literal '|'); /s lets .* span lines.
  $to_name = preg_replace('/[\r\n].*/s', '', $to_name);
  $email_subject = preg_replace('/[\r\n].*/s', '', $email_subject);
  $from_email_name = preg_replace('/[\r\n].*/s', '', $from_email_name);
  // ... the rest of the original tep_mail() body follows unchanged


Added code, no problem. Thanks Dave!

catalog/includes/functions/general.php

 

Find this

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
  if (SEND_EMAILS != 'true') return false;

 

Change it to this

 

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
  if (SEND_EMAILS != 'true') return false;

  // Don't send any injection type mails.
  // stripos() replaces eregi(), which was removed in PHP 7; the check stays case-insensitive.
  if (stripos($to_name, 'Content-Type:') !== false) return false;
  if (stripos($email_subject, 'Content-Type:') !== false) return false;
  if (stripos($from_email_name, 'Content-Type:') !== false) return false;
  if (stripos($email_text, 'Content-Type:') !== false) return false;

  // Remove any newline and anything after it on the header fields of the mail.
  // $to_email_address and $from_email_address are checked with tep_validate_email().
  // Character class is [\r\n] (the original '[\n|\r]' also matched a literal '|'); /s lets .* span lines.
  $to_name = preg_replace('/[\r\n].*/s', '', $to_name);
  $email_subject = preg_replace('/[\r\n].*/s', '', $email_subject);
  $from_email_name = preg_replace('/[\r\n].*/s', '', $from_email_name);
  // ... the rest of the original tep_mail() body follows unchanged


This is unfortunately returning an error message as follows:

 

Parse error: parse error, unexpected T_IF in /home/anne001/public_html/includes/functions/general.php on line 963

 

My editor shows line 963 as being:

962 //Dont send any injection type mails

963 ? if (eregi('Content-Type:', $to_name)) return false;

964 ? if (eregi('Content-Type:', $email_subject)) return false;

965 ? if (eregi('Content-Type:', $from_email_name)) return false;

966 ? if (eregi('Content-Type:', $email_text)) return false;

967

 

Thanks for bearing with my ignorance.

 

catalog/includes/functions/general.php

 

Find this

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
  if (SEND_EMAILS != 'true') return false;

 

Change it to this

 

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
  if (SEND_EMAILS != 'true') return false;

  // Don't send any injection type mails.
  // stripos() replaces eregi(), which was removed in PHP 7; the check stays case-insensitive.
  if (stripos($to_name, 'Content-Type:') !== false) return false;
  if (stripos($email_subject, 'Content-Type:') !== false) return false;
  if (stripos($from_email_name, 'Content-Type:') !== false) return false;
  if (stripos($email_text, 'Content-Type:') !== false) return false;

  // Remove any newline and anything after it on the header fields of the mail.
  // $to_email_address and $from_email_address are checked with tep_validate_email().
  // Character class is [\r\n] (the original '[\n|\r]' also matched a literal '|'); /s lets .* span lines.
  $to_name = preg_replace('/[\r\n].*/s', '', $to_name);
  $email_subject = preg_replace('/[\r\n].*/s', '', $email_subject);
  $from_email_name = preg_replace('/[\r\n].*/s', '', $from_email_name);
  // ... the rest of the original tep_mail() body follows unchanged


  • 4 weeks later...

Sorry, I posted this in the wrong thread earlier so it's a double post, but this is where it is supposed to be.

 

OK, after getting tons of emails sent from [email protected] with added cc & bcc via contact_us.php, I edited the code as advised here in this thread.

catalog/includes/functions/general.php

// commented out: EDIT TO STOP SPAMMERS
//  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
//    if (SEND_EMAILS != 'true') return false;


//##### ADDED FOLLOWING FROM DAVE USER9999999
function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
  if (SEND_EMAILS != 'true') return false;

  // Don't send any injection type mails.
  // stripos() replaces eregi(), which was removed in PHP 7; the check stays case-insensitive.
  if (stripos($to_name, 'Content-Type:') !== false) return false;
  if (stripos($email_subject, 'Content-Type:') !== false) return false;
  if (stripos($from_email_name, 'Content-Type:') !== false) return false;
  if (stripos($email_text, 'Content-Type:') !== false) return false;

  // Remove any newline and anything after it on the header fields of the mail.
  // $to_email_address and $from_email_address are checked with tep_validate_email().
  // Character class is [\r\n] (the original '[\n|\r]' also matched a literal '|'); /s lets .* span lines.
  $to_name = preg_replace('/[\r\n].*/s', '', $to_name);
  $email_subject = preg_replace('/[\r\n].*/s', '', $email_subject);
  $from_email_name = preg_replace('/[\r\n].*/s', '', $from_email_name);
//###### END OF DAVE'S CODE TO STOP SPAMMERS

 

This seemed to work fine; the spammer stopped.

But now I have a problem.

When someone makes an order, the email is not sent to the owner of the site (owner@their domain.com); I get a copy sent to me@my other separate domain.com.

 

Under store configuration you can set where order emails are sent to and can add more than one email address to send it to.

 

It now appears that those order emails cannot be sent to the domain name the same as the store.

 

Can any one help with this problem?

 

thanks Gecko

this time it'll go :-)


Archived

This topic is now archived and is closed to further replies.
