Form Exploits


#1

How can I tell if my contact form(s) have been exploited and how many times sendmail has been activated? Wouldn’t I find the answers in my logs and in my resources report? Anywhere else?


#2

Thanks BobS. I’m not panicking so much as I am perturbed. I made that post after I found out that DH shut off my user’s sending capabilities and hadn’t notified us when it first happened. We have several sites and I could not get support to tell me which one they found the exploits at or any details at all about them. The logs for each of the sites show the forms only being used a few times. The resources for my user do not show sendmail at 200 counts, let alone 200 times per hour (wouldn’t that be seen in the logs?). I understand DH’s reasoning in not wanting to tell me how they could see it and I could not (in case I’m the one doing the sending, which I wasn’t), but I don’t understand why they couldn’t offer more information or tell me why I can’t see anything reflecting this in my logs or my resources. Not to mention that we were not notified until I questioned why the forms were not working. I had one possibly insecure form, so I will be updating all (I have a great secure form I’m using on another user/site). It’s just unnerving that we can’t tell when the forms are being exploited and nothing is noted in the resources report.

Hope


#3

Hope,

Maybe sharing a recent experience I suffered will shed some light on your issue. I took over hosting a site another had produced, and “took the easy way out” by initially moving the site, as it stood, onto Dreamhost with only a brief look at the code. The site processed its form(s) using a common formmailer script, “DynaForm v 1.4”. The code looked “safe” enough, and it worked, so I did not bother to “redo” the form to use the DH-provided “formmail.cgi”, which I have used successfully for years without incident.

First indication that there was a problem was a *bunch* of bounce messages addressed to my DH user in the form of myid@server.dreamhost.com. Seems that someone, on one of my forms (I host lots of domains on DH), was attempting to exploit one of my forms, but was not being successful. Close inspection of the bounce messages and the text of the messages that bounced indicated that the attacker could not properly form a message via his exploit, but could dispatch it via the form. Every word in the message he attempted to send via his script was read as a “to” address, and of course, they all “bounced”. Careful inspection of the bounced messages gave me a clue as to where to start looking for the offending script (which domain).

Worried about DH’s reaction, and all that, I dug into the access logs for that domain and saw the “strange” entries…identified by truncated log information and IP addresses that reverse-lookup could not find (though some appeared to be Comcast machines - zombied?). I was relieved to note that only 20-30 attempts were made in a 24 hour period, and they came about once an hour, in groups of one or two accesses (though they “produced” approximately 10 times that many “failed” messages). The problem lasted about two days, then the “attack” subsided, presumably because the attacks did not succeed in generating mail that made it to the intended servers.

There has not been a repeat in the last several days. I think I need to dump DynaForm (though the code looks safe to me - I am not a PHP wizard), and go with what seems to work. Is DynaForm broken? I guess it “kinda” is, though it did not actually get any spam to any real addresses.

–rlparker


#4

Thanks rlparker. Unfortunately, your post proved my point. You found the exploit in your logs. Just as I had looked in my logs - I found a few of the forms accessed but not 200 in one hour. I counted the times my forms were accessed for this particular DH user account. They were not accessed 200 times. Neither the logs nor the resources report showed me that the forms were accessed other than by me - TRYING to test the forms, as I found they weren’t working! If I could be given a reasonable explanation as to why my user was “flagged” for sending email over the 200 per hour limit, then I’d be MOST happy. But I have yet to hear one. If I’m uneducated in this matter - then help me out. I’m just as eager to stop people from exploiting my forms as DH is. Why should this be a secret?

DH - SHOW me where my forms were exploited OR by what IP. Hello??? Oh… no answer. Thanks.

Obviously, my frustration is at a boiling point. Not because DH is trying to limit spammers or help out with exploits but because DH is not telling/showing me just how their 200 limit was exceeded by my user account (not to mention they did not notify me that they had disabled the forms).


#5

I understand your frustration better now, and I realize my post probably didn’t provide much help. I think what I was trying to emphasize was that my logs did not show any obvious problems. I missed those “twice an hour” form accesses (and they were single accesses!) the first several times I looked for them; they just didn’t stand out! There were not “hundreds” of accesses in the log…just a few that generated “hundreds” of “bad” email messages due to the exploit script not working as the author intended it to. Again, there was no corresponding access in the logs to associate with a given instance of a spam message.

It was only after carefully dissecting the bounce announcements, and their attached emails (showing exactly what the contents of the message that bounced were), that I was able to identify the domain from which the form had been abused. Only after going to those logs, and specifically inspecting the entries near the time the “bounced” message was dispatched, was I able to track down the problem.

Does that make any sense at all? As a last resort, if you wish, you may contact me via PM and I can arrange for you to forward me a sampling of your bounce messages (I’ll need the attachments), and maybe I can help you more.

Other thoughts:

  1. Have you installed anything recently with a mail function? It might be “the new kid on the block” causing the problem, since you have not had it before.

  2. Do you use the same form processing software on all your sites? If so, many sites may be involved; if not that will help you further isolate the offender.

  3. Are your 3rd Party Apps all “up to date”? There has been a rash of recent security-related updates on almost all of the popular 3rd Party applications.

Please don’t be discouraged (do not let the net-vermin ruin your day!), and don’t give up. If I cannot help you figure it out, there are many others here that are a lot more knowledgeable about these things than me; I’m sure we can find you an answer.

–rlparker
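The two things rlparker describes in #3 and #5 are, from the defender's side, a missing input check and a log-triage step: the formmailer handed form fields to the mail headers unchanged (so injected CR/LF lines became extra recipient headers), and the abuse was found by taking the timestamp from a bounce and reading the form handler's access-log entries around it. The script below is an added example and is not code from this thread, from DynaForm or from DreamHost. The handler path `/contact/dynaform.php`, the field names, the IP addresses, the dates and the log lines are all constructed for the example; the "no referer / no user agent" indicator is an assumption drawn from rlparker's description of truncated log entries.

```python
"""Added example (not from the thread): a header-injection check for a mail
form plus the bounce-to-access-log triage rlparker describes.  All log lines,
addresses, paths and times below are constructed samples."""
import re
from datetime import datetime, timedelta

# --- Part 1: reject form input that would add lines to a mail header --------
# A formmailer that copies a field into "From:" or "Subject:" unchanged lets a
# CR or LF in that field start a new header (Bcc:, extra To:).  Refuse those.
CRLF_RE = re.compile(r"[\r\n]")
ENCODED_CRLF_RE = re.compile(r"%0[aAdD]")          # still-encoded CR/LF
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # one plain address


def header_field_is_safe(value: str) -> bool:
    """True only if value can sit inside a single mail header line."""
    if CRLF_RE.search(value):
        return False
    # Conservative extra check (assumption): refuse %0A/%0D too, in case a
    # later stage url-decodes the value a second time.
    if ENCODED_CRLF_RE.search(value):
        return False
    return True


def sender_address_is_safe(value: str) -> bool:
    """Exactly one well-formed address and no embedded header lines."""
    return header_field_is_safe(value) and EMAIL_RE.match(value) is not None


def validate_form(fields: dict) -> list:
    """Names of rejected fields; an empty list means the form may be mailed."""
    bad = []
    for name in ("name", "subject"):
        if not header_field_is_safe(fields.get(name, "")):
            bad.append(name)
    if not sender_address_is_safe(fields.get("email", "")):
        bad.append("email")
    return bad


# --- Part 2: form-handler POSTs around the time a bounce was generated -------
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: two scripted POSTs with no referer and no browser
# user agent, one genuine visitor who loaded the page first, and a crawler.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2007:09:58:11 -0700] "POST /contact/dynaform.php HTTP/1.0" 200 312 "-" "-"
198.51.100.20 - - [14/Jun/2007:10:01:45 -0700] "GET /contact/ HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2007:10:02:03 -0700] "POST /contact/dynaform.php HTTP/1.0" 200 312 "-" "-"
198.51.100.20 - - [14/Jun/2007:10:02:30 -0700] "POST /contact/dynaform.php HTTP/1.1" 200 312 "http://example.com/contact/" "Mozilla/5.0"
192.0.2.44 - - [14/Jun/2007:15:30:00 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Googlebot"
"""


def parse_log(text: str):
    """Yield one dict per line that matches the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
            yield entry


def form_hits_near(log_text: str, handler_path: str, bounce_time: datetime,
                   window_minutes: int = 5) -> list:
    """POSTs to handler_path within +/- window_minutes of the bounce time.

    Each hit is marked 'suspicious' when it carries no referer or no user
    agent, i.e. the form was submitted without the form page being loaded
    by a browser (assumption based on rlparker's 'truncated' log entries)."""
    lo = bounce_time - timedelta(minutes=window_minutes)
    hi = bounce_time + timedelta(minutes=window_minutes)
    hits = []
    for e in parse_log(log_text):
        if not (lo <= e["time"] <= hi):
            continue
        if not e["req"].startswith("POST ") or handler_path not in e["req"]:
            continue
        e["suspicious"] = e["ref"] == "-" or e["ua"] == "-"
        hits.append(e)
    return hits


if __name__ == "__main__":
    # Constructed bounce timestamp; in practice take it from the Date: or
    # Received: header of the bounced message's attachment.
    bounce = datetime.strptime("14/Jun/2007:10:02:00 -0700", TIME_FMT)
    for h in form_hits_near(SAMPLE_LOG, "/contact/dynaform.php", bounce):
        flag = "SUSPECT" if h["suspicious"] else "ok     "
        print(flag, h["ip"], h["time"].isoformat(), h["req"])
    print(validate_form({"name": "Bob", "email": "bob@example.com\nBcc: x@example.net",
                         "subject": "hello"}))
```

Part 1 is the check to apply in the form handler before any field reaches sendmail; with it in place the injection attempt in rlparker's account never produces a message at all. Part 2 is the triage step for the case where the abuse already happened: feed it the bounce's timestamp and the form handler's path, and the scripted submissions show up even when, as in this thread, they are only one or two lines an hour that do not stand out in the raw log.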


#6

Hi again rlparker,

Thanks for your thoughtful and helpful post. I only had one bounced email on the 14th, which is when I set about trying to update that particular form with a more secure PHP form. And then the trouble started. My form wouldn’t send mail. I spent hours trying to determine if it was the form that was tweaked incorrectly, if mail was slow, if my other email I was sending test messages to via the form was somehow slow or rejecting it, if the mail forwarding wasn’t working properly, etc., all a waste of time. Had DH notified me when they should have, I wouldn’t have had to waste all that time killing myself over why my forms weren’t working and why email was not forwarding or being sent.

I constantly view my logs. My .htaccess file is miles long with IPs I’ve denied for whatever reason (suspicious activity, scraping content, a bot fell into my bad bot trap, etc.). I am constantly trying to thwart the vermin but it does not help me when DH won’t show me how my user account exceeded its 200 per hour sendmail limit. It is, after all, my account. Why can’t I know who was “supposedly” trying to spam with my form?

Sorry, but the only thing I’m discouraged with is the lack of information on DH’s part. Please, forgive the rant…and thanks for trying to help.


#7

I understand. I’d have been furious had I spent the better part of a day “debugging” a script I thought was broken only to find out later that the script might/might not have worked…I’d never know because DH wasn’t processing the mail! Arguuughh!

Your point is well taken, and points out once again how DH seems to be changing. Back in 1998, when I began hosting with them, you would never have found them to be uncommunicative about the nature of the exploit. Even though they never supported “3rd Party Scripts”, they would have helped point you in the right direction.

Lately though, things are reported to be different. I’m concerned about all the troubles some have had with CPU usage constraints (I’m almost afraid for some of my sites to become “successful”); I no longer feel confident I can gracefully scale if I need to. I just hope some of this can be attributed to short-lived growing pains, and that stability of service (and confidence in DH) returns soon.

Please, when you find the source of your problem (and I’m sure, from reading your last post, that you will!) share with us what happened to help us protect ourselves.

Good luck, and feel free to PM if I can help you in any further way.

–rlparker


#8

Thanks, rlparker. I didn’t realize you’d been with DH so long. Wow! A DH veteran.

I completely understand about the usage constraints. That’s why I had the resource reports activated and purchased another account, moving a few sites onto the new user account. We have cgi scripts that could possibly go “wild” depending on which search engine or scraper is accessing the site. It was the right thing to do. Here I was worried about CPU usage and then our contact forms get turned off. I guess that’s how it goes. When it’s not one thing, it’s another.

I’ll let you know if I find out anything but my spidey-sense tells me I won’t…

Good luck and thanks for your kind offers to help!

Hope