NYCPHP Meetup

[Michael Southwell]

I polished this up a bit.

IMPORTANT:  Ken's original function did not work in my testing, 
because (1) the \ in \r and \n needed to be escaped, and (2) he had 
the letter O instead of the numeral 0 in the hex numbers.  Somebody 
smarter than I am, please check carefully the modified version included below.
===========================

Problem:
Bot-net scanning to locate php scripts which are vulnerable to a email
header injection exploit. All PHP scripts which send email based on
input data are vulnerable.

Discussion:
A large scale distributed network of machines is currently being
employed to scan php-based websites in search of scripts which are
vulnerable to an injection-style security exploit. The exploit permits
an attacker to send emails to arbitrary destinations. A common target
is the kind of web-based feedback form which submits an email to a
designated address, but any form which results in an email being sent
could be vulnerable. The bot-net script injects malicious email
headers into the form's fields, which are then passed to the mail server.
The mail server parses those headers and then sends email to the
address designated in the maliciously injected headers. We assume the
attacker is collecting a list of vulnerable sites which may be used
later as an open relay for spam or large scale deployment of
viruses/worms.

For more information about the attack, see
http://securephp.damonkohler.com/index.php/Email_Injection

(Thanks to Billy Reisinger for this link.)

A Google search for the injected email addresses reveals that scans have been
taking place since at least July 8, 2005

Detection and Solution:
The current bot-net probe is known to send its reply to one of several
known email addresses on the following list (current as of this writing:
jrubin3546 at aol.com
mkoch321 at aol.com
wnacyiplay at aol.com
kshmng at aol.com
Homeiragtime at aol.com
bergkoch8 at aol.com

Grep through your mail server logs for the list of emails, using a 
command something like this:

grep -f exploitaddresses.lst /var/log/maillog (or wherever your mail 
log is located)

If any are found, cross reference the time of the mailing to times in
your web server logs to help determine the exploitable script. Modify
any such scripts to properly filter input fields, with a function
something like this:

function safe( $name ) {
   return( str_replace(
     array( "\\r", "\\n", "%0A", "%0a", "%0D", "%0d", 
"Content-Type:", "BCC:", "bcc:" ),
     "", $name ) );
}

(Thanks to Ken Robinson for the original version of this function.)

To follow the mailing list thread on this topic, see
http://lists.nyphp.org/pipermail/talk/2005-September/thread.html#16123


Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses