NYCPHP Meetup

[Hans Zaunere]

This is great Rolan, many thanks - I'll get it online right away...

H


Rolan Yang scribbled on Monday, September 12, 2005 11:16 AM:
> Hans Zaunere wrote:
> 
> > Another address I've seen is mhkoch321 at aol.com
> > 
> > Rolan, and I think you're right about this problem not getting
> > enough exposure.  If you can write-up a couple of paragraphs about
> > it, I'll post it on nyphp.org's frontpage. 
> > 
> Ok, here's the bulletin. If anyone would like to polish it up, feel
> free to do so. I'm not good at writing this stuff.
> 
> Problem:
> Bot-net scanning underway to detect and log php scripts which are
> vulnerable to a email header injection exploit.
> 
> What is vulnerable:
> PHP scripts which send email based on cgi input data should be
> inspected for the vulnerability.
> 
> Discussion:
> A large scale distributed network of machines are currently being
> employed to scan php based websites in search of scripts which are
> vulnerable to a injection-style security exploit. The exploit permits
> an attacker to send emails to arbitrary destinations. A common target
> is the web based feedback form which submits an email to a designated
> address, but could be any form which results in an email being sent.
> The method used to exploit the vulnerability is by injection of email
> headers into cgi form fields which are passed to the mail server. The
> mail server then parses the headers and sends the email to the
> address(es) designated in the maliciously injected headers.
> 
> Exploit:
> The bot-net script currently probes vulnerable scripts by injecting
> malicious headers into cgi form fields. The headers forward an email
> response to one of several target email address to which the hacker
> has access. We assume the attacker is collecting a list of vulnerable
> sites which may be used later as an open relay for spam or  large
> scale deployment of viruses/worms.
> 
> For more information about the attack, please refer to:
> http://securephp.damonkohler.com/index.php/Email_Injection (thank's to
> Billy Reisinger for the link)
> 
> A google search for the target emails reveals that scans have been
> taking place since at least July 8, 2005
> 
> Detection and Solution:
> The current bot-net probe is known to send its reply to one of several
> known email addresses on the following list.
> 
> Grep through your mail server logs for the list of emails. If any are
> found, cross reference the time of the mailing to times in your web
> server logs to help determine the exploitable script.
> 
> grep -f exploitemails.txt /var/log/maillog (or wherever your mail log
> is located)
> 
> Vulnerable scripts should be modified to properly filter input fields.
> Ken Robinson has posted a
> php example at:
> http://lists.nyphp.org/pipermail/talk/2005-September/016124.html
> 
> To follow the mailing list thread on this topic, please visit:
> http://lists.nyphp.org/pipermail/talk/2005-September/thread.html#16123
> 
> (we should build a list of these emails and publish them along with
> this notification)
> 
> Current list:
> jrubin3546 at aol.com
> mkoch321 at aol.com
> wnacyiplay at aol.com
> kshmng at aol.com
> Homeiragtime at aol.com
> bergkoch8 at aol.com
> 
> ~Rolan Yang
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org