1,008 views

Hacker’s Exploitation Of A CGI Script On My Website To Send Massive Spam Emails – Hard Lessons Learnt!

Quick Take Away: This article was first published online in 2006. It is based on a true occurrence on my former primary domain – spontaneousdevelopment.com – which got taken over on 4th May 2014 by Aplus.net . Now that I’ve successfully relaunched my website on tayosolagbade.com, re-publishing this article on my new primary domain, I believe, will help those who read my writing understand that these things CAN – and do – happen. So we must simply learn from them and MOVE ON to better heights!

Preamble

On Tuesday 20th June 2006, I discovered that a hacker exploited a site recommendation script I installed 3 days earlier(!), to send out spam email from my website, causing my web host to take it offline for 7 days i.e. up till Wednesday 28th June 2006 a.m. If you own a website, and are trying to build online credibility towards doing legitimate business, you may (want to?) know how damaging this kind of attack can be – and what you can do to protect yourself.

Incidentally, no matter how big or small your website is, spam robots will come to it – and hackers will test your website for loopholes they can exploit to launch spam attacks – so you must learn latest security concerns and take preventive action to protect yourself.

If you think it can never happen to you, let me warn you: that’s exactly what I thought, UNTIL I made the slip which allowed a spam artist drive a massive “spam mail truck” through my website!

In this article, I offer you an insight into my personal experiences and learnings, plus provide URLs (some sent to me by the support department of my web host – others I found through my own subsequent research) leading to useful advice from experienced webmasters, and professionals with proven competence in this area.

Spam “Artists” Can Trick A Non-Spamming Website To Send Spam Emails

It was the evening of Friday 16th June 2006, and I was rounding up the updates on my websites, when I decided to search online for and install another site recommendation script on my website in place of the one that for some reason I could not fathom, continued to return a “500 – Internal Server Error”. The Google search results page threw up a slew of referral scripts offerings from various authors – some free, others for sale. At this time I was just keen to test and see if I could get one to work on the site.

Soon I settled for one called “The PCman Website Refer a Friend”. Within minutes, I had it installed and running. One thing I did not do, and which I would advise (based on the benefit of painful hindsight) ANYONE who uses third party scripts on his/her site to do, is to check and confirm the programmer has taken pains to secure the script code against exploitation (Specific details/links to URL resources on how to go about this provided further down).

Note: It was only after the event, and following prompts from my hosts, that I checked and found the PCManrefer script had inadequate security written into the code. The resulting “security hole” was what the hacker later exploited remotely to launch a massive spam attack.

On Tuesday 20th June 2006 a.m, I tried to log into my web hosting account to upload files, but noticed the ftp tool I was using kept returning an “incorrect password” message.

After trying repeatedly, and confirming I was using the correct password, I decided to try logging in to my webmail – so as to send an email to the support department for assistance.

This presented a problem as well. Each time, I tried, I got a message like “Dropped by ISMAP server”. Now quite alarmed, I decided to type the URL to my website – http://www.spontaneousdevelopment.com. My worst fears came to pass – The browser printed a “Page Not Found” message in bold! At this point, I promptly went to my host’s website and initiated a chat session with the operator.

The following chat conversation took place:

—–start of chat session——

: Hello! How may I help you?

: hi

Visitor42152: Hi

Visitor42152: I cannot login to my webmail or access my entire website

Visitor42152: MY reg no is

: We are writing to inform you that during the past 30 minutes your web hosting account (username = deleted) has sent 625 messages to the email subsystem of the hosting server. This is in violation of our terms of services, and as such, any websites

: belonging to that account have been taken offline.

: In order to reactivate your account you will need to contact our support department and agree not to abuse our servers again. Any further incidents like this will cause our system to remove your account completely and without warning

Visitor42152: I am working from a cyber cafe I normally do not use though it’s close to my home

Visitor42152: I am certain this is due to activities of email spammers who use the same ISP as these guys

: send an email to

Visitor42152: How long will it take to resolve this?

: 6 -12 hours

—End of chat session——

Well, I did not get it resolved in 12 hours. In fact, by the time I was finished exchanging emails with the support department, I learnt my account would be suspended for 7 days, with the warning that if it happened again, my account would be reconsidered for termination without notice.

How They Did It (i.e. Hijacking My Website Referral Script’s Form Post)

Below, I reproduce the exact text of the explanation given by my host’s Abuse Department, when I requested for details that could help me understand how the problem had occurred, and what I could do to prevent a re-occurrence. You will notice that the Perl script I installed (i.e “pcmanrefer.pl”) some days before the problem, was identified by the administrator as one of three found to have poor security built into their code.

— “Aplus.Net Abuse Department” wrote (I have re-arranged – but NOT edited – the text for readability):

> Hello,

> Basically the attack is performed on scripts that trust the information that the submitter enters and are therefore easily exploitable. You can refer to these two documents that describe in details this very specific attack:

> http://www.anders.com/projects/sysadmin/formPostHijacking/

> http://www.nyphp.org/phundamentals/email_header_injection.php

> I have reviewed the spam evidence sent to us and in the headers the subject is different every time which means the script used is taking the input data from the visitor and doesn’t edit it at all:

> Subject: Incredibly undervalued, you’ll not want to miss this opportunity the protracted I have found several such scripts in your FTP space:

> /cgi-bin/mailer/simplemail.pl

> /cgi-bin/mailer/mailer.pl

> /cgi-bin/pcmanrefer.pl

> There might be others that are compromiseable too but you know better the structure of your website and which exactly script is sending the data unchanged. The bottom line is to filter out all input data as suggested in the two articles above.

> Thank you,

>

Clues Left Behind By The Hacker In My Server Space

When I eventually gained access to my server space, I found confirmation that it was indeed the “pcmanrefer.pl” script that had been exploited: Its referral log file (refer-log.txt), had grown to a massive 11.1 Megabytes size(many million bytes up from its 0 bytes size when I uploaded it less than 9 days before)! Opening the file revealed huge volumes of email addresses and message contents, originating from bogus “addresses” at my sub domain e.g.InvestorsWeekly@spontaneousdevelopment.com; my@spontaneousdevelopment.com; stephannie@www.spontaneousdevelopment.com (“who is SHE??”, I said to myself) – and many, many more!

The Attack Had A Negative Multiplier Effect – Which Is Why You Would Be Wise To Prevent It Happening

When my hosting account was suspended, my websites could not be visited, nor could I access mails sent to my webmail account at my domain during that seven day period. But that was just one side of it. ALL the short URLs that I had created to point to various sub domains on my main website were put up for removal by the service provider, who placed a bookmark update link on a page leading to the respective home pages – with the following message:

Due to enormous phishing spam with our sub domains () we will close this short url re-direction. Please update your bookmarks

One example of a short URL that was affected by this problem is http://www.cbsolutions.v27.net, which I had set to point to cbsolutions.spontaneousdevelopment.com– the mini site for my Creative Business Solutions (CB Solutions) delivery service.

My mind raced back to all the articles I had published at the Ezine articles directory, in which I had used the short URL addresses in the resource box invitation to readers(at the end of the article). A number of those articles carrying the short URLs had been syndicated on other websites, where I would not have access to make changes to them. I realised that it would only be a matter of time before readers of some of my articles would find themselves confronted with a “Page Not Found” browser error, or a general advert page for domain names sales etc – instead of my site: Definitely not good for the image I was trying to build online!

I provide the above details to give you an idea of just how bad this can be – so you can really understand why it would be in your best interest to make sure you never leave yourself open to the extent that this type of problem can affect your website.

Taking Action To Prevent (Future) Attacks

I deleted the “pcmanrefer.pl” script, and the other two that were identified by the hosting provider’s administrator (see email above). I also removed another mailing list managment CGI script that I installed a month before.

In a way, I felt like I was taking medicine after death. :-) But at least by this time, I actually had a better idea of WHAT had happened, HOW, and WHY – and what I could do to protect myself for the future.

Next, I visited the URLs emailed to me by my web host. Out of curiosity, I also did a number of searches on Google, to see what else I could learn about “form post hijacking”, and spamming in general.

Below, I provide links to some useful resources I found. If you own a website, I think you will want to spend some time studying them.

IMPORTANT NOTES!

1. It would interest you to know that I no longer use a site referral script on my wesbsite. Instead I have developed a simple email recommendation template that anyone who is so keen to tell another about my site can use. Visit http://www.spontaneousdevelopment.com/referus.htm to see what I mean. There are many other effective ways to get marketing exposure for a website, and I am currently modifying my website design/marketing strategy to accommodate them. As time goes on, visitors to my website will see ample evidence of this.

2. Some of the resources whose URLs are listed below, were published as far back as 2002, so they might not exactly offer relevant or effective remedies that can be successfully applied today. However, the educational value they offer towards understanding the problem(s), in my opinion, would still make them worth a visit.

So, with that note of warning, I wish you happy reading and good luck in your fight to protect your website against exploitation. Back to top

Useful Learning/Problem-Solving Resources

1. Using Apache to stop bad robots | evolt.org – by Daniel Cody

http://www.evolt.org/article/Using_Apache_to_stop_bad_robots/18/15126/

2. Why Some Scripts are dangerous to use on your Website – http://webnet77.com/help/dangers.html

3. http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay – By Anders Brownworth

Interesting Crack Attempt to Relay Spam (Comment: this is actually a precursor to the full article referred to me by my web host titled “Form Post Hijacking – How to solve the problem.”)

4. By Anders Brownworth – Form Post Hijacking – How To Solve The Problem article author

http://www.anders.com/projects/sysadmin/formPostHijacking/

5. http://handsonhowto.com/cgi101.html – A Hands-On How-To(Securing the CGI script section – useful) – from Brass Cannon Consulting

6. WWW Security FAQ: CGI Scripts – http://www.w3.org/Security/Faq/wwwsf4.html -by Lincoln Stein (lstein@cshl.org) and John Stewart (jns@digitalisland.net) – hosted by the World Wide Web Consortium (W3C) as a service to the Web Community.

7. Stopping Spambots: A Spambot Trap – http://www.neilgunton.com/spambot_trap/

8. How to block spambots, ban spybots, and tell unwanted robots to go … Spamming of referer logs is a growing nuisance:

http://diveintomark.org/archives/2003/02/26/how_to block_spambots_ban_spybots_and_tell_unwanted_robots_to_go_to_hell

 

[IMPORTANT: This blog's contents are being updated following the transfer to www.tayosolagbade.com from my former domain - Spontaneousdevelopment.com. As a result, some parts of it may not work properly for now. Quick Tip: If a link contains "spontaneousdevelopment.com", simply change it to "tayosolagbade.com" - and it should work. This applies to article links as well as image links. Work continues to update the links(in over 500 articles). Tayo K. Solagbade.]

Practical Livestock Feed Formulation Handbook

Available as a PDF ebook, and also as a spiral bound print manual (from me). Click here for details.

You can also get it as an PDF ebook via my online store.

Screenshot of ebook in online store

$82.5 USD to buy it from my online store (PDF download)

N8,000.00 [Eight Thousand Naira] for persons who wish to send payment direct to my bank account.

Payment of N50,000.00 gets you the physical handbook and software on CD with videos etc, PLUS practical one-on-one, in person training with me at a feed mill in Lagos, Nigeria.

Click here to contact me about purchasing this product.

View Tayo Solagbade's video tutorials and demonstrations on Facebook Productivity Tips, Web Marketing, and for his Custom MS Excel-VB driven software applicationsJoin the SD Nuggets community on Facebook.comConnect with Tayo on Twitter.comConnect with Tayo on Google Plus

Your Gifts for Subscribing

When you signup, you'll receive:

Submit the form below to get a download link to the PDF version of my newly revised

Once you submit the form below, you will be taken directly to the downloads page, just as an auto-response message will be delivered to your inbox, with links to the promised gifts.

I look forward to meeting and/or working with you!


Signature image - Tayo K. Solagbade

Tayo K. Solagbade*
Performance Improvement Specialist & Multipreneur
*Best Practice Farm Business Support Specialist
& Founder of the MS Excel Heaven Visual Basic Automation Club & Competition(www.excelheaven.biz)

 

 

Excel-VB Driven Ration Formulator

Click to view larger screenshot

1. Click here to learn more about this app - watch demo videos etc

2. Click here to watch a 4 part video in which I demonstrate how to use this app to formulate rations using real life data sent to me by an Algerian PhD student.

Click here to contact me about purchasing this product.

EXCEL-VB DRIVEN POULTRY LAYER FARM MANAGER SOFTWARE

Click here to download a detailed PDF user guide and watch 15 screen shot user guide tutorials of the Monthly Poultry Farm Manager that I now offer Farm CEOs.

Click here to watch a screenshot demonstration of the Excel-VB Driven Poultry Farm Manager I built for a client farm business in Ekiti state, South West Nigeria.

Click here to contact me about purchasing this product.

Name:
Email:
 
Powered by Optin Form Adder

Leave a Comment Here's Your Chance to Be Heard!

You must be logged in to post a comment.

Facebook

Get the Facebook Likebox Slider Pro for WordPress