Hijacked PHP script?

NeoGeo

I have a PHP mail script on my server that appears to be... hijacked... i think... not really sure what is going on but here is the code for the script:

function sendEmail($send_to, $send_from, $send_from_email, $subject, $header, $result_array) {

$return = true;

$message = $header . $message . "<font face='Verdana, Arial' size=2>";
while (list ($key, $val) = each ($result_array)) {
				$message = $message . "<b>$key:</b> $val<br>";
}

if(!mail($send_to, $subject, $message, "From: ".$send_from." <".$send_from_email.">\nContent-Type: text/html; charset=iso-8859-1")) {

	$return = false;

}

return $return;

}

And these are the e-mail I'm getting (about 10 a day):

city: iza@DOMAIN.com
first_name: iza@DOMAIN.com
last_name: iza@DOMAIN.com
Submit: iza@DOMAIN.com
state: iza@DOMAIN.com
address: iza@DOMAIN.com
zip_code: iza@DOMAIN.com Content-Type: multipart/mixed; boundary=\"===============1827898287==\" MIME-Version: 1.0 Subject: c8a9679e To: iza@DOMAIN.com bcc: mhkoch321@aol.com From: iza@DOMAIN.com This is a multi-part message in MIME format. --===============1827898287== Content-Type: text/plain; charset=\"us-ascii\" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit pszo --===============1827898287==--

DOMAIN is the domain of my site, the aol.com I left in there.

I've heard how insecure simple PHP scripts are so do I have to get some third party script or is there anyway I can fix mine?

Thanks,
Ben

devinemke

you could add some code to your form validation that blocks email addresses from your own domain. something like:

if (strstr($email, '@') == '@NeoGeo.com') {exit('nice try');}

execute

Thats probably a machine doing it, like a robot whatever... So what you do is, Make a security code. So he can't loop-send or whatever, only human can. A graphical random security number to appear randomly each time and the user must enter it.

Also maybe its inserting code or something to get your domain. So perhpas try strip_tags and stripslashes addslashes, etc in your validation.

NeoGeo

devinemke wrote:
you could add some code to your form validation that blocks email addresses from your own domain. something like:
if (strstr($email, '@') == '@NeoGeo.com') {exit('nice try');}

I like that alot! Is there a way I can capture the IP address while I'm at?

I still don't understand how this thing works... I tried doing exactly what he/it is doing, which is just filling all the fields with some random e-mail address at my domain like asdf@DOMAIN.com, but one of the fields is populated with this:

firsssnuu@sixlakesutah.com Content-Type: multipart/mixed; boundary=\"===============2007338296==\" MIME-Version: 1.0 Subject: 9bfa34a0 To: firsssnuu@sixlakesutah.com bcc: mhkoch321@aol.com From: firsssnuu@sixlakesutah.com This is a multi-part message in MIME format. --===============2007338296== Content-Type: text/plain; charset=\"us-ascii\" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit ivza --===============2007338296==--

I tried that same thing just to see if somehow he could spam other people using my server by doing that. I replaced all the e-mail addresses with my own and I didn't get anything... should I be worried something more malicious is going on? For the moment I guess I'll just keep checking the e-mail logs to see if anything is still going on.

Thanks for your help!

NeoGeo

bump

Anyone?

dotty

Hi NeoGeo

I am experiencing the same problem with an asp form script - the code looks exactly the same but the bcc email address is different (jrubin3456@aol.com ). I did a search last week and found a discussion at:
http://forum.weblamp.net/index.php?topic=4492.0

There don't seem to be any answers there yet but the discussion is live so maybe the issue will be resolved soon.

execute

Just block the http_referer, they are using your script thru their own script.
All you do is

if($_SERVER['HTTP_REFERER'] != "mywebsite.com"){
die("Go away hacker.");
}

bakkufu___

I had something similar with a script I was working on, adding the graphical validation code section ( thanks KBurger ) stopped it immediately.

kona72

devinemke wrote:
you could add some code to your form validation that blocks email addresses from your own domain. something like:
if (strstr($email, '@') == '@NeoGeo.com') {exit('nice try');}

I tried this and it works to an extent. If I use emails with my domain extension I get the "nice try" message but I still get the emails. I don' t get it??

here is my code....

<?php

if(isset($Submit))
{
	if($name != "" && $email != "")
	{
		$message = "Referral Program from Trafick IMS:<br><br>
		Name: $name<br>
		Email: $email<br>
		Friends Name: $friend<br>
		Friends Email: $friendmail";

	$headers = "MIME-Version: 1.0\n"; 
	$headers .= "Content-Type: text/html; charset=iso-8859-1\n"; 
	$headers .= "From: <$email>\n"; 
	$headers .= "Reply-To: <$email>\n"; 

	mail("curtis@trafick.net,$email", "Referral Program Information", $message, $headers); 

	if (strstr($email, '@') == '@trafick.net') {exit('nice try');}  


	header("Location: referralthanks.htm");
}
else
{
	$error = "y";
}
}
?>

Any and all help would be greatly appreciated.....
THANKS!!!!

phpstuck

Try simpler.....Maybe

Move it ahead of the mail function

if (strstr($email, '@') == '@trafick.net') {
echo "Nice try!";
exit();
}

zoobie

I have the same bot doing the same thing and, to quote the Donald, "It's gonna be HUGE."

I've added a hidden form field for a bandaid which has stopped them temporarily but people are writing scripts for this like mad.

Long thread on this major mess with scripts here.

sitemaster

I have the same problem; in the past I have done forms with Perl, and always assumed the worst of people out there. By that I mean that there will always be someone who in intent on hacking my form etc, so I've got to design in the capability to stop them. In this instance I had used Dreamweaver to develop the form and processing script, I should have know better! :mad:

I was passing the form input fields straight through, no checking! I like the solutions proposed, I am going to add captcha - with an image, but as well in future I'm going back to my old standard of assuming the worst. So, if the field is expecting a name input, it will be cropped to say 20 or 30 characters, then parsed and anything that's not alphnumeric eliminated before anything else is done.

That's a lot of work I know, but we have to assume that someone is going to try and break it - that means designing for the worst case.

My brain is aching already

sys4dm1n

Okay, A: its a very good spam bot, or B: its a script kiddy-- or someone having a great time messing with you.

advice: grab their information always for security reasons. even if you dont know how to do this, say that their IP address has been logged for security before they submit the form. that scares them a little bit.

to capture the IP-- or have a secure script, this is what I use:

contact.php

<?php
		require_once('browser.php');
if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])>7 ||
         !strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))
         die("Bad referer");
if ($_POST['submit'] == TRUE) {
	$receiverMail = "REMOVED@DOMAIN.COM";
	$name		= stripslashes(strip_tags($_POST['name']));
	$email		= stripslashes(strip_tags($_POST['email']));
	$subject	= stripslashes(strip_tags($_POST['subject']));
	$msg		= stripslashes(strip_tags($_POST['msg']));
	$ip			= $_SERVER['REMOTE_ADDR'];
	$referer	= $_SERVER['HTTP_REFERER'];
	$br 		= new Browser;
	$msgformat	= "From: $name ($ip)\n\nReferer: $referer\nOperating System: $br->Platform\nBrowser: $br->Name Build $br->Version\n\nEmail: $email\n\n$msg";

if(empty($name) || empty($email) || empty($subject) || empty($msg)) {
	echo "<h2>The message was not sent</h2><p>Please fill all the required fields</p>";
}
elseif(!ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
	echo "<h2>The message was not sent</h2><p>The email address is invalid</p>";
}
elseif(mail($receiverMail, $subject, $msgformat, "From: $name <$email>")) {
	echo "<h2>The message has been sent!</h2><p>We will get back to you as soon as possible.</p>"; }
else {
	echo "<h2>The message was not sent</h2><p>Please try again... If the problem continues there's probably something wrong with the server.</p>";
}
}
else { ?>								  

				<form action="<?php $_SERVER['PHP_SELF'];?>" name="contact" id="contact" method="post">
	<table border="0" cellspacing="0" cellpadding="2">
		<tr>
			<td width="67" valign="top" class="headercell"><b>Name:</b></td>
	<td width="325"><input name="name" type="text" class="contact" id="name" size="20" maxlength="40" /></td>
		</tr>
	<tr>
			<td valign="top" class="headercell"><b>Email:</b></td>
	<td><input name="email" type="text" class="contact" id="email" size="20" maxlength="40" /></td>
	</tr>
	<tr>
				<td valign="top" class="headercell"><b>Subject:</b></td>
	<td><input name="subject" type="text" class="contact" id="subject" size="20" maxlength="40" /></td>
	</tr>
			<td valign="top" class="headercell"><b>Message:</b></td>
	<td><textarea name="msg" cols="40" rows="4" class="contactmsg" id="message"></textarea></td>
	</tr>	
				<td valign="top" class="headercell"></td>
	<td><input id="submit" class="contact" type="submit" name="submit" value="Send" /></td>
	</tr>
	</table>
</form>
<?php } ?>

browser.php

<?php
class browser{

var $Name = "Unknown";
var $Version = "Unknown";
var $Platform = "Unknown";
var $UserAgent = "Not reported";
var $AOL = false;

function browser(){
	$agent = $_SERVER['HTTP_USER_AGENT'];

	// initialize properties
	$bd['platform'] = "Unknown";
	$bd['browser'] = "Unknown";
	$bd['version'] = "Unknown";
	$this->UserAgent = $agent;

	// find operating system
	if (eregi("win", $agent))
		$bd['platform'] = "Windows";
	elseif (eregi("mac", $agent))
		$bd['platform'] = "MacIntosh";
	elseif (eregi("linux", $agent))
		$bd['platform'] = "Linux";
	elseif (eregi("OS/2", $agent))
		$bd['platform'] = "OS/2";
	elseif (eregi("BeOS", $agent))
		$bd['platform'] = "BeOS";

	// test for Opera		
	if (eregi("opera",$agent)){
		$val = stristr($agent, "opera");
		if (eregi("/", $val)){
			$val = explode("/",$val);
			$bd['browser'] = $val[0];
			$val = explode(" ",$val[1]);
			$bd['version'] = $val[0];
		}else{
			$val = explode(" ",stristr($val,"opera"));
			$bd['browser'] = $val[0];
			$bd['version'] = $val[1];
		}

	// test for WebTV
	}elseif(eregi("webtv",$agent)){
		$val = explode("/",stristr($agent,"webtv"));
		$bd['browser'] = $val[0];
		$bd['version'] = $val[1];

	// test for MS Internet Explorer version 1
	}elseif(eregi("microsoft internet explorer", $agent)){
		$bd['browser'] = "MSIE";
		$bd['version'] = "1.0";
		$var = stristr($agent, "/");
		if (ereg("308|425|426|474|0b1", $var)){
			$bd['version'] = "1.5";
		}

	// test for NetPositive
	}elseif(eregi("NetPositive", $agent)){
		$val = explode("/",stristr($agent,"NetPositive"));
		$bd['platform'] = "BeOS";
		$bd['browser'] = $val[0];
		$bd['version'] = $val[1];

	// test for MS Internet Explorer
	}elseif(eregi("msie",$agent) && !eregi("opera",$agent)){
		$val = explode(" ",stristr($agent,"msie"));
		$bd['browser'] = $val[0];
		$bd['version'] = $val[1];

	// test for MS Pocket Internet Explorer
	}elseif(eregi("mspie",$agent) || eregi('pocket', $agent)){
		$val = explode(" ",stristr($agent,"mspie"));
		$bd['browser'] = "MSPIE";
		$bd['platform'] = "WindowsCE";
		if (eregi("mspie", $agent))
			$bd['version'] = $val[1];
		else {
			$val = explode("/",$agent);
			$bd['version'] = $val[1];
		}

	// test for Galeon
	}elseif(eregi("galeon",$agent)){
		$val = explode(" ",stristr($agent,"galeon"));
		$val = explode("/",$val[0]);
		$bd['browser'] = $val[0];
		$bd['version'] = $val[1];

	// test for Konqueror
	}elseif(eregi("Konqueror",$agent)){
		$val = explode(" ",stristr($agent,"Konqueror"));
		$val = explode("/",$val[0]);
		$bd['browser'] = $val[0];
		$bd['version'] = $val[1];

	// test for iCab
	}elseif(eregi("icab",$agent)){
		$val = explode(" ",stristr($agent,"icab"));
		$bd['browser'] = $val[0];
		$bd['version'] = $val[1];

	// test for OmniWeb
	}elseif(eregi("omniweb",$agent)){
		$val = explode("/",stristr($agent,"omniweb"));
		$bd['browser'] = $val[0];
		$bd['version'] = $val[1];

	// test for Phoenix
	}elseif(eregi("Phoenix", $agent)){
		$bd['browser'] = "Phoenix";
		$val = explode("/", stristr($agent,"Phoenix/"));
		$bd['version'] = $val[1];

	// test for Firebird
	}elseif(eregi("firebird", $agent)){
		$bd['browser']="Firebird";
		$val = stristr($agent, "Firebird");
		$val = explode("/",$val);
		$bd['version'] = $val[1];

	// test for Firefox
	}elseif(eregi("Firefox", $agent)){
		$bd['browser']="Firefox";
		$val = stristr($agent, "Firefox");
		$val = explode("/",$val);
		$bd['version'] = $val[1];

  // test for Mozilla Alpha/Beta Versions
	}elseif(eregi("mozilla",$agent) && 
		eregi("rv:[0-9].[0-9][a-b]",$agent) && !eregi("netscape",$agent)){
		$bd['browser'] = "Mozilla";
		$val = explode(" ",stristr($agent,"rv:"));
		eregi("rv:[0-9].[0-9][a-b]",$agent,$val);
		$bd['version'] = str_replace("rv:","",$val[0]);

	// test for Mozilla Stable Versions
	}elseif(eregi("mozilla",$agent) &&
		eregi("rv:[0-9]\.[0-9]",$agent) && !eregi("netscape",$agent)){
		$bd['browser'] = "Mozilla";
		$val = explode(" ",stristr($agent,"rv:"));
		eregi("rv:[0-9]\.[0-9]\.[0-9]",$agent,$val);
		$bd['version'] = str_replace("rv:","",$val[0]);

	// test for Lynx & Amaya
	}elseif(eregi("libwww", $agent)){
		if (eregi("amaya", $agent)){
			$val = explode("/",stristr($agent,"amaya"));
			$bd['browser'] = "Amaya";
			$val = explode(" ", $val[1]);
			$bd['version'] = $val[0];
		} else {
			$val = explode("/",$agent);
			$bd['browser'] = "Lynx";
			$bd['version'] = $val[1];
		}

	// test for Safari
	}elseif(eregi("safari", $agent)){
		$bd['browser'] = "Safari";
		$bd['version'] = "";

	// remaining two tests are for Netscape
	}elseif(eregi("netscape",$agent)){
		$val = explode(" ",stristr($agent,"netscape"));
		$val = explode("/",$val[0]);
		$bd['browser'] = $val[0];
		$bd['version'] = $val[1];
	}elseif(eregi("mozilla",$agent) && !eregi("rv:[0-9]\.[0-9]\.[0-9]",$agent)){
		$val = explode(" ",stristr($agent,"mozilla"));
		$val = explode("/",$val[0]);
		$bd['browser'] = "Netscape";
		$bd['version'] = $val[1];
	}

	// clean up extraneous garbage that may be in the name
	$bd['browser'] = ereg_replace("[^a-z,A-Z]", "", $bd['browser']);
	// clean up extraneous garbage that may be in the version		
	$bd['version'] = ereg_replace("[^0-9,.,a-z,A-Z]", "", $bd['version']);

	// check for AOL
	if (eregi("AOL", $agent)){
		$var = stristr($agent, "AOL");
		$var = explode(" ", $var);
		$bd['aol'] = ereg_replace("[^0-9,.,a-z,A-Z]", "", $var[1]);
	}

	// finally assign our properties
	$this->Name = $bd['browser'];
	$this->Version = $bd['version'];
	$this->Platform = $bd['platform'];
	$this->AOL = $bd['aol'];
}
}
?>