Security...can anyone help?

heron

Someone did hijack my mailer using script file attached.
They put it in a cache directory.
Every five minutes or so a bot visits my site, even though I have taken site down for the time being.
I am inexperienced, so I don't know exactly what this is doing.
It seems to be sending mail and trying to collect information.
But I'm not sure exactly what.

Do any of you guys know what is going on?
Is there some other code I can put in place of the script to catch any detail of the bot activity / hacker ID?

Sorry if this thread is inappropriate, but I am worried about this and hope some experts could shine a light on what is going on.

NogDog

Any user-supplied value that is going to be used in any of the arguments to mail() other than the message (the 3rd argument) must be filtered for email header injections. At a minimum, you can filter out all carriage returns/newlines with something like:

$value = preg_replace('/[\r\n]+/', ' ', $value);

Or instead of replacing them you could instead search with preg_match() and then return an error if you find them instead of continuing to process the mail request.

MarkR

Rather than filtering out embedded newlines in those form fields, it would be preferable to log an error, return an error message and attempt to send no email.

As someone has compromised your site, you must do the following:

Shut the site down immediately, change your passwords to your hosting
Notify your hosting provider who will doubtless need to reinstall the box having moved all hosted sites off it.
On a test box, restore all your code and data from the last known good backup - go through it with a fine-tooth comb to check for unauthorised modifications. Ideally restore all your code from a known good version (the one you keep in your SCM system).

If your site uses passwords for end-users, they all need to be changed. If your site has administrative logins then they need to be checked carefully to make sure no new ones have appeared (ideally just disable them all and re-enable them on an as-needed basis).

Your site's been compromised - nothing less than a reinstall will clean it.

Bear in mind that your desktop (or one of your users' desktops) may have been compromised - you should check this too.

Mark