[nycphp-talk] worm/virus's hammering feedback scripts?
Rolan Yang
rolan at omnistep.com
Mon Sep 12 11:16:18 EDT 2005
Hans Zaunere wrote:
>Another address I've seen is mhkoch321 at aol.com
>
>Rolan, and I think you're right about this problem not getting enough
>exposure. If you can write-up a couple of paragraphs about it, I'll post it
>on nyphp.org's frontpage.
>
Ok, here's the bulletin. If anyone would like to polish it up, feel free
to do so. I'm not good at writing this stuff.
Problem:
Bot-net scanning underway to detect and log php scripts which are
vulnerable to an email header injection exploit.
What is vulnerable:
PHP scripts which send email based on cgi input data should be inspected
for the vulnerability.
Discussion:
A large scale distributed network of machines is currently being
employed to scan php based websites in search of scripts which are
vulnerable to an injection-style security exploit. The exploit permits an
attacker to send emails to arbitrary destinations. A common target is
the web based feedback form which submits an email to a designated
address, but could be any form which results in an email being sent.
The method used to exploit the vulnerability is injection of email
headers into cgi form fields which are passed to the mail server. The
mail server then parses the headers and sends the email to the
address(es) designated in the maliciously injected headers.
Exploit:
The bot-net script currently probes vulnerable scripts by injecting
malicious headers into cgi form fields. The headers forward an email
response to one of several target email addresses to which the hacker has
access. We assume the attacker is collecting a list of vulnerable sites
which may be used later as an open relay for spam or large scale
deployment of viruses/worms.
For more information about the attack, please refer to:
http://securephp.damonkohler.com/index.php/Email_Injection (thanks to
Billy Reisinger for the link)
A google search for the target emails reveals that scans have been
taking place since at least July 8, 2005
Detection and Solution:
The current bot-net probe is known to send its reply to one of several
known email addresses on the following list.
Grep through your mail server logs for the list of emails. If any are
found, cross reference the time of the mailing to times in your web
server logs to help determine the exploitable script.
grep -f exploitemails.txt /var/log/maillog (or wherever your mail log is
located)
Vulnerable scripts should be modified to properly filter input fields.
Ken Robinson has posted a php example at:
http://lists.nyphp.org/pipermail/talk/2005-September/016124.html
To follow the mailing list thread on this topic, please visit:
http://lists.nyphp.org/pipermail/talk/2005-September/thread.html#16123
(we should build a list of these emails and publish them along with this
notification)
Current list:
jrubin3546 at aol.com
mkoch321 at aol.com
wnacyiplay at aol.com
kshmng at aol.com
Homeiragtime at aol.com
bergkoch8 at aol.com
~Rolan Yang
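As an added example (not part of Rolan's bulletin, the thread, or Ken Robinson's PHP post), the Python below shows both halves of the bulletin in runnable form: first, how a CRLF in a form field becomes an extra Bcc header once the raw header block reaches the MTA, and the check that stops it (refuse CR/LF in any header field, and require the address field to be a single address); second, the "grep the mail log, then cross-reference the web log" procedure from the Detection section, done as a script over a few constructed log lines. The log lines, host names, IPs, and times are made up for the example; it assumes sendmail-style maillog lines (which carry no year, so 2005 is supplied), Apache combined-format access log lines, both logs in the same local time, and a 120-second window between the POST and the outbound mail.

```python
import re
from datetime import datetime

# ---- Part 1: the injection, and the check that blocks it -------------------

def build_mail_headers(from_addr, subject):
    """Mimics a naive feedback script: the form's 'email' and 'subject'
    fields are concatenated straight into the extra headers handed to the
    mailer. Any CR/LF the attacker supplies starts a new header line."""
    return f"From: {from_addr}\r\nSubject: {subject}\r\n"

def parse_headers(raw):
    """Minimal header parse, roughly what an MTA does: one 'Name: value'
    per line. Bare LF is accepted too, as many MTAs do."""
    headers = []
    for line in re.split(r"\r?\n", raw):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def recipients_from_headers(headers):
    """Addresses the MTA would deliver to, i.e. To/Cc/Bcc values."""
    rcpts = []
    for name, value in headers:
        if name in ("to", "cc", "bcc"):
            rcpts.extend(a.strip() for a in value.split(",") if a.strip())
    return rcpts

CRLF_RE = re.compile(r"[\r\n]")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def safe_header_value(value):
    """A header field must not contain CR or LF; that alone defeats injection."""
    return CRLF_RE.search(value) is None

def is_valid_email(value):
    """Single address, no line breaks (the regex is deliberately strict)."""
    return safe_header_value(value) and EMAIL_RE.match(value) is not None

def build_mail_headers_hardened(from_addr, subject):
    """The fix the bulletin asks for: validate every field before it is
    placed in a header, and refuse the request outright on failure."""
    if not is_valid_email(from_addr) or not safe_header_value(subject):
        raise ValueError("header injection attempt rejected")
    return build_mail_headers(from_addr, subject)

# ---- Part 2: detection by cross-referencing mail log and web log -----------

PROBE_ADDRESSES = {  # the list from the bulletin, lower-cased for matching
    "jrubin3546@aol.com", "mkoch321@aol.com", "wnacyiplay@aol.com",
    "kshmng@aol.com", "homeiragtime@aol.com", "bergkoch8@aol.com",
}

# Constructed sample logs (hosts, IPs and times are invented for this example).
MAILLOG = """\
Sep 12 10:14:02 web1 sendmail[2231]: j8CEE2nA002231: to=<jrubin3546@aol.com>, ctladdr=<www@web1> (48/48), delay=00:00:01, mailer=esmtp, stat=Sent
Sep 12 10:20:05 web1 sendmail[2290]: j8CEK5bc002290: to=<admin@example.com>, ctladdr=<www@web1> (48/48), delay=00:00:00, mailer=esmtp, stat=Sent
Sep 12 11:02:33 web1 sendmail[2410]: j8CF2Xqp002410: to=<kshmng@aol.com>, ctladdr=<www@web1> (48/48), delay=00:00:01, mailer=esmtp, stat=Sent
"""
ACCESSLOG = """\
203.0.113.5 - - [12/Sep/2005:09:00:10 -0400] "POST /feedback.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Sep/2005:10:14:01 -0400] "POST /feedback.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Sep/2005:10:19:40 -0400] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2005:11:02:32 -0400] "POST /contact/send.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"
"""

MAILLOG_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: \S+: to=<([^>]+)>")
ACCESSLOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def find_probe_deliveries(maillog_lines, year):
    """The 'grep -f exploitemails.txt /var/log/maillog' step: returns
    (delivery time, probe address) for every mail sent to a known probe
    address. syslog stamps carry no year, so the caller supplies it."""
    hits = []
    for line in maillog_lines:
        m = MAILLOG_RE.match(line)
        if m and m.group(2).lower() in PROBE_ADDRESSES:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((when, m.group(2).lower()))
    return hits

def suspect_scripts(maillog_lines, access_lines, year, window=120):
    """The cross-reference step: for each probe delivery, every POST in the
    access log within `window` seconds before it is a candidate script.
    Assumes both logs are in the same local time (tz offset is dropped)."""
    posts = []
    for line in access_lines:
        m = ACCESSLOG_RE.match(line)
        if m and m.group(3) == "POST":
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            posts.append((when, m.group(4), m.group(1)))
    findings = []
    for mail_time, rcpt in find_probe_deliveries(maillog_lines, year):
        for post_time, path, client in posts:
            if 0 <= (mail_time - post_time).total_seconds() <= window:
                findings.append({"script": path, "client": client,
                                 "probe_addr": rcpt, "mail_time": mail_time})
    return findings

if __name__ == "__main__":
    injected = "victim@example.com\r\nBcc: jrubin3546@aol.com"
    print("injected recipients:",
          recipients_from_headers(parse_headers(build_mail_headers(injected, "hi"))))
    for f in suspect_scripts(MAILLOG.splitlines(), ACCESSLOG.splitlines(), 2005):
        print(f"{f['mail_time']} probe to {f['probe_addr']} preceded by POST "
              f"{f['script']} from {f['client']}")
```

On a real box, point find_probe_deliveries at /var/log/maillog and suspect_scripts at the Apache access log; the window is deliberately short because the probe's mail leaves within a second or two of the POST, and a longer window mostly adds unrelated form submissions. The Part 1 check is the important one: once CR and LF are refused in every form field that reaches a header, the attacker has no way to append a Bcc, regardless of what addresses the bot-net is using this week.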