Hacker's Exploitation Of A CGI Script On My Site To Send Massive Spam Emails - Hard Lessons Learnt!

I have reviewed the spam evidence sent to us and in the headers the subject is different every time which means the script used is taking the input data from the visitor and doesn't edit it at all:

Subject: Incredibly undervalued, you'll not want to miss this opportunity the protracted I have found several such scripts in your FTP space:

There might be others that are compromiseable too but you know better the structure of your website and which exactly script is sending the data unchanged. The bottom line is to filter out all input data as suggested in the two articles above.

Thank you,

Clues Left Behind By The Hacker In My Server Space

When I eventually gained access to my server space, I found confirmation that it was indeed the "pcmanrefer.pl" script that had been exploited: Its referral log file (refer-log.txt), had grown to a massive 11.1 Megabytes size(many million bytes up from its 0 bytes size when I uploaded it less than 9 days before)! Opening the file revealed huge volumes of email addresses and message contents, originating from bogus "addresses" at my sub domain e.g. InvestorsWeekly@spontaneousdevelopment.com; my@spontaneousdevelopment.com; stephannie@www.spontaneousdevelopment.com ("who is SHE??", I said to myself) - and many, many more!

The Attack Had A Negative Multiplier Effect - Which Is Why You Would Be Wise To Prevent It Happening

When my hosting account was suspended, my websites could not be visited, nor could I access mails sent to my webmail account at my domain during that seven day period. But that was just one side of it. ALL the short URLs that I had created to point to various sub domains on my main website were put up for removal by the service provider, who placed a bookmark update link on a page leading the to home page - with the following message:

"Due to enormous phishing spam with our sub domains () we will close this short url re-direction. Please update your bookmarks. "

One example of short URL that was affected by this problem is http://www.cbsolutions.v27.net, which points to cbsolutions.spontaneousdevelopment.com - the mini site for my Creative Business Solutions(CB Solutions) delivery service.

My mind raced back to all the articles I had published at the Ezine articles directory, in which I had used the short URL addresses in the resource boxes invitation to readers(at the end of the article). A number of those articles carrying the short URLs had been syndicated on other websites, where I would not have access to make changes to them. I realised that it would only be a matter of time before readers of some of my articles would find themselves confronted with a "Page Not Found" browser error, or a general advert page for domain names sales etc - instead of my site: Definitely not good for the image I was trying to build online!

I provide the above details to give you an idea of just how bad this can be - so you can really understand why it would be in your best interest to make sure you never leave yourself open to the extent that this type of problem can affect your website.

Taking Action To Prevent (Future) Attacks

I deleted the "pcmanrefer.pl" script and the other two that were identified by the hosting provider's administrator (see email above). I also removed another mailing list managment CGI script that I installed a month before. In a way, I felt like I was taking medicine after death. :-) But at least by this time, I actually had a better idea of WHAT had happened, HOW, and WHY - and what I could do to protect myself for the future. Next, I visited the URLs emailed to me by my web host. Out of curiosity, I also did a number of searches on Google, to see what else I could learn about "form post hijacking", and spamming in general. Below, I provide links to some useful resources I found. If you own a website, I think you will want to spend some time studying them.

IMPORTANT NOTE:

1. It would interest you to know that I no longer use a site referral script on my wesbsite. Instead I have developed a simple email recommendation template that anyone who is so keen to tell another about my site can use. Visit http://www.spontaneousdevelopment.com/referus.htm to see what i mean. There are many other effective ways to get marketing exposure for a website, and I am currently modifying my website design/marketing strategy to accommodate them. As time goes on, visitors to my website will see ample evidence of this.

2. Some of the resources whose URLs are listed below, were published as far back as 2002, so they might not exactly offer relevant or effective remedies that can be successfully applied today. However, the educational value they offer towards understanding the problem(s), in my opinion, would still make them worth a visit.

So, with that note of warning, I wish you happy reading and good luck in your fight to protect your website against exploitation.

Useful Learning/Problem-Solving Resources

1. Using Apache to stop bad robots | evolt.org - by Daniel Cody http://www.evolt.org/article/Using_Apache_to_stop_bad_robots/18/15126/

2. Why Some Scripts are dangerous to use on your Website - http://webnet77.com/help/dangers.html

3. http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay - By Anders Brownworth Interesting Crack Attempt to Relay Spam (Comment: this is actually a precursor to the full article referred to me by my web host titled "Form Post Hijacking - How to solve the problem.")

4. By Anders Brownworth - Form Post Hijacking - How To Solve The Problem article author

http://www.anders.com/projects/sysadmin/formPostHijacking/

5. http://handsonhowto.com/cgi101.html - A Hands-On How-To(Securing the CGI script section - useful) - from Brass Cannon Consulting

6. WWW Security FAQ: CGI Scripts - http://www.w3.org/Security/Faq/wwwsf4.html -by Lincoln Stein (lstein@cshl.org) and John Stewart (jns@digitalisland.net) - hosted by the World Wide Web Consortium (W3C) as a service to the Web Community.

7. Stopping Spambots: A Spambot Trap - http://www.neilgunton.com/spambot_trap/

8. How to block spambots, ban spybots, and tell unwanted robots to go ... Spamming of referer logs is a growing nuisance,

http://diveintomark.org/archives/2003/02/26/how_to_ block_spambots_ban_spybots_and_tell_unwanted_robots_to_go_to_hell

Self-Development/Performance Enhancement Specialist – Tayo Solagbade - devotes his time to exploring new frontiers of Self-Development Education, especially as it relates to showing people what they can do by themselves, for themselves to achieve their set goals - DESPITE the limitations of their circumstances or environment.

Download FREE demos of customisable Excel-VB driven spreadsheet application such as (1) an Automated Invoice, And Delivery Note Generator (2). a Personal Bank Deposits/Withdrawals Monitor™ (3) a Church Records Manager™ or (4) an Article Readers' Interest Index(RII)™ analyser from http://www.excelheaven.spontaneousdevelopment.com

Article source: Expert Articles