Dear All, Lately I'm facing a lot of hackers who upload their script via buggy Joomla or WordPress and run the script to send thousands of spam mails. A sample of the script is below:
--------------------------------------------------------------------------------------------------------------------------------------------- (mail.php)
<?php
// The code is the uploaded script exactly as posted; only the line breaks and the
// comments were added while editing.
ini_set('mail.add_x_header','off');   // suppress X-PHP-Originating-Script, which would reveal this file's path
// every control input comes from $_REQUEST, so GET, POST and cookie parameters all work
$_testmail = $_REQUEST['TESTMAIL'];
$_testlink = $_REQUEST['TESTLINK'];
$_status = $_REQUEST['STATUS'];
$_snames = $_REQUEST['SNAMES'];
$_semails = $_REQUEST['SEMAILS'];
$_message = $_REQUEST['MESSAGE'];
$_subjects = $_REQUEST['SUBJECTS'];
$_ctype = $_REQUEST['CTYPE'];
$_spamdom = $_REQUEST['SPAMDOM'];
$_mlr = $_REQUEST['MAILER'];
$_SERVER['PHP_SELF'] = "/email.php";                 // disguise the script name
$_SERVER['REMOTE_ADDR'] = $_SERVER['SERVER_ADDR'];   // anything in PHP that logs REMOTE_ADDR now records the server's own address
$SpamDom = explode(",", $_spamdom);
$Snames = explode(",", $_snames);
$Semails = explode(",", $_semails);
$Subjects = explode(",", $_subjects);
// random token (letters+digits twice, then a random domain from SPAMDOM) substituted for XXRANDOMXX in the body
$rnx = chr(rand(97,122)) . chr(rand(97,122)) . chr(rand(97,122)) . rand(100,999);
$rnx.= chr(rand(97,122)) . chr(rand(97,122)) . chr(rand(97,122)) . rand(100,999);
$rnx.= "." . $SpamDom[array_rand($SpamDom)];
$smail = $Semails[array_rand($Semails)];
$_rmessage = str_replace("XXRANDOMXX", $rnx, $_message);
$_message = str_replace("\n", "\r\n", $_rmessage);
$_from = $Semails[array_rand($Semails)];     // random sender per run
$_subject = $Subjects[array_rand($Subjects)]; // random subject per run
$_ctype = stripslashes($_ctype);
$message = urlencode($_message);
$message = ereg_replace("%5C%22", "%22", $message);  // ereg_replace() was removed in PHP 7; this script targets PHP 5
$message = urldecode($message);
$_from = stripslashes($_from);
$_message = stripslashes($message);
$_subject = stripslashes($_subject);
$headers = array();
$headers[] = "From: $_from";
$headers[] = "X-Priority: 3";
$headers[] = "X-Mailer: $_mlr";
$headers[] = "MIME-Version: 1.0";
$headers[] = "Content-type: $_ctype; charset=\"UTF-8\"";
$headers[] = "Content-Transfer-Encoding: quoted-printable";
foreach ($headers as $key=>$value) {
    $headers[$key] = stripslashes($value);
}
if($_status == "CHECK") {
    // single test message to TESTMAIL, subject tagged with TESTLINK
    if($_testmail == NULL) return 0;
    if($_from == NULL) return 0;
    if($_message == NULL) return 0;
    if($_subject == NULL) return 0;
    $_subject = $_subject . " " . $_testlink;
    mail($_testmail, $_subject, $_message, implode("\r\n", $headers));
    print "$_testmail\n\n$_message\n\n$_from\n\n$_subject";
} elseif($_status == "MASS") {
    // bulk run: one mail() call per comma-separated address in MAILLIST
    $_maillist = $_REQUEST['MAILLIST'];
    $emails = explode(",", $_maillist);
    if($_from == NULL) return 0;
    if($_message == NULL) return 0;
    if($_subject == NULL) return 0;
    foreach($emails as $email) {
        if($email == NULL) $email = $_testmail;
        mail($email, $_subject, $_message, implode("\r\n", $headers));
        print "$email - SENT\r\n";
    }
} else {
    print "SENDER UP";   // liveness check used by the operator
}
?>
------------------------------------------------------------------------------------------------------------------------
Hopefully there is an idea of how I can prevent the hackers from running that script with mod_security rules. Please help, and thank you so much.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
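A starting point in ModSecurity 2.x syntax, added here as an example; it is not from the original post and not part of the OWASP CRS. The rule ids (1000010 and up) are hypothetical local ids, and the rules assume SecRuleEngine On with request body access so that POST parameters are visible in phase 2. They key on the parameters this particular script reads (STATUS, MAILLIST, SEMAILS, SPAMDOM, TESTMAIL, ...), on a bulk comma-separated recipient list in any argument, and on the multipart upload of a .php file, which is how the script gets onto the host in the first place.

```apache
# Added example, not the original post's or the OWASP CRS's own rules.
# ModSecurity 2.x syntax. Rule ids 1000010-1000030 are hypothetical local ids;
# pick ones that do not collide with the rule set you already load.
SecRuleEngine On
SecRequestBodyAccess On

# 1. The mailer's control interface: STATUS=CHECK|MASS together with at least one
#    of the list parameters the script reads. Chained, so both rules must match.
SecRule ARGS:STATUS "@rx ^(?:check|mass)$" \
    "id:1000010,phase:2,t:none,t:lowercase,deny,status:403,log,\
    msg:'PHP mass-mailer control parameters (STATUS plus MAILLIST/SEMAILS/SPAMDOM/TESTMAIL)',\
    tag:'local/mass-mailer',\
    chain"
    SecRule ARGS_NAMES "@rx ^(?:maillist|semails|snames|spamdom|testmail|mailer|subjects)$" \
        "t:none,t:lowercase"

# 2. Ten or more comma-separated e-mail addresses in a single argument, whatever
#    the parameter is called. Catches a renamed MAILLIST; may also catch a real
#    bulk-address form, so review the audit log before enforcing it.
SecRule ARGS "@rx (?:[^,@\s]+@[^,@\s]+,){10,}" \
    "id:1000020,phase:2,t:none,deny,status:403,log,\
    msg:'Bulk recipient list (10+ addresses) in request argument',\
    tag:'local/mass-mailer'"

# 3. The drop itself: a multipart upload whose original filename ends in a PHP
#    extension (including double extensions such as mail.php.jpg).
SecRule FILES "@rx (?i)\.(?:php\d?|phtml|phar)(?:\.|$)" \
    "id:1000030,phase:2,t:none,deny,status:403,log,\
    msg:'Upload of PHP script via multipart form',\
    tag:'local/webshell-upload'"
```

Run these with SecRuleEngine DetectionOnly first and watch the audit log for false positives, especially rule 1000020. Rules keyed on parameter names are defeated by the next build of the script that renames them, so treat the upload rule and patching the Joomla/WordPress hole as the real fix; the parameter rules buy time and, because the hit is logged with the request URI, point you at the dropped file so you can remove it.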