Hi Mark:
Thanks for your reply.
I see I have a lot of work to do. Unfortunately I'm not a web server
technical guy, JUST a programmer.
Maybe I shouldn't have assumed that qmail was where I should start looking,
but it seemed reasonable to a non-technical person that qmail was sending my
PHP generated email to the outside world.
> That your system or script has been compromised almost
> certainly has nothing to do with qmail
So my question should have been,
"How can my system be tampered with to force qmail to send out 10,000 bogus
emails?"
Here is the PHP script. I have run similar scripts through the same web
server with no problems. I echoed each email correctly to my browser screen
and have a copy of the screen output from the offending occurrence which
shows a single email being generated for each of the 15 recipients as
expected. Don't tell me the hacker bothered to fake that as well.
<?php
// send email to these people ("name~address" pairs; addresses redacted in the post)
$tu[0] = "curious~[EMAIL PROTECTED]";
$tu[1] = "curious~[EMAIL PROTECTED]";
$tu[2] = "curious~[EMAIL PROTECTED]";
$tu[3] = "curious~[EMAIL PROTECTED]";
$tu[4] = "curious~[EMAIL PROTECTED]";
$tu[5] = "curious~[EMAIL PROTECTED]";
$tu[6] = "curious~[EMAIL PROTECTED]";
$tu[7] = "curious~[EMAIL PROTECTED]";
$tu[8] = "curious~[EMAIL PROTECTED]";
$tu[9] = "curious~[EMAIL PROTECTED]";
$tu[10] = "curious~[EMAIL PROTECTED]";
$tu[11] = "curious~[EMAIL PROTECTED]";
$tu[12] = "curious~[EMAIL PROTECTED]";
$tu[13] = "curious~[EMAIL PROTECTED]";
$tu[14] = "curious~[EMAIL PROTECTED]";
for ($j = 0; $j < 15; $j++) {
    // split "name~address" into its two parts
    $NM = explode("~", $tu[$j]);
    echo "$NM[0] ~ $NM[1]<p>";
    $name = $NM[0];
    $mail = $NM[1];
    // ==============================================================
    $message = "
Hey $name!
Blah Blah Blah
Best regards,
Chris Gray
";
    // exactly one mail() call per recipient
    mail($mail, "GoldGame News", $message, "From: [EMAIL PROTECTED]");
    // ==============================================================
    echo "$message<p>";
} // end of the loop over the 15 recipients
?>
Here are some of the headers:
The job was run in the early afternoon of Jan 7th. I remember being
surprised at the time that it took so long to execute. Maybe a couple of
minutes??
Return-Path: [EMAIL PROTECTED]
Received: from hedo5.netrover.com (hedo5.netrover.com [205.209.16.80]) by
river.netrover.com (8.9.3+Sun/8.7.3) with SMTP id TAA09543 for
<[EMAIL PROTECTED]>; Sun, 7 Jan 2001 19:29:24 -0500 (EST)
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: <[EMAIL PROTECTED]>
Received: (qmail 30238 invoked by uid 2526); 8 Jan 2001 01:26:14 -0000
Date: 8 Jan 2001 01:26:14 -0000
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: GoldGame News
From: [EMAIL PROTECTED]
X-UIDL: U'F!!;$W!!ae[!!\i["!
Return-Path: [EMAIL PROTECTED]
Received: from hedo5.netrover.com (hedo5.netrover.com [205.209.16.80]) by
river.netrover.com (8.9.3+Sun/8.7.3) with SMTP id NAA13581 for
<[EMAIL PROTECTED]>; Sun, 7 Jan 2001 13:55:26 -0500 (EST)
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: <[EMAIL PROTECTED]>
Received: (qmail 28606 invoked by uid 2526); 7 Jan 2001 19:52:18 -0000
Date: 7 Jan 2001 19:52:18 -0000
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: GoldGame News
From: [EMAIL PROTECTED]
X-UIDL: 9-J!!E3c"!'$N!!ICN"!
Return-Path: [EMAIL PROTECTED]
Received: from hedo5.netrover.com (hedo5.netrover.com [205.209.16.80]) by
river.netrover.com (8.9.3+Sun/8.7.3) with SMTP id OAA29607 for
<[EMAIL PROTECTED]>; Sun, 7 Jan 2001 14:58:27 -0500 (EST)
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: <[EMAIL PROTECTED]>
Received: (qmail 2256 invoked by uid 2526); 7 Jan 2001 20:55:18 -0000
Date: 7 Jan 2001 20:55:18 -0000
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: GoldGame News
From: [EMAIL PROTECTED]
X-UIDL: BFR"!B%1"!T+M!!<;d!!
Return-Path: [EMAIL PROTECTED]
Received: from hedo5.netrover.com (hedo5.netrover.com [205.209.16.80]) by
river.netrover.com (8.9.3+Sun/8.7.3) with SMTP id OAA29725 for
<[EMAIL PROTECTED]>; Sun, 7 Jan 2001 14:58:49 -0500 (EST)
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: <[EMAIL PROTECTED]>
Received: (qmail 2325 invoked by uid 2526); 7 Jan 2001 20:55:41 -0000
Date: 7 Jan 2001 20:55:41 -0000
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: GoldGame News
From: [EMAIL PROTECTED]
X-UIDL: K\_"!B?[!!T[J"!T`c"!
Return-Path: [EMAIL PROTECTED]
Received: from hedo5.netrover.com (hedo5.netrover.com [205.209.16.80]) by
river.netrover.com (8.9.3+Sun/8.7.3) with SMTP id PAA01609 for
<[EMAIL PROTECTED]>; Sun, 7 Jan 2001 15:02:56 -0500 (EST)
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: <[EMAIL PROTECTED]>
Received: (qmail 5604 invoked by uid 2526); 7 Jan 2001 20:59:37 -0000
Date: 7 Jan 2001 20:59:37 -0000
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: GoldGame News
From: [EMAIL PROTECTED]
X-UIDL: pBi!![JS!!i&E"!)=V!!
> What makes you think it's a
> problem with qmail rather than say, your OS, or your PHP scripts, or
> your database, or your users?
I never said it was a qmail problem. I asked how qmail could be hacked.
Anyway, simply by elimination.
Users?
Are you serious! Do I have to show you the snarly and occasionally humorous
messages I received from them? I received hundreds of these bogus emails
myself. Would you like me to send them to you? heheheheheheh
Database?
This email application doesn't use one, yet. The recipients were hard-coded
for testing purposes.
PHP script?
How can PHP generate 10,000 emails from a simple 15 iteration FOR loop?
Maybe the 'explode' function exploded?
The PHP mail() function may have gone berserk but only on that single
occasion, but if it did why would the 10,000 emails get sent in 3 or 4
batches spread over 6 hours? Well it's possible... I know an NT box takes
several seconds to send out an email as I've often watched a batch job
scrolling in a DOS window.
Hmm... maybe I should go and bug the PHP people...
But wait a minute! Don't forget the hacked entries in my database the day
before. Just a coincidence?
The OS?
Well you've got me there <g>
All I know is it's a SUN Unix box with some PLESK software package that
handles the web-hosting.
I don't want to ask our techs for more information as I suspect one of them
is the culprit.
I know the PHP/mySQL versions but that shouldn't help too much.
This is commercial web-hosting from a successful fair-sized Canadian-wide
ISP with supposedly tight security, except for the inside techs.
Could the OS generate 10,000 different values in the email headers? I'm not
a headers guru.
I'm not suggesting that qmail is flakey. I just want to know if and how it
can be manipulated by a malicious user. I know nothing about email servers.
I assume it gets input from PHP then fires a data stream out through a port.
> You've given no relevant log entries showing the multiple delivery
> attempts to the addresses in question
I only have access to my own domain directory. I never thought of looking in
there. I'll try that.
Thanks,
Chris
----- Original Message -----
From: Mark Delany <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 10, 2001 3:58 PM
Subject: Re: Was my qmail hacked?
> On Wed, Jan 10, 2001 at 03:40:35PM -0500, Chris Gray wrote:
> > Hi. I'm generating emails through PHP scripts. Recently I sent a single
> > personalised message to 15 private list members. They each received 500-800
> > identical copies over a 4 to 5 hour period in 3 or 4 batches.
> >
> > Could anyone help me solve this? I suspect human intervention as the
> > previous day an email-related database received 3 identical records
> > containing the words, MORONS, LOOSERS (spelling!) and ANOTHER_SCHEME,
> > together with my own email address.
> >
> > Yes, I had previously tested that script and later ran the same script with
> > myself as each of the 15 recipients. There were no problems. The email
> > headers don't show anything unusual.
> >
> > Any help or pointers much appreciated.
>
> Well, lemme see...
>
> You've given no examples of the "identical emails" so we can't help by
> looking at those.
>
> You've given no relevant log entries showing the multiple delivery
> attempts to the addresses in question, so we can't help by looking at
> these.
>
> You haven't shown us the headers that "don't show anything unusual" so
> we can't confirm that your guess is correct.
>
>
> You've given no information about:
>
> o your operating system
> o your qmail install
> o what sort of access other people have to these scripts
> o what your php scripts look like
> o who has access to those scripts - can a web server get at them?
>
>
> Come to think of it, all you really said is "something went wrong, can
> you help?". Surely you don't think that's enough information, do you?
> If you do, I highly recommend that you pay someone to look into the
> problem for you.
>
> Furthermore, you've posted what appears to be a general security
> problem. That your system or script has been compromised almost
> certainly has nothing to do with qmail. What makes you think it's a
> problem with qmail rather than say, your OS, or your PHP scripts, or
> your database, or your users?
>
>
>
> Regards.
>
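Added example, not part of this thread: qmail stamps a "Received: (qmail PID invoked by uid UID)" header on every message injected locally, so each distinct PID in the copies is a separate injection of the script's output, not a delivery retry of one message. The script below parses the five such headers Chris posted, confirms they all come from one uid, and clusters the injection times into batches (30-minute gap is an assumed threshold) so a defender can match the batches against the web server's access log for that uid.

```python
import re
from datetime import datetime, timedelta

# The five qmail injection headers copied from the headers posted above (no values invented).
RECEIVED_LINES = """\
Received: (qmail 30238 invoked by uid 2526); 8 Jan 2001 01:26:14 -0000
Received: (qmail 28606 invoked by uid 2526); 7 Jan 2001 19:52:18 -0000
Received: (qmail 2256 invoked by uid 2526); 7 Jan 2001 20:55:18 -0000
Received: (qmail 2325 invoked by uid 2526); 7 Jan 2001 20:55:41 -0000
Received: (qmail 5604 invoked by uid 2526); 7 Jan 2001 20:59:37 -0000
""".splitlines()

QMAIL_RE = re.compile(
    r"^Received: \(qmail (?P<pid>\d+) invoked by uid (?P<uid>\d+)\); (?P<date>.+)$"
)


def parse_injection(line):
    """Return {pid, uid, when} for a qmail local-injection Received header, else None."""
    m = QMAIL_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group("date"), "%d %b %Y %H:%M:%S %z")
    return {"pid": int(m.group("pid")), "uid": int(m.group("uid")), "when": when}


def group_batches(injections, gap=timedelta(minutes=30)):
    """Cluster injections by time: a new batch starts when the gap to the previous one exceeds `gap`."""
    ordered = sorted(injections, key=lambda i: i["when"])
    batches = []
    for inj in ordered:
        if batches and inj["when"] - batches[-1][-1]["when"] <= gap:
            batches[-1].append(inj)
        else:
            batches.append([inj])
    return batches


def summarize(lines):
    """Count distinct injections, the uids that made them, and the batch structure."""
    injections = [i for i in map(parse_injection, lines) if i]
    batches = group_batches(injections)
    return {
        "injections": len(injections),
        "distinct_pids": len({i["pid"] for i in injections}),
        "uids": sorted({i["uid"] for i in injections}),
        "batches": [(b[0]["when"], b[-1]["when"], len(b)) for b in batches],
    }
```

Five distinct PIDs under one uid in three batches means the sending script was run repeatedly as that uid; a web-reachable script that mails on every request with no authentication is the first thing to check.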