
View Full Version : CGIEmail abuse??



ajparker
05-26-2004, 08:02 PM
I've been away from the forum, but have come back with a question....

Today I've had LITERALLY 1000+ messages that exhibit the following characteristics....

All are from the mail delivery subsystem (mailerdaemon@mydomain.com) and the failure was of a delivery to root@mydomain.com.... (I get postmaster's mail, so I get these bounces.) In digging deeper, the message that was to be delivered to root@mydomain.com was itself a delivery failure of a message SENT FROM a script called cgiemail according to the info... what's more, it apparently was sent through MY cgi-bin on my site...

Most of these apparently failed delivery for a number of reasons.... The most common explanation is this....

Your mail to the following recipients could not be delivered because they are not accepting mail from UnknownSender@UnknownDomain:
jereltrout
jerrybla12
jensencpa

Now at this point I start looking through my httpd access_logs and see TONS of hits on mydomain.com/cgi-bin/cgiemail/forms/order.txt and of course the returned headers (some bounces included headers, some didn't...) showed ...

X-Mailer: cgiemail 1.6
(form="http://mydomain.com/")
(action="/cgi-bin/cgiemail/forms/order.txt")

I start investigating cgiemail and don't recall installing it. Beginning to suspect a hack, I check some of my other reseller sites, all of which have it, so now I assume it's a generic WestHost script. To stem the tide this morning (actually most of the hits were yesterday, so maybe the flow of delivery failures will stop by tomorrow...) I've removed ALL permissions (rwx) from the script so it can't be executed at all.

What's ... well, impressive is that the pulls to that script came from a NUMBER of different IP addresses.

Ultimately, I guess my question is - is it possible that this was a test run of an exploit against cgiemail? Perhaps a refining of HOW someone calls the script could allow them to correct the UnknownSender@UnknownDomain failures. Is there no http_referrer protection in this script to keep it from being called? I've never used the script myself, but a brief look doesn't seem to indicate any such setting.

Right now, I've done a count out of curiosity....

cat access_log | grep cgiemail |wc -l

on the server shows 629 (attempted) accesses of that script (5 or so are me), 42 of which have been since I disabled it (giving out 403 errors now). It looks as though at about 10 after 10 this morning they realized they were getting 403 errors and probably removed the address from whatever zombie network is doing this... (there haven't been any hits on it in 10 hours, outside of me a few minutes ago...)

Something tells me I need to beat the rush and start disabling it on EVERY account I have before I get 8x as many failure messages....
any thoughts? comments?

anyone notice similar behavior?

Thanks,

Avery

wildjokerdesign
05-26-2004, 08:32 PM
WestHost used to offer cgiemail but I don't think it is installed on accounts by default, at least not on new reseller accounts that I create. I think maybe you are right that someone was trying to exploit it. If I recall, when it was available and set up, an example was placed at cgi-bin/forms/order.txt. It seems like there was a way to limit the script but I can't remember. I haven't heard of anyone else having a problem with it.

I think you made the right choice in disabling it. I think if you remove the order.txt file then they would not be able to exploit the script on other accounts. If my memory serves me, to use the script it has to have that .txt file location or one similar in the call to the script.

ajparker
05-27-2004, 08:01 AM
Thanks.... the order.txt is indeed something that is provided as a sample and so, short of there being a compromise where they could write to disk, removing that would take out what they could send through messages.

At this point I'm still getting the delivery failures. Fortunately, ages ago I set up a folder for delivery failures that my mail program autosorts.... otherwise it would be even more annoying. Looks like I'm up to messages that were attempted to be sent around Tuesday afternoon. So... I'm thinking I may have another day of these. I'm already up to around 2000 total.

Most of my sites have been around for a while with westhost, so even if they've discontinued using it for new accounts, that explains why all of mine seem to have it.

I've grabbed a list out of the log of all ip's pulling the script before (and attempting to pull it after) it was disabled. Out of the first 18 entries, there are 17 unique addresses. That's why I'm suspecting these are probably zombied machines.

Thanks for the input,

Avery
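A small log-triage script, added here as an example rather than anything posted in the thread, that does the two things Avery describes: the total count of cgiemail hits in access_log, the hits refused (403) after the script was disabled, and the list of unique source addresses. The log lines are constructed samples in Apache common log format, and the IPs are documentation ranges.

```shell
#!/bin/sh
# Constructed sample access_log lines (Apache common log format); not real traffic.
LOG=$(cat <<'EOF'
203.0.113.5 - - [25/May/2004:14:02:11 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.0" 200 512
198.51.100.7 - - [25/May/2004:14:02:15 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.0" 200 512
203.0.113.5 - - [25/May/2004:14:03:40 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.0" 200 512
192.0.2.9 - - [26/May/2004:09:15:02 -0600] "GET /index.html HTTP/1.1" 200 2048
192.0.2.44 - - [26/May/2004:10:12:30 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.0" 403 289
198.51.100.7 - - [26/May/2004:10:14:01 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.0" 403 289
EOF
)

# Total requests to the cgiemail script: the "grep cgiemail | wc -l" count from the thread.
cgiemail_hits() {
    printf '%s\n' "$LOG" | grep -c 'cgiemail'
}

# Requests that hit the script after it was disabled, i.e. answered with 403.
# In common log format field 7 is the request path and field 9 the status code.
cgiemail_403_hits() {
    printf '%s\n' "$LOG" | awk '$7 ~ /cgiemail/ && $9 == 403 {n++} END {print n+0}'
}

# Unique client addresses that called the script, one per line, sorted;
# useful for an abuse report or for judging whether the callers are many hosts.
cgiemail_unique_ips() {
    printf '%s\n' "$LOG" | awk '$7 ~ /cgiemail/ {print $1}' | sort -u
}

# Stand-alone run: replace LOG with "$(cat /path/to/access_log)" for a real log.
echo "cgiemail hits:       $(cgiemail_hits)"
echo "hits refused (403):  $(cgiemail_403_hits)"
echo "unique source IPs:   $(cgiemail_unique_ips | awk 'END {print NR}')"
```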

ajparker
05-28-2004, 12:36 PM
I was fit to be tied last night.... about 36 hours after I disabled the offending script I got a TOS warning from Westhost's abuse department. I referred them to this thread in the forum, informed them that I had already disabled it sometime before hearing from them, and took offence at a TOS warning over a script that they installed to begin with. I also suggested they issue an advisory to those accounts that have the script. Just now I received an apology for the offensive subject line and they are starting to send out advisories on the cgiemail script.

Last night I spent some time deactivating it on all my other accounts. I would HIGHLY suggest that if you use this script, find a replacement. (It hasn't been maintained in several years.) If you've had a site from pre-2.0, you probably have the script in your webspace; you're best off either deactivating it (remove execute privileges) or deleting it.

Avery

wildjokerdesign
05-28-2004, 01:13 PM
Yep, got the warning on a couple accounts. I went ahead and deleted the program to make sure, although I had not been using it and the order.txt file was long gone.

Thanks Avery for letting everyone know and bringing it to the attention of WH.