Spam "Artists" Can Trick A Non-Spamming Website To Send Spam Emails

It was the evening of Friday 16th June 2006, and I was rounding up the updates on my websites, when I decided to search online for and install another site recommendation script on my website in place of the one that, for some reason I could not fathom, continued to return a "500 - Internal Server Error". The Google search results page threw up a slew of referral script offerings from various authors - some free, others for sale.

At this time I was just keen to test and see if I could get one to work on my site. Soon I settled for one called "The PCman Website Refer a Friend". Within minutes, I had it installed and running. One thing I did not do, and which I would advise (based on the benefit of painful hindsight) ANYONE who uses third party scripts on his/her site to do, is to check and confirm that the programmer has taken pains to secure the script code against exploitation - in particular, that nothing a visitor types into the form is copied unchecked into the recipient list or the headers of the mail the script sends. (Specific details/links to URL resources on how to go about this are provided further down.)

Note: It was only after the event, and following prompts from my hosts, that I checked and found the PCManrefer script had inadequate security written into the code. The resulting "security hole" was what the hacker later exploited remotely to launch a massive spam attack.

On the morning of Tuesday 20th June 2006, I tried to log into my web hosting account to upload files, but noticed the FTP tool I was using kept returning an "incorrect password" message. After trying repeatedly, and confirming I was using the correct password, I decided to try logging in to my webmail, so as to send an email to the support department for assistance. This presented a problem as well. Each time I tried, I got a message like "Dropped by ISMAP server". Now quite alarmed, I decided to type the URL to my website. My worst fears came to pass: the browser printed a "Page Not Found" message in bold!

At this point, I promptly went to my host's website and initiated a chat session with the operator. The following chat conversation took place:

----- start of chat session -----
Operator: Hello! How may I help you?
Operator: hi
Visitor42152: Hi
Visitor42152: I cannot login to my webmail or access my entire website
Visitor42152: MY reg no is
Operator: We are writing to inform you that during the past 30 minutes your web hosting account (username = deleted) has sent 625 messages to the email subsystem of the hosting server. This is in violation of our terms of service, and as such, any websites belonging to that account have been taken offline.
Operator: In order to reactivate your account you will need to contact our support department and agree not to abuse our servers again. Any further incidents like this will cause our system to remove your account completely and without warning.
Visitor42152: I am working from a cyber cafe I normally do not use, though it's close to my home
Visitor42152: I am certain this is due to activities of email hackers who use the same ISP as these guys
Operator: send an email to
Visitor42152: How long will it take to resolve this?
Operator: 6 - 12 hours
----- end of chat session -----

Well, I did not get it resolved in 12 hours. In fact, by the time I was finished exchanging emails with the support department, I learnt my account would be suspended for 7 days, with the warning that if it happened again, my account would be considered for termination without notice.

How They Did It (i.e. Hijacking My Website Referral Script's Form Post)

Below, I reproduce the exact text of the explanation given by my host's Abuse Department, when I requested details that could help me understand how the problem had occurred, and what I could do to prevent a recurrence. You will notice that the Perl script I installed (i.e. "pcmanrefer.pl") some days before the problem was identified by the administrator as one of three found to have poor security built into their code.

--- "Aplus.Net Abuse Department" wrote (I have re-arranged - but NOT edited - the text for readability):

> Hello,
>
> Basically the attack is performed on scripts that trust the information that the submitter enters and are therefore easily exploitable. You can refer to these two documents that describe in detail this very specific attack:
>
> I have reviewed the spam evidence sent to us and in the headers the subject is different every time, which means the script used is taking the input data from the visitor and doesn't edit it at all:
>
> Subject: Incredibly undervalued, you'll not want to miss this opportunity the protracted
>
> I have found several such scripts in your FTP space:
>
> cgi-bin/mailer/simplemail.pl
> /cgi-bin/mailer/mailer.pl
> /cgi-bin/pcmanrefer.pl
>
> There might be others that are compromisable too, but you know better the structure of your website and which exactly script is sending the data unchanged. The bottom line is to filter out all input data as suggested in the two articles above.
>
> Thank you,

Clues Left Behind By The Hacker In My Server Space

When I eventually gained access to my server space, I found confirmation that it was indeed the "pcmanrefer.pl" script that had been exploited: its referral log file (refer-log.txt) had grown to a massive 11.1 megabytes, up from 0 bytes when I uploaded it less than 9 days before! Opening the file revealed huge volumes of email addresses and message contents, originating from bogus "addresses" at my sub domain, e.g. stephannie@ ("who is SHE??", I said to myself) - and many, many more!

The Attack Had A Negative Multiplier Effect - Which Is Why You Would Be Wise To Prevent It Happening

When my hosting account was suspended, my websites could not be visited, nor could I access mails sent to my webmail account at my domain during that seven day period. But that was just one side of it. ALL the short URLs that I had created to point to various sub domains on my main website were put up for removal by the service provider, who placed a bookmark update link on a page leading to the home page - with the following message:

"Due to enormous phishing spam with our sub domains we will close this short url re-direction. Please update your bookmarks."

One example of a short URL affected by this problem was the one pointing to the mini site for my Creative Business Solutions (CB Solutions) delivery service. My mind raced back to all the articles I had published at the Ezine articles directory, in which I had used the short URL addresses in the resource box invitation to readers (at the end of the article). A number of those articles carrying the short URLs had been syndicated on other websites, where I would not have access to make changes to them. I realised that it would only be a matter of time before readers of some of my articles would find themselves confronted with a "Page Not Found" browser error, or a general advert page for domain name sales etc. - instead of my site. Definitely not good for the image I was trying to build online!

I provide the above details to give you an idea of just how bad this can be - so you can really understand why it would be in your best interest to make sure you never leave yourself open to the extent that this type of problem can affect your website.

Taking Action To Prevent (Future) Attacks

I deleted the "pcmanrefer.pl" script and the other two that were identified by the hosting provider's administrator (see email above). I also removed another mailing list management CGI script that I had installed a month before. In a way, I felt like I was taking medicine after death. :-) But at least by this time, I actually had a better idea of WHAT had happened, HOW, and WHY - and what I could do to protect myself for the future. Next, I visited the URLs emailed to me by my web host. Out of curiosity, I also did a number of searches on Google, to see what else I could learn about "form post hijacking", and spamming in general. Below, I provide links to some useful resources I found. If you own a website, I think you will want to spend some time studying them.

IMPORTANT NOTE:

1. It would interest you to know that I no longer use a site referral script on my website. Instead I have developed a simple email recommendation template that anyone who is so keen to tell another about my site can use. Visit my website to see what I mean. There are many other effective ways to get marketing exposure for a website, and I am currently modifying my website design/marketing strategy to accommodate them. As time goes on, visitors to my website will see ample evidence of this.

2. Some of the resources whose URLs are listed below were published as far back as 2002, so they might not exactly offer relevant or effective remedies that can be successfully applied today. However, the educational value they offer towards understanding the problem(s), in my opinion, would still make them worth a visit.

So, with that note of warning, I wish you happy reading and good luck in your fight to protect your website against exploitation.

Useful Learning/Problem-Solving Resources

1. Using Apache to stop bad robots | evolt.org - by Daniel Cody
2. Why Some Scripts are dangerous to use on your Website - by Anders Brownworth
3. Interesting Crack Attempt to Relay Spam (Comment: this is actually a precursor to the full article referred to me by my web host titled "Form Post Hijacking - How to solve the problem.")
4. Form Post Hijacking - How To Solve The Problem - by Anders Brownworth
5. A Hands-On How-To (Securing the CGI script section - useful) - from Brass Cannon Consulting
6. WWW Security FAQ: CGI Scripts - by Lincoln Stein and John Stewart - hosted by the World Wide Web Consortium (W3C) as a service to the Web Community.
7. Stopping Spambots: A Spambot Trap - How to block spambots, ban spybots, and tell unwanted robots to go ...

Self-Development Performance Enhancement Specialist - Tayo Solagbade - devotes his time to exploring new frontiers of Self-Development Education, especially as it relates to showing people what they can do by themselves, for themselves to achieve their set goals - DESPITE the limitations of their circumstances or environment. Download FREE demos of customisable Excel-VB driven spreadsheet applications such as (1) an Automated Invoice and Delivery Note Generator (2).
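The failure the abuse department describes above - a mailer that pastes whatever the submitter typed straight into the mail it sends - in Python rather than Perl, as an added illustration that is not the pcmanrefer.pl code or anything from the host. The addresses, limits and field names are assumed for the example; the constructed "spam" submission smuggles a CRLF and a Bcc header through the subject field, which is how one innocent-looking referral form becomes a spam relay. The hardened version beside it never lets visitor text reach a header, accepts exactly one plain recipient, fixes the subject server-side, and throttles submissions per client so that 625 mails in 30 minutes cannot happen:

```python
"""Form-post hijacking: a 'refer a friend' mailer that trusts its input,
beside a hardened version. Illustration only; not the pcmanrefer.pl code.
Sender address, limits and field names are assumptions for the example."""
import re
from collections import defaultdict, deque
from email.message import EmailMessage
from email.parser import Parser

SITE_SENDER = "referrals@example.invalid"        # assumed fixed From address
FIXED_SUBJECT = "A friend thinks you will like this site"
MAX_BODY = 2000                                   # assumed body length cap
RATE_LIMIT, RATE_WINDOW = 5, 3600                 # assumed: 5 referrals/hour/IP

# Constructed attacker submission. The subject field carries a CRLF and a
# Bcc header; a script that trusts the field ends up addressing the spam.
SPAM_POST = {
    "friend_email": "friend@example.invalid",
    "your_name": "stephannie",
    "subject": "Incredibly undervalued, you'll not want to miss this"
               "\r\nBcc: v1@example.invalid, v2@example.invalid",
    "message": "Buy now.",
}
# Constructed legitimate submission.
GOOD_POST = {"friend_email": "friend@example.invalid", "your_name": "Tayo",
             "subject": "ignored", "message": "Have a look at this site."}


def vulnerable_build(form):
    """Header block assembled by string pasting, as the abused scripts did."""
    return (f"From: {form['your_name']}@example.invalid\r\n"
            f"To: {form['friend_email']}\r\n"
            f"Subject: {form['subject']}\r\n"
            f"\r\n{form['message']}")


def recipients_of(raw):
    """Every address an MTA would deliver this message to."""
    msg = Parser().parsestr(raw)
    addrs = []
    for hdr in ("To", "Cc", "Bcc"):
        for value in msg.get_all(hdr, []):
            addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


class RejectedSubmission(ValueError):
    pass


# One plain address: no comma, space, CR or LF can match, so the To line
# can never become a distribution list.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,60}$")
_seen = defaultdict(deque)                        # client ip -> submit times


def hardened_build(form, client_ip="203.0.113.7", now=0.0):
    """Same feature, but visitor input never reaches a header unchecked."""
    times = _seen[client_ip]
    while times and now - times[0] > RATE_WINDOW:
        times.popleft()
    if len(times) >= RATE_LIMIT:
        raise RejectedSubmission("too many referrals from this address")
    friend = form.get("friend_email", "")
    name = form.get("your_name", "")
    body = form.get("message", "")[:MAX_BODY]
    if not ADDR_RE.match(friend):
        raise RejectedSubmission("recipient must be one plain address")
    if not NAME_RE.match(name):
        raise RejectedSubmission("name has characters not allowed in mail")
    msg = EmailMessage()
    msg["From"] = SITE_SENDER            # fixed sender, not the visitor's choice
    msg["To"] = friend
    msg["Subject"] = FIXED_SUBJECT       # the form's subject field is ignored
    # Visitor text goes only into the body, where line breaks are harmless.
    msg.set_content(f"{name} thought you would like this site.\n\n{body}")
    times.append(now)
    return msg


def accepted(form, **kw):
    """True when the hardened handler would send this submission."""
    try:
        hardened_build(form, **kw)
        return True
    except RejectedSubmission:
        return False


if __name__ == "__main__":
    print("vulnerable delivers to:", recipients_of(vulnerable_build(SPAM_POST)))
    print("hardened delivers to:",
          recipients_of(hardened_build(SPAM_POST, client_ip="192.0.2.9").as_string()))
```

Run stand-alone, the vulnerable builder delivers the spam to the friend and both smuggled Bcc recipients, while the hardened builder delivers only to the single validated recipient with the fixed subject. The detection side of the same incident is visible in the check the host applied: count messages per account per 30 minutes, and treat a sudden spike from one CGI as a compromised form rather than a busy site.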