hall_of_famer — 2013-09-06T06:08:58-04:00 — #1
Well, I received an email from my webhost saying that they've received complaints about my dedicated server sending spam mails. It's weird as I'd never do such a thing myself; it also would not benefit me at all. As I've investigated further, I was able to track down the spammer's info from this:
X-Mailer: vBulletin Mail via PHP
Date: Tue, 3 Sep 2013 13:02:12 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - srv1.******.com
X-AntiAbuse: Original Domain - lycos.com
X-AntiAbuse: Originator/Caller UID/GID - [500 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - srv1.******.com
X-Get-Message-Sender-Via: srv1.******.com: authenticated_id: ******/from_h
X-Source-Args: /usr/bin/php /home/******/forum/showthread.php
This is a message from Ann Curtis ( mailto: ) from the ****** Forum ( http://www.******.com/forum/ ).
The message is as follows:
Dearest Energy User,
A POWERFUL invention from 1927 that secretly powered the famous Col. Charle=
s Lindbergh's aircraft on his voyage to be the first to cross the atlantic =
by airplane without stopping.
The same invention has already helped thousands of energy users by SLASHING=
their Electric Bill up to almost 100 percent.
See this page to see the video: http://payspree.com/12855/ann
Have a good one.
So apparently this 'Ann Curtis' from payspree.com (actually techville.net) was able to send spam mails by impersonating my server through vBulletin's showthread.php page. I've heard that in the earliest days of VB3 there was an XSS security flaw within VB3.0.7, but this is VB3.8.7 (patch lv.3) already and I doubt such an XSS vulnerability still exists. It could also be session hijacking, I have no idea what it is.
This problem caught my attention since I had a similar experience back in July, and I was able to persuade my webhost to continue to run my forum as the spammer left after the webhost suspended my account for about 2-3 days. So it's technically the second time that my vBulletin forum's showthread page vulnerability is being abused. I wonder if anyone else is experiencing an issue similar to this? If so, how do you fix it? Please let me know if you know anything about it. Thx.
cpradio — 2013-09-06T19:21:11-04:00 — #2
I did a few searches and came across this (not sure if it helps you or not)
hall_of_famer — 2013-09-06T22:47:48-04:00 — #3
Oh, that's a very helpful clue, thank you so much. I will see if I can confirm that it's indeed the same issue as the user Smitty was encountering. Thx.
hall_of_famer — 2013-09-11T21:41:04-04:00 — #4
And it just happened again; my webhost is so annoying that it threatens to suspend my account if I can't resolve the issue. The problem is, it is NOT my fault...
Anyway, I find that the emails always contain the URL 'http://payspree.com/12855/ann'. Is there a way to modify showthread.php such that it rejects the email from being sent whenever it detects this specific URL in user-submitted data? VB 3.8 is a third-party script with thousands of lines of code; it's all procedural code and it takes forever for me to even read through the script file. Sigh.
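One way to do what post #4 asks, as an added example that is not vBulletin's code: a pre-send filter that rejects a "send this thread to a friend" message when it carries a link to a blocked host, or to any host other than the forum's own. The integration point (calling it just before the mail is handed off), the forum domain and the message text are assumptions; the blocklist entry is the URL quoted in the thread.

```php
<?php
// Added example, not from vBulletin. Hypothetical hook: call filter_friend_email()
// immediately before the page would send the "email to friend" message and abort
// when it returns a reason string. Written for PHP 5.x-era servers (no str_ends_with).

function extract_urls($text) {
    // Undo quoted-printable soft line breaks ("=\n") so a URL split across
    // lines, as in the bounced message above, is still seen whole.
    $text = preg_replace('/=\r?\n/', '', $text);
    preg_match_all('#\bhttps?://[^\s<>"\']+#i', $text, $m);
    return $m[0];
}

function host_in_list($host, array $list) {
    // True when $host equals a listed domain or is a subdomain of it.
    foreach ($list as $d) {
        $d = strtolower($d);
        if ($host === $d) return true;
        $suffix = '.' . $d;
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) return true;
    }
    return false;
}

function filter_friend_email($message, array $allowedHosts, array $blockedHosts) {
    // Returns null when the message may be sent, otherwise the rejection reason.
    // A blocklist alone is weak (the spammer can change the URL); the sturdier
    // rule is the allowlist: only links back to the forum itself are permitted.
    foreach (extract_urls($message) as $url) {
        $host = strtolower((string) parse_url($url, PHP_URL_HOST));
        if ($host === '') return 'unparseable URL in message';
        if (host_in_list($host, $blockedHosts)) return "blocked host: $host";
        if (!host_in_list($host, $allowedHosts)) return "off-site link not allowed: $host";
    }
    return null;
}

// Constructed sample: the spam body from the thread (assumed forum domain example.com).
$spam = "See this page to see the video: http://payspree.com/12855/ann\nHave a good one.";
$legit = "Thought you'd like this thread: http://www.example.com/forum/showthread.php?t=1";
$allowed = array('example.com');
$blocked = array('payspree.com', 'techville.net');

var_dump(filter_friend_email($spam, $allowed, $blocked));   // string "blocked host: payspree.com"
var_dump(filter_friend_email($legit, $allowed, $blocked));  // NULL, message may be sent
```

Logging the rejecting reason together with the client's IP address ($_SERVER['REMOTE_ADDR']) at the hook gives the evidence needed for the .htaccess deny suggested later in the thread, and for the abuse report back to the webhost.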
spacephoenix — 2013-09-12T02:27:01-04:00 — #5
You might want to consider either upgrading to version 4 (version 3 is probably not supported any more) or migrating over to another forum software. What sort of size is the forum (number of users, number of threads and number of posts)? What sort of weekly traffic levels does it get?
You should run anti-virus and anti-malware/spyware scans on both the server (if you have the rights/permissions to) and on any PC you use to access the file structure over FTP. If they come up clean, change your FTP password (making sure the new one is a very strong one) just in case anyone has guessed your FTP password.
hall_of_famer — 2013-09-12T10:26:15-04:00 — #6
Nope, not a single chance. VB3.8 >>> VB4; it's a downgrade if I choose to 'upgrade' my VB. After all, Sitepoint, DevShed, Theadminzone, Webhostingtalk all use VB3, and there's a good reason for that. You don't upgrade for the sake of increasing the version number, when VB4 has never ever been better than VB3 in terms of functionality and quality.
It's not a very active forum; it has 10-20 registered users every day but that's about it. I do receive a lot more guests though, but the forum is able to block most of the spammers trying to register. This spam mail apparently was sent by an unregistered user; showthread.php seems to be the script with the XSS vulnerability. I have disabled the 'email to friend' option for every usergroup, except for the admins/mods. Not sure how this is gonna help.
cpradio — 2013-09-12T10:31:26-04:00 — #7
That's definitely true, except for Sitepoint. Sitepoint is not using VB3.
hall_of_famer — 2013-09-12T10:57:18-04:00 — #8
I see, but whatever... I'd use VB3 unless I decide to move to another platform like IPB or Xenforo. I will try anything possible to fix this XSS issue, except for this so-called upgrading which is in fact a downgrade considering VB 3.8.7 is still by far the best version of VB ever produced.
cpradio — 2013-09-12T10:59:05-04:00 — #9
I can't speak to that as I've been out of the vBulletin world for years. So I'll just politely respect your decision to stay away from VB4/5.
cpradio — 2013-09-12T11:08:40-04:00 — #10
Just curious, have you tried denying the IP address that is sending the spam in an .htaccess file? At least that way they have to change their IP to make use of the attack again.