Security Incidents mailing list archives
Re: How to determine which PHP-script allows spamming?
From: Kari Asikainen <kari.asikainen () protacon fi>
Date: Fri, 14 Apr 2006 15:39:30 +0300
Kurt Seifried wrote:
The culprit turned out to be some guy who, instead of creating links to his web-pages decided to include them.This happened in the form of http://domain/index.php?p=/bla/data.htmlOf course, "p" could be overwritten and some guy was loading a php-mailer from various geocities and yahoo pages, which our server dutifully parsed... We could only shake our heads in disbelieve. This had cost us countless hours of (until now) fruitless work.One relatively easy way to prevent this type of problem is to disallow your web server from making outgoing connections to port 80 TCP (i.e. do not allow it to request things). If you want to be really anal simply disallow any outgoing connection attempts for TCP SYN, this will prevent all sorts of naughtiness from your webserver. Plus when you do see blocked outgoing connections you will know something is up and can correlate it with web logs/etc.
That is a nice and clean global solution.With PHP you can also turn off fopen-wrappers which will disallow including remote content. IMHO that should be the default, and allowing it would be strictly per-virtualhost basis after auditing the security of the code in question...
-ka
Current thread:
- Re: How to determine which PHP-script allows spamming? Rainer Duffner (Apr 13)
- Re: How to determine which PHP-script allows spamming? Kurt Seifried (Apr 13)
- Re: How to determine which PHP-script allows spamming? ascii (Apr 14)
- Re: How to determine which PHP-script allows spamming? Kari Asikainen (Apr 14)
- Re: How to determine which PHP-script allows spamming? Rainer Duffner (Apr 15)
- Re: How to determine which PHP-script allows spamming? Ademar Gonzalez (Apr 15)
- Re: How to determine which PHP-script allows spamming? Kurt Seifried (Apr 13)