[rosbif]

I am suddenly receiving 50-60 emails bounced back to me per hour from my domain where I have DragonFly hosted. My host support (Site5) is telling me it is a script on my index.html page that has a security hole. They think it is the 'send to a friend' link being used.

Here is the reply from my host:

Quote:

X-PHP-Script: www.chantillyexpat.com/index.php for 200.177.228.4

I have checked this site and it looks like you have "send to a friend"
links on your articles. It appears that this is being abused to send out a large amount of messages. Are all of the bouncebacks trying to be sent to marketingexpert @ krim.ws or are they to random email addresses? Thanks. Here are the logs of the message being sent from the server:

2009-12-23 13:45:44 1NNX9O-00086Z-NN <= chantill @ milton.site5.com U=chantill P=local S=1064 id=0aebd4e2c99732724736ca7e14443728@www.chantillyexpat.com
2009-12-23 13:45:46 1NNX9O-00086Z-NN ** marketingexpert @ krim.ws R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<marketingexpert@krim.ws>: host mx1.hqhost.net
[88.214.192.192]: 550 5.1.1 <marketingexpert@krim.ws>... User unknown
2009-12-23 13:45:46 1NNX9W-000888-Eo <= <> R=1NNX9O-00086Z-NN U=mailnull P=local S=2052
2009-12-23 13:45:47 1NNX9O-00086Z-NN Completed

He also said:

Quote:

The spam is definitely originating from the script running on your site at index.php. It is possible that there is a security hole in the application that is allowing remote users to send spam. I would suggest updating the script and any plug-ins/modules to the latest versions.

Any ideas?

[Dizfunkshunal]

can you send me a copy of you index.php? pm it do not post it in the forums.


and i can see all your debug info which should only be seen by admin !!!
error in template.

[rosbif]

done

[Dizfunkshunal]

disable the Tell a friend module until you can put captcha in it or set it to registered users only. index.php is fine at least i didn't see anything out of sorts.

Send to a friend in news to

[rosbif]

My Tell a Friend has captcha already. I presume I need to remove the link to 'send to a friend' from the articles?

My host has blocked the IP address that was sending these emails and I've done the same in DF. Is there anything else I can do?

[Dizfunkshunal]

Send to a friend in the news

there not stupid spammers i mean they use proxy or zombies.

[Dizfunkshunal]

send me your_theme/templates/ footer.html to so i can fix the bottom.

[rosbif]

SO I need to edit some file to stop the send to a friend link?

[Dizfunkshunal]

or add captcha to it im not sure how to add the captcha but you could comment out the send a friend links

What theme are you using?

[rosbif]

I've removed the link from the template file for now. No idea how to add a captcha to it. This seems a pretty serious hole!

[rosbif]

I've pm'd you my footer too. What's up with that??

[Dizfunkshunal]

all the debug info at bottom should only be seen by admin not everyone
fixed and sent back
I think there is a thread running around here that shows how to add captcha.

[rosbif]

Thanks Diz.. I've removed the link to send a friend and renamed the friend.php file but I am still getting bounced back messages - 150 overnight so I dread to think how many got through...

What else can I do?

[Dizfunkshunal]

You removed the ability to tell a friend. All you really can do now is figure out how to add captcha. this thread might help you dragonflycms.org/Forum...t=captcha/

[NanoCaiordo]

PHP installed on your server its already patched with php mail headers but its not picking up the correct file.

Quote:

X-PHP-Script: www.chantillyexpat.com/index.php for 200.177.228.4

Try to use the attached includes/classes/phpmailer.php at least you will know which file is actually been abused.

This file will be included in 9.2 and 10.