We had some issues today, at work, with a PHP-based CMS (hello |*@#-?! Joomla) being used as a spam gateway.
I fixed the issue by figuring out which PHP file was the broken one, using the findbot.pl tool from abuseat.org. But my main concern is that there's no way to prevent this from happening again. PHP is broken by design, especially when used for a CMS.
Abuseat's script helped me find the suspicious code, which was then confirmed by the Apache logs:
|
62.84.241.155 - - [10/Feb/2016:07:08:03 +0000] "POST /templates/_old2/session.php HTTP/1.1" 200 316 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
62.84.241.155 - - [10/Feb/2016:07:08:51 +0000] "POST /templates/_old2/session.php HTTP/1.1" 200 316 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
62.84.241.155 - - [10/Feb/2016:07:09:38 +0000] "POST /templates/_old2/session.php HTTP/1.1" 200 341 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
|
In the meantime, Joomla has been updated and hopefully the security issue has been fixed.
After I removed the bad file, the owner of my turned-into-a-spambox CMS looked annoyed and seemed to try to break in again:
|
195.206.253.146 - - [10/Feb/2016:08:18:21 +0000] "GET /administrator/index.php HTTP/1.0" 200 7778 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
195.206.253.146 - - [10/Feb/2016:08:18:21 +0000] "POST /administrator/index.php HTTP/1.0" 303 228 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
195.206.253.146 - - [10/Feb/2016:08:18:21 +0000] "GET /administrator/index.php HTTP/1.0" 200 7778 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
195.206.253.146 - - [10/Feb/2016:08:18:21 +0000] "POST /administrator/index.php HTTP/1.0" 303 228 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
|
No thanks, really. It’s been a pleasure but it’s time for me to move on:
|
root@some.server.com:~# shorewall drop 195.206.253.146
195.206.253.146 Dropped
|
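The two log excerpts above show the patterns worth alerting on: POSTs to a PHP file sitting in a place where no Joomla endpoint should accept input (a dropped mailer script), and a burst of POSTs to the administrator login. The following detector is an added example, not part of the original post or of findbot.pl; it runs over the log lines quoted above plus one constructed benign line, and the burst threshold, the list of legitimate entry points and the `10.0.0.1` client are assumptions.

```python
# Added example, not from the original post: flag POSTs to unexpected PHP
# files and bursts of admin-login POSTs in Apache combined-format logs.
import re
from collections import Counter, defaultdict

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The only PHP files a stock Joomla site should receive POSTs on
# (assumption: no extension exposing its own endpoint is installed).
KNOWN_ENTRYPOINTS = {"/index.php", "/administrator/index.php"}
ADMIN_LOGIN = "/administrator/index.php"

SAMPLE_LOG = [
    # lines copied from the post
    '62.84.241.155 - - [10/Feb/2016:07:08:03 +0000] "POST /templates/_old2/session.php HTTP/1.1" 200 316 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"',
    '62.84.241.155 - - [10/Feb/2016:07:08:51 +0000] "POST /templates/_old2/session.php HTTP/1.1" 200 316 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"',
    '62.84.241.155 - - [10/Feb/2016:07:09:38 +0000] "POST /templates/_old2/session.php HTTP/1.1" 200 341 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"',
    '195.206.253.146 - - [10/Feb/2016:08:18:21 +0000] "GET /administrator/index.php HTTP/1.0" 200 7778 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '195.206.253.146 - - [10/Feb/2016:08:18:21 +0000] "POST /administrator/index.php HTTP/1.0" 303 228 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '195.206.253.146 - - [10/Feb/2016:08:18:21 +0000] "GET /administrator/index.php HTTP/1.0" 200 7778 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '195.206.253.146 - - [10/Feb/2016:08:18:21 +0000] "POST /administrator/index.php HTTP/1.0" 303 228 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    # constructed benign line: an ordinary front-page hit
    '10.0.0.1 - - [10/Feb/2016:07:10:00 +0000] "GET /index.php HTTP/1.1" 200 12345 "-" "curl/7.38.0"',
]


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["path"] = fields["path"].split("?", 1)[0]  # drop any query string
    fields["minute"] = fields["ts"][:17]              # e.g. "10/Feb/2016:07:08"
    return fields


def find_suspects(lines, login_burst=2):
    """Return {ip: sorted list of reasons}. login_burst is an assumed threshold:
    that many POSTs to the admin login within one minute is treated as a
    brute-force attempt. Joomla answers a login POST with a redirect (303)
    whether or not it succeeded, so the status code alone proves nothing."""
    reasons = defaultdict(set)
    admin_posts = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST":
            continue
        if e["path"].endswith(".php") and e["path"] not in KNOWN_ENTRYPOINTS:
            reasons[e["ip"]].add("POST to unexpected PHP file %s (HTTP %d)"
                                 % (e["path"], e["status"]))
        if e["path"] == ADMIN_LOGIN:
            admin_posts[(e["ip"], e["minute"])] += 1
    for (ip, minute), n in admin_posts.items():
        if n >= login_burst:
            reasons[ip].add("%d POSTs to %s within %s" % (n, ADMIN_LOGIN, minute))
    return {ip: sorted(r) for ip, r in reasons.items()}


def block_commands(suspects):
    """The shorewall command used in the post, one per flagged IP."""
    return ["shorewall drop %s" % ip for ip in sorted(suspects)]


if __name__ == "__main__":
    found = find_suspects(SAMPLE_LOG)
    for ip, why in sorted(found.items()):
        print(ip, "->", "; ".join(why))
    print("\n".join(block_commands(found)))
```

Feed it the real access log (`find_suspects(open("/var/log/apache2/access.log"))`) and review the reasons before pasting the block commands; a POST to an unknown PHP file is also what a legitimately installed extension looks like, so extend `KNOWN_ENTRYPOINTS` for your site.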
- Preventing this from happening again?
So how do you deal with this? First, make sure your main SMTP IP address is not involved. Relay the CMS emails through a specific, dedicated SMTP server that is not hidden behind the same NAT as your main SMTP server. Otherwise, your main outbound IP will get blacklisted as soon as any hole opens up in Joomla.
To make sure you're fine, you can use one of the multi-RBL checks online, like anti-abuse.org or senderbase.org by Cisco. If you're not listed there, you're probably fine. Otherwise it's time to ask for removal from every blacklist and be patient: your SMTP server won't be trusted again for at least a couple of hours, and probably a couple of days before it is de-listed across the whole Internet.
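Those web checkers do nothing more than DNS lookups, which you can run yourself from the mail server. The script below is an added example, not from the original post: the two zones it queries are an assumption (the post names only the web front-ends), and the answer table in `fake_resolve` is constructed so the demo runs offline; pass the default resolver to check a real address.

```python
# Added example, not from the original post: the lookup a multi-RBL web
# checker performs, done locally against a couple of DNSBL zones.
import socket

# Assumption: two widely used public zones; add the ones you care about.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone,
    so 1.2.3.4 checked against zen.spamhaus.org becomes 4.3.2.1.zen.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def classify(answer):
    """Interpret the A record a DNSBL returns. Listings are encoded inside
    127.0.0.0/8 (the low octets say which sub-list hit); Spamhaus uses
    127.255.255.x to signal query errors, e.g. when you ask through a public
    resolver such as 8.8.8.8. Anything outside 127/8 is not a listing: an
    expired, parked zone answering with a wildcard looks exactly like that."""
    if answer is None:
        return "not listed"
    if answer.startswith("127.255.255."):
        return "query error"
    if answer.startswith("127."):
        return "listed (%s)" % answer
    return "unexpected answer %s" % answer


def check_ip(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Query every zone for ip. `resolve` takes a name and returns an IPv4
    string or raises socket.gaierror (NXDOMAIN, meaning not listed)."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            answer = None
        results[zone] = classify(answer)
    return results


def is_listed(results):
    return any(v.startswith("listed") for v in results.values())


# Constructed answer table so the demo runs offline: pretend 2.3.4.5 is listed.
_FAKE_TABLE = {"5.4.3.2.zen.spamhaus.org": "127.0.0.4"}


def fake_resolve(name):
    if name in _FAKE_TABLE:
        return _FAKE_TABLE[name]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for ip in ("2.3.4.5", "10.0.0.1"):
        r = check_ip(ip, resolve=fake_resolve)
        print(ip, "LISTED" if is_listed(r) else "clean", r)
    # Real check: run check_ip("<your outbound IP>") on the mail server itself,
    # through its normal resolver, not through a public one.
```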
Of course, you may consider upgrading Joomla, changing the passwords and avoiding thousands of useless plugins, but I guess you're not in charge of this Joomla website, right?
Another thing that may help is enabling the PHP hardening extension called "Suhosin". It wasn't ready when Debian Jessie was released, so we'll use the official upstream repository to get it.
Here's an extract of my Dockerfile to enable this extension:
|
# Suhosin upstream repository for Debian Jessie
RUN echo 'deb http://repo.suhosin.org/ debian-jessie main' >> /etc/apt/sources.list
# Trust the repository signing key (-fsSL makes curl fail loudly instead of piping an error page into apt-key)
RUN curl -fsSL https://sektioneins.de/files/repository.asc | apt-key add -
RUN apt-get update
RUN DEBIAN_FRONTEND=noninteractive apt-get -y \
    -o 'Dpkg::Options::=--force-confdef' -o 'Dpkg::Options::=--force-confold' \
    --no-install-recommends --no-install-suggests install php5-suhosin-extension
# Enable the extension for every PHP SAPI
RUN php5enmod suhosin
|
- Treat the symptoms, as well as the cause
So now you're using a different SMTP server to relay emails coming from the insecure website. To avoid spamming the world and/or overloading the Internet connection, we'll set up rate limiting on the Postfix server.
We'll use postfwd for this.
If you are using Debian Wheezy, make sure to get the one from backports; the default one is completely broken.
Then we set up a rule enforcing that each client_address (the IP connecting to this SMTP server) cannot send more than 5 emails every 5 minutes.
Create a new /etc/postfix/postfwd.cf configuration file containing the following:
|
# RULE001: at most 5 messages per client IP in any 300-second window;
# beyond that, answer with a 450 temporary error
id=RULE001; action=rate(client_address/5/300/450 4.7.1: $$client_address: only 5 messages per 5 minutes allowed)
|
Then set STARTUP=1 in /etc/default/postfwd.
Then edit your Postfix configuration in /etc/postfix/main.cf to add a new smtpd_recipient_restrictions setting like this:
|
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10040,
    permit_mynetworks,
    reject_unauth_destination,
    permit
|
The check_policy_service restriction asks postfwd, listening on port 10040, for a policy action for each recipient. When no rule matches, postfwd answers DUNNO and Postfix simply moves on to the next restriction; when the rate has been exceeded, postfwd replies with the rule's 450 temporary error and Postfix tells the client to try again later (the message stays in the client's queue rather than being lost).
Beware of the order: in this example, even hosts allowed to relay through this SMTP server (those listed in $mynetworks) are rate-limited, because check_policy_service is evaluated before permit_mynetworks gets a chance to end the evaluation.
The reason is that this SMTP server is outside the main corporate network and I don't trust any of the hosts using it.
Here's another snippet from a production server. Note the different order: permit_mynetworks and permit_sasl_authenticated come first and end the evaluation, so trusted and authenticated clients are never rate-limited, and reject_unauth_destination then turns away any other client trying to relay, which leaves the policy check applying only to mail for this server's own domains:
|
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10040,
    permit
|
If you don't have this setting yet, you can get the default value on your system by running:
|
postconf smtpd_recipient_restrictions |
I suggest always adding "permit" as the last action: even if it's implicit, adding it makes the workflow much easier to understand.
You can now restart both services and check the log files:
|
service postfwd restart
service postfix restart
|
|
Feb 10 08:27:10 server postfwd2/policy[14962]: [RULES] rule=0, id=RULE001, client=server.some.domain[123.123.123.123], sender=<edith_alford@some.domain>, recipient=<bukuballs@gmail.com>, helo=<server.some.domain>, proto=SMTP, state=RCPT, rate=rate/6/0.00s, delay=0.00s, hits=RULE001, action=450 4.7.1: 123.123.123.123: only 5 messages per 5 minutes allowed
Feb 10 08:27:10 server postfix/smtpd[15881]: NOQUEUE: reject: RCPT from server.some.domain[123.123.123.123]: 450 4.7.1 <bukuballs@gmail.com>: Recipient address rejected: 4.7.1: 123.123.123.123: only 5 messages per 5 minutes allowed; from=<edith_alford@some.domain> to=<bukuballs@gmail.com> proto=SMTP helo=<server.some.domain>
Feb 10 08:27:10 server postfix/smtpd[15881]: disconnect from server.some.domain[123.123.123.123]
Feb 10 08:27:10 server postfix/smtpd[15881]: connect from server.some.domain[123.123.123.123]
Feb 10 08:27:10 server postfwd2/policy[14962]: [RULES] rule=0, id=RULE001, client=server.some.domain[123.123.123.123], sender=<edith_alford@some.domain>, recipient=<bukucat311@charter.net>, helo=<server.some.domain>, proto=SMTP, state=RCPT, rate=rate/6/0.00s, delay=0.00s, hits=RULE001, action=450 4.7.1: 123.123.123.123: only 5 messages per 5 minutes allowed
|
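The `rate=rate/6` in that log is the sixth RCPT from the same client inside the 300-second window tripping RULE001. To make both the rule's semantics and the ordering caveat above concrete without a mail server, here is an added example (not from the post, not postfwd's own code): a toy sliding-window model of `rate(client_address/5/300/...)`, a parser for the Postfix policy-delegation request format, and a walk over the two `smtpd_recipient_restrictions` lists from this post. The `$mynetworks` host `10.0.0.5`, the domain `example.org` and the request attributes are constructed, and the real postfwd counter has options this model leaves out.

```python
# Added example, not from the original post: toy model of postfwd's rate()
# rule and of how Postfix walks smtpd_recipient_restrictions.
from collections import deque


def parse_policy_request(raw):
    """Parse one Postfix policy-delegation request: 'name=value' lines
    terminated by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def format_policy_response(action):
    """The reply Postfix expects back from a policy server."""
    return "action=%s\n\n" % action


class RateRule:
    """Approximation of 'rate(<item>/<max>/<seconds>/<action>)': at most <max>
    requests per <item> value inside a sliding window of <seconds> seconds.
    The clock is injected so the window can be exercised without sleeping."""

    def __init__(self, rule_id, item, max_count, seconds, action, clock):
        self.rule_id, self.item = rule_id, item
        self.max_count, self.seconds = max_count, seconds
        self.action, self.clock = action, clock
        self.hits = {}  # item value -> timestamps of recent requests

    def evaluate(self, request):
        key = request[self.item]
        now = self.clock()
        window = self.hits.setdefault(key, deque())
        while window and now - window[0] >= self.seconds:
            window.popleft()  # forget hits that fell out of the window
        window.append(now)
        if len(window) > self.max_count:
            # postfwd expands $$<attribute> inside the action text
            return self.action.replace("$$" + self.item, key)
        return "DUNNO"  # no opinion: Postfix continues with the next restriction


def evaluate_restrictions(restrictions, request, rule, mynetworks, my_domains):
    """Walk a restriction list the way Postfix does: the first restriction that
    permits, rejects or defers decides; DUNNO hands over to the next one.
    Only the restrictions used in the post are modelled."""
    for r in restrictions:
        if r == "permit_mynetworks" and request["client_address"] in mynetworks:
            return ("PERMIT", r)
        if r == "permit_sasl_authenticated" and request.get("sasl_username"):
            return ("PERMIT", r)
        if r == "reject_unauth_destination":
            if request["recipient"].rpartition("@")[2] not in my_domains:
                return ("REJECT 554 5.7.1 Relay access denied", r)
        if r.startswith("check_policy_service"):
            action = rule.evaluate(request)
            if action != "DUNNO":
                return (action, r)
        if r == "permit":
            return ("PERMIT", r)
    return ("PERMIT", "implicit")


def simulate(restrictions, n_messages):
    """Send n_messages RCPT requests, one second apart, from a $mynetworks
    host and return the (decision, deciding restriction) pair for each."""
    clock = [0.0]
    rule = RateRule("RULE001", "client_address", 5, 300,
                    "450 4.7.1: $$client_address: only 5 messages per 5 minutes allowed",
                    clock=lambda: clock[0])
    raw = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"      # constructed
           "client_address=10.0.0.5\nsender=cms@example.org\n"
           "recipient=someone@example.com\n\n")
    results = []
    for _ in range(n_messages):
        clock[0] += 1.0
        request = parse_policy_request(raw)
        results.append(evaluate_restrictions(
            restrictions, request, rule, {"10.0.0.5"}, {"example.org"}))
    return results


# First main.cf snippet: the policy check runs before permit_mynetworks.
POLICY_FIRST = ["check_policy_service inet:127.0.0.1:10040", "permit_mynetworks",
                "reject_unauth_destination", "permit"]
# Production snippet: permit_mynetworks decides first for trusted hosts.
MYNETWORKS_FIRST = ["permit_mynetworks", "permit_sasl_authenticated",
                    "reject_unauth_destination",
                    "check_policy_service inet:127.0.0.1:10040", "permit"]

if __name__ == "__main__":
    for name, order in (("policy first", POLICY_FIRST), ("mynetworks first", MYNETWORKS_FIRST)):
        for i, (decision, by) in enumerate(simulate(order, 6), 1):
            print("%-16s message %d: %s  [%s]" % (name, i, decision, by))
```

With the policy check first, messages 1 to 5 are permitted by permit_mynetworks and the sixth comes back as the 450 from RULE001, which is what the postfwd log above shows; with permit_mynetworks first, all six are permitted and the policy service never even sees the trusted host.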
Of course, postfwd has many more features; check its online documentation!