Concern about my site

17 Replies - 3039 Views - Last Post: 24 September 2014 - 01:49 AM

#1 chris98


Posted 05 September 2014 - 12:18 PM

I'm a bit concerned about my site: for the last several weeks, months now, I've been getting loads of spam and phishing emails. An example is shown below.

Quote

Your order #31244807386 will be shipped on 28-08-2014.

Date: August 27, 2014. 01:10pm
Price: £145.50
Payment method: Credit card
Transaction number: 7CBCE5054770

Please find the detailed information on your purchase in the attached file (sale_2014-08-27_12-25-35_31244807386.zip)

Best regards,
Sales Department
Bethel Duvall
07979-406751

{{Attachment}}


The issue is, I've now received an email from someone who appears to have got a phishing email from one of my site's email addresses, and I'm really, really concerned about this; it seems like I'm sending out phishing emails when I'm not. Now I may just be extremely paranoid about this, but is this another scam or should I take it seriously this time?

And more importantly, what should I do about it?

Quote

Hi,
what is this product as I do not remember ordering anything

Thanks

Sent from my iPhone

On 2 Sep 2014, at 13:47, "Tomeka Keser" <[email protected]> wrote:

Thank you for using our services!
Your order #31184341648 will be shipped on 07.09.2014.

Date: September 02, 2014. 01:21pm
Price: £117.38
Payment method: Wire transfer
Transaction number: 08FD195248F850EAC4

Please find the detailed information on your purchase in the attached file (item_2014-09-02_12-46-32_31184341648.arj)

Best regards,
Sales Department
Tomeka Keser
07570195412

This post has been edited by chris98: 05 September 2014 - 12:19 PM



Replies To: Concern about my site

#2 no2pencil


Posted 05 September 2014 - 12:22 PM

chris98, on 05 September 2014 - 03:18 PM, said:

it seems like I'm sending out phishing emails when I'm not.


1.) You should call your web host; they can go over the logs & let you know for sure if the email was sent. As well, if you are just paying for hosting (& not a VPS), there is nothing you can do to secure it.
2.) Research backscatter.
3.) Verify your mail server security with http://mxtoolbox.com/

#3 modi123_1


Posted 05 September 2014 - 12:22 PM

If they are spoofing your email address then there's not much you can do. If they wormed their way into your site and are actually sending out emails from it then I would advocate finding out where and shutting it down.

#4 no2pencil


Posted 05 September 2014 - 12:24 PM

Also, just to follow up. There is nothing to be proven by posting the spam here. To, From, these fields mean nothing. You need to check the message headers.

One other thing to add, welcome to the internet. Life here is a constant battle. The more popular your site becomes, the more it's exposed to these types of attacks (if this even is one). If you have email addresses on your site, short of not having them, there is nothing you can do to stop spammers from sending to, or forging from them.

& this really has nothing to do with web development. Moving to web servers & hosting, as your questions are about security while hosting a website.

#5 Sheepings


Posted 05 September 2014 - 01:46 PM

Apart from telling you what was already said, I would be more concerned about how emails are allegedly leaving your server. What is your website built upon? A CMS, or a standard php/html site? How can you send mail from your website, and what mail scripts do you have on your website, or do you know? What back-end control panel are you using? There are a variety of ways this can be done, hence my questions. If I was you, I'd get my host to do the leg work and secure any files which are being manipulated on their networks. This is partially their obligation to help you.

#6 chris98


Posted 06 September 2014 - 01:28 AM

1.)

Quote

Hello Chris,

This is part of sent emails log related to Your account:

....
[2014-08-29 17:53:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 17:54:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 17:55:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 17:56:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 17:57:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 17:58:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 17:59:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:00:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:01:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:02:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:03:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:04:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:05:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:06:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:07:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:08:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:09:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:10:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:11:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:12:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:13:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:14:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:15:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:16:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:17:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:18:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:19:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:20:02] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:21:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:22:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-29 18:23:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-30 11:34:01] * Queue monitor * AuthID: USER have 1 recipients in queue..
[2014-08-30 12:08:01] * Queue monitor * AuthID: USER have 1 recipients in queue..

Thank you for the question and good luck.

Many Thanks,
Justin P.
Help Desk Staff


This seems very phishy to me. I'm positive that emails weren't sent out this quickly. This is practically one per minute.

2.) My server IP is listed zero times out of 87 backscatter blacklists from the link you provided above. So it's when the server bounces the email back rather than simply rejecting it?

3.) Errors:

Quote

https strongholdnation.co.uk The Certificate has a name mismatch

I don't have an SSL certificate so that will be why.

Warnings:

Quote

spf strongholdnation.co.uk No SPF records found

dns strongholdnation.co.uk Bad Glue Detected

dns strongholdnation.co.uk Name Servers are on the Same Subnet

dns strongholdnation.co.uk SOA Refresh Value is outside of the recommended range

dns strongholdnation.co.uk SOA Expire Value out of recommended range

smtp strongholdnation.co.uk 5.756 seconds - Warning on Transaction Time


The actual email account sale (at) strongholdnation (dot) co (dot) uk does not exist. And I use no-reply (at) strongholdnation (dot) co (dot) uk for sending out emails. So if they've managed to send an email from my account, then they've compromised my entire system, which is extremely worrying, especially since I use FluxBB for emails and configuration.

Quote

There is nothing to be proven by posting the spam here. To, From, these fields mean nothing. You need to check the message headers.


I deleted the messages yesterday basically straight away as I considered them to be more spam. But I have checked a similar one and these were the headers:

Quote

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 03 Jul 2014 09:30:17 -0400
Received: from 69-162-118-19.static.loomhosts.net ([69.162.118.19]:59251 helo=mail.seotigers.net)
by srv62.hosting24.com with esmtp (Exim 4.82)
(envelope-from <[email protected]>)
id 1X2h5c-004H2o-2B
for [email protected]; Thu, 03 Jul 2014 09:30:17 -0400
Date: Thu, 3 Jul 2014 13:27:46 +0000
To: [email protected]
From: Courteney Williams <[email protected]>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_1b501abe2081a8f3a2cad324f407d759"
X-Spam-Status: Yes, score=6.1
X-Spam-Score: 61
X-Spam-Bar: ++++++
X-Spam-Report: Spam detection software, running on the system "<myserver>", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.


Quote

& this really has nothing to do with web development. Moving to web servers & hosting, as your questions are about security while hosting a website.


Sorry, I did look at the PHP and programming forums at first, but I didn't think of the web servers forum and thought the web development was the most appropriate out of those.

Quote

How on your website can you send mail and what mail scripts do you have on your website or do you know?


I use FluxBB's mailing functions:

<?php

/**
 * Copyright (C) 2008-2012 FluxBB
 * based on code by Rickard Andersson copyright (C) 2002-2008 PunBB
 * License: http://www.gnu.org/licenses/gpl.html GPL version 2 or higher
 */

// Make sure no one attempts to run this script "directly"
if (!defined('PUN'))
	exit;

require PUN_ROOT.'include/utf8/utils/ascii.php';

//
// Validate an email address
//
function is_valid_email($email)
{
	if (strlen($email) > 80)
		return false;

	// Local part: dot-separated atoms or a quoted string; domain: bracketed IPv4 literal or dotted labels
	return preg_match('%^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|("[^"]+"))@((\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])|(([a-zA-Z\d\-]+\.)+[a-zA-Z]{2,}))$%', $email);
}


//
// Check if $email is banned
//
function is_banned_email($email)
{
	global $pun_bans;

	foreach ($pun_bans as $cur_ban)
	{
		if ($cur_ban['email'] != '' &&
			($email == $cur_ban['email'] ||
			(strpos($cur_ban['email'], '@') === false && stristr($email, '@'.$cur_ban['email']))))
			return true;
	}

	return false;
}


//
// Only encode with base64, if there is at least one unicode character in the string
//
function encode_mail_text($str)
{
	if (utf8_is_ascii($str))
		return $str;

	return '=?UTF-8?B?'.base64_encode($str).'?=';
}


//
// Make a post email safe
//
function bbcode2email($text, $wrap_length = 72)
{
	static $base_url;

	if (!isset($base_url))
		$base_url = get_base_url();

	$text = pun_trim($text, "\t\n ");

	$shortcut_urls = array(
		'topic' => '/viewtopic.php?id=$1',
		'post' => '/viewtopic.php?pid=$1#p$1',
		'forum' => '/viewforum.php?id=$1',
		'user' => '/profile.php?id=$1',
	);

	// Split code blocks and text so BBcode in codeblocks won't be touched
	list($code, $text) = extract_blocks($text, '[code]', '[/code]');

	// Strip all bbcodes, except the quote, url, img, email, code and list items bbcodes
	$text = preg_replace(array(
		'%\[/?(?!(?:quote|url|topic|post|user|forum|img|email|code|list|\*))[a-z]+(?:=[^\]]+)?\]%i',
		'%\n\[/?list(?:=[^\]]+)?\]%i' // A separate regex for the list tags to get rid of some whitespace
	), '', $text);

	// Match the deepest nested bbcode
	// An adapted example from Mastering Regular Expressions
	$match_quote_regex = '%
		\[(quote|\*|url|img|email|topic|post|user|forum)(?:=([^\]]+))?\]
		(
			(?>[^\[]*)
			(?>
				(?!\[/?\1(?:=[^\]]+)?\])
				\[
				[^\[]*
			)*
		)
		\[/\1\]
	%ix';

	$url_index = 1;
	$url_stack = array();
	while (preg_match($match_quote_regex, $text, $matches))
	{
		// Quotes
		if ($matches[1] == 'quote')
		{
			// Put '>' or '> ' at the start of a line
			$replacement = preg_replace(
				array('%^(?=\>)%m', '%^(?!\>)%m'),
				array('>', '> '),
				$matches[2]." said:\n".$matches[3]);
		}

		// List items
		elseif ($matches[1] == '*')
		{
			$replacement = ' * '.$matches[3];
		}

		// URLs and emails
		elseif (in_array($matches[1], array('url', 'email')))
		{
			if (!empty($matches[2]))
			{
				$replacement = '['.$matches[3].']['.$url_index.']';
				$url_stack[$url_index] = $matches[2];
				$url_index++;
			}
			else
				$replacement = '['.$matches[3].']';
		}

		// Images
		elseif ($matches[1] == 'img')
		{
			if (!empty($matches[2]))
				$replacement = '['.$matches[2].']['.$url_index.']';
			else
				$replacement = '['.basename($matches[3]).']['.$url_index.']';

			$url_stack[$url_index] = $matches[3];
			$url_index++;
		}

		// Topic, post, forum and user URLs
		elseif (in_array($matches[1], array('topic', 'post', 'forum', 'user')))
		{
			$url = isset($shortcut_urls[$matches[1]]) ? $base_url.$shortcut_urls[$matches[1]] : '';

			if (!empty($matches[2]))
			{
				$replacement = '['.$matches[3].']['.$url_index.']';
				$url_stack[$url_index] = str_replace('$1', $matches[2], $url);
				$url_index++;
			}
			else
				$replacement = '['.str_replace('$1', $matches[3], $url).']';
		}

		// Update the main text if there is a replacement
		if (!is_null($replacement))
		{
			$text = str_replace($matches[0], $replacement, $text);
			$replacement = null;
		}
	}

	// Put code blocks and text together
	if (isset($code))
	{
		$parts = explode("\1", $text);
		$text = '';
		foreach ($parts as $i => $part)
		{
			$text .= $part;
			if (isset($code[$i]))
				$text .= trim($code[$i], "\n\r");
		}
	}

	// Put URLs at the bottom
	if ($url_stack)
	{
		$text .= "\n\n";
		foreach ($url_stack as $i => $url)
			$text .= "\n".' ['.$i.']: '.$url;
	}

	// Wrap lines if $wrap_length is higher than -1
	if ($wrap_length > -1)
	{
		// Split all lines and wrap them individually
		$parts = explode("\n", $text);
		foreach ($parts as $k => $part)
		{
			preg_match('%^(>+ )?(.*)%', $part, $matches);
			$parts[$k] = wordwrap($matches[1].$matches[2], $wrap_length -
				strlen($matches[1]), "\n".$matches[1]);
		}

		return implode("\n", $parts);
	}
	else
		return $text;
}

//
// This function was originally a part of the phpBB Group forum software phpBB2 (http://www.phpbb.com)
// They deserve all the credit for writing it. I made small modifications for it to suit PunBB and its coding standards
//
function server_parse($socket, $expected_response)
{
	$server_response = '';
	while (substr($server_response, 3, 1) != ' ')
	{
		if (!($server_response = fgets($socket, 256)))
			error('Couldn\'t get mail server response codes. Please contact the forum administrator.', __FILE__, __LINE__);
	}

	if (!(substr($server_response, 0, 3) == $expected_response))
		error('Unable to send email. Please contact the forum administrator with the following error message reported by the SMTP server: "'.$server_response.'"', __FILE__, __LINE__);
}


//
// This function was originally a part of the phpBB Group forum software phpBB2 (http://www.phpbb.com)
// They deserve all the credit for writing it. I made small modifications for it to suit PunBB and its coding standards.
//
function smtp_mail($to, $subject, $message, $headers = '')
{
	global $pun_config;

	$recipients = explode(',', $to);

	// Sanitize the message
	$message = str_replace("\r\n.", "\r\n..", $message);
	$message = (substr($message, 0, 1) == '.' ? '.'.$message : $message);

	// Are we using port 25 or a custom port?
	if (strpos($pun_config['o_smtp_host'], ':') !== false)
		list($smtp_host, $smtp_port) = explode(':', $pun_config['o_smtp_host']);
	else
	{
		$smtp_host = $pun_config['o_smtp_host'];
		$smtp_port = 25;
	}

	if ($pun_config['o_smtp_ssl'] == '1')
		$smtp_host = 'ssl://'.$smtp_host;

	if (!($socket = fsockopen($smtp_host, $smtp_port, $errno, $errstr, 15)))
		error('Could not connect to smtp host "'.$pun_config['o_smtp_host'].'" ('.$errno.') ('.$errstr.')', __FILE__, __LINE__);

	server_parse($socket, '220');

	if ($pun_config['o_smtp_user'] != '' && $pun_config['o_smtp_pass'] != '')
	{
		// Here we try to determine the *real* hostname (reverse DNS entry preferably)
		$local_host = php_uname('n');

		// Able to resolve name to IP
		if (($local_addr = @gethostbyname($local_host)) !== $local_host)
		{
			// Able to resolve IP back to name
			if (($local_name = @gethostbyaddr($local_addr)) !== $local_addr)
			{
				$local_host = $local_name;
			}
		}

		fwrite($socket, 'EHLO '.$local_host."\r\n");
		server_parse($socket, '250');

		fwrite($socket, 'AUTH LOGIN'."\r\n");
		server_parse($socket, '334');

		fwrite($socket, base64_encode($pun_config['o_smtp_user'])."\r\n");
		server_parse($socket, '334');

		fwrite($socket, base64_encode($pun_config['o_smtp_pass'])."\r\n");
		server_parse($socket, '235');
	}
	else
	{
		fwrite($socket, 'HELO '.$smtp_host."\r\n");
		server_parse($socket, '250');
	}

	fwrite($socket, 'MAIL FROM: <'.$pun_config['o_webmaster_email'].'>'."\r\n");
	server_parse($socket, '250');

	foreach ($recipients as $email)
	{
		fwrite($socket, 'RCPT TO: <'.$email.'>'."\r\n");
		server_parse($socket, '250');
	}

	fwrite($socket, 'DATA'."\r\n");
	server_parse($socket, '354');

	fwrite($socket, 'Subject: '.$subject."\r\n".'To: <'.implode('>, <', $recipients).'>'."\r\n".$headers."\r\n\r\n".$message."\r\n");

	fwrite($socket, '.'."\r\n");
	server_parse($socket, '250');

	fwrite($socket, 'QUIT'."\r\n");
	fclose($socket);

	return true;
}



The actual mailing function:

//
// Wrapper for PHP's mail()
//
function pun_mail($to, $subject, $message, $reply_to_email = '', $reply_to_name = '')
{
	global $pun_config, $lang_common;

	// Default sender/return address (board name hard-coded here instead of $lang_common)
	$shn = 'StrongholdNation';
	$from_name = $shn;
	$from_email = $pun_config['o_webmaster_email'];

	// Do a little spring cleaning
	$to = pun_trim(preg_replace('%[\n\r]+%s', '', $to));
	$subject = pun_trim(preg_replace('%[\n\r]+%s', '', $subject));
	$from_email = pun_trim(preg_replace('%[\n\r:]+%s', '', $from_email));
	$from_name = pun_trim(preg_replace('%[\n\r:]+%s', '', str_replace('"', '', $from_name)));
	$reply_to_email = pun_trim(preg_replace('%[\n\r:]+%s', '', $reply_to_email));
	$reply_to_name = pun_trim(preg_replace('%[\n\r:]+%s', '', str_replace('"', '', $reply_to_name)));

	// Set up some headers to take advantage of UTF-8
	$from = '"'.encode_mail_text($from_name).'" <'.$from_email.'>';
	$subject = encode_mail_text($subject);

	$headers = 'From: '.$from.PHP_EOL.'Date: '.gmdate('r').PHP_EOL.'MIME-Version: 1.0'.PHP_EOL.'Content-transfer-encoding: 8bit'.PHP_EOL.'Content-type: text/html; charset=utf-8'.PHP_EOL.'X-Mailer: FluxBB Mailer';

	// If we specified a reply-to email, we deal with it here
	if (!empty($reply_to_email))
	{
		$reply_to = '"'.encode_mail_text($reply_to_name).'" <'.$reply_to_email.'>';

		$headers .= PHP_EOL.'Reply-To: '.$reply_to;
	}

	// Make sure all linebreaks are LF in message (and strip out any NULL bytes)
	$message = str_replace("\0", '', pun_linebreaks($message));

	if ($pun_config['o_smtp_host'] != '')
	{
		// Headers should be \r\n
		// Message should be ??
		$message = str_replace("\n", "\r\n", $message);
		smtp_mail($to, $subject, $message, $headers);
	}
	else
	{
		// Headers should be \r\n
		// Message should be \n
		mail($to, $subject, $message, $headers);
	}
}



I would then send an email like the following:

$mail_tpl = trim(file_get_contents(PUN_ROOT.'lang/'.$pun_user['language'].'/mail_templates/banned_email_register.tpl'));

// The first row contains the subject
$first_crlf = strpos($mail_tpl, "\n");
$mail_subject = trim(substr($mail_tpl, 8, $first_crlf-8));
$mail_message = trim(substr($mail_tpl, $first_crlf));

$mail_message = str_replace('<username>', $username, $mail_message);
$mail_message = str_replace('<email>', $email1, $mail_message);
$mail_message = str_replace('<profile_url>', get_base_url().'/profile.php?id='.$new_uid, $mail_message);
$mail_message = str_replace('<board_mailer>', $pun_config['o_board_title'], $mail_message);

pun_mail($pun_config['o_mailing_list'], $mail_subject, $mail_message);



EDIT:

I've added an error_log() command to the pun_mail function. If any phishing emails are actually sent out from my account, I'll find out now.

This post has been edited by chris98: 06 September 2014 - 01:35 AM

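As an added example (not code from the thread or from FluxBB), this is the check no2pencil is pointing at: walk the Received chain to the relay that actually handed the message over, compare its HELO name with the From domain, and evaluate the originating IP against an SPF policy of the kind the MXToolbox report says the domain lacks. Every hostname, address, id and the SPF record below are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of the kind of header block quoted in the thread. Every
# hostname, address and id is a placeholder, not a value from the real messages.
SAMPLE_HEADERS = (
    "Return-path: <sale@example.co.uk>\n"
    "Envelope-to: victim@example.net\n"
    "Received: from relay19.static.hoster.example ([198.51.100.19]:59251 "
    "helo=mail.spammer.example)\n"
    "\tby mx.example.net with esmtp (Exim 4.82)\n"
    "\t(envelope-from <sale@example.co.uk>)\n"
    "\tid 1ABCDE-000001-AB\n"
    "\tfor victim@example.net; Thu, 03 Jul 2014 09:30:17 -0400\n"
    "Date: Thu, 3 Jul 2014 13:27:46 +0000\n"
    "To: victim@example.net\n"
    "From: Sales Department <sale@example.co.uk>\n"
)

# Constructed SPF policy the domain owner could publish: only the site's own
# outbound host may send for the domain, any other source hard-fails.
SAMPLE_SPF = {"example.co.uk": "v=spf1 ip4:203.0.113.10 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def unfold_headers(raw):
    """Return [(name, value)] with RFC 5322 folded continuation lines re-joined."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_received(value):
    """Connecting IP, HELO name and receiving host from one Received header."""
    ip = re.search(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", value)
    helo = re.search(r"helo=([^\s)]+)", value)
    by = re.search(r"\bby\s+(\S+)", value)
    return {"ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by": by.group(1) if by else None}


def originating_relay(headers):
    """Received headers are prepended per hop, so the last one is the hop the
    receiving MX actually accepted the message from (nearest the sender)."""
    received = [v for n, v in headers if n == "received"]
    return parse_received(received[-1]) if received else None


def domain_of(address):
    """Domain of an address that may carry a display name or <> brackets."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def spf_check(ip, domain, spf_records):
    """Minimal SPF evaluation: ip4/ip6 mechanisms and the 'all' qualifier only
    (a, mx and include need DNS, so this offline version skips them)."""
    record = spf_records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"


def analyse(raw, spf_records):
    """Summarise who really sent the message and whether SPF would have caught it."""
    headers = unfold_headers(raw)
    fields = dict(headers)
    origin = originating_relay(headers) or {"ip": None, "helo": None, "by": None}
    from_domain = domain_of(fields.get("from", ""))
    # SPF is evaluated on the envelope sender (Return-path), not the From header
    spf_domain = domain_of(fields.get("return-path", "")) or from_domain
    findings = []
    if origin["helo"] and from_domain and not origin["helo"].endswith(from_domain):
        findings.append("HELO name %s does not belong to %s" % (origin["helo"], from_domain))
    spf = "none"
    if origin["ip"] and spf_domain:
        spf = spf_check(origin["ip"], spf_domain, spf_records)
    if spf == "none":
        findings.append("no SPF record for %s: receivers cannot reject forgeries" % spf_domain)
    elif spf in ("fail", "softfail"):
        findings.append("SPF %s: %s may not send for %s" % (spf, origin["ip"], spf_domain))
    return {"from_domain": from_domain, "origin_ip": origin["ip"],
            "helo": origin["helo"], "spf": spf, "findings": findings}
```

Run `analyse(SAMPLE_HEADERS, {})` to see the verdict without a published record and `analyse(SAMPLE_HEADERS, SAMPLE_SPF)` to see how the same forgery turns into a hard SPF fail once one exists.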

#7 no2pencil


Posted 06 September 2014 - 08:22 AM

Looking up ip : 69.162.118.19

Quote

$ nslookup -a 69.162.118.19
*** Invalid option: a
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
19.118.162.69.in-addr.arpa name = 69-162-118-19.static.loomhosts.net.


What is iseoexperts.net? Is this the 'from' address?

Quote

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 03 Jul 2014 09:30:17 -0400
Received: from 69-162-118-19.static.loomhosts.net ([69.162.118.19]:59251 helo=mail.seotigers.net)


#8 chris98


Posted 06 September 2014 - 09:50 AM

Yes, that's the from address. I've been checking more emails, and so far only the ones sent from my site have been sent out. I'm guessing it will probably not happen again for a while.

I did also email the person who claimed to get an email from my site's address and asked for the message they got to be forwarded, they have yet to reply but the account did exist that I received the email from.

#9 Sheepings


Posted 06 September 2014 - 10:25 AM

At a quick glance on Google, your software is riddled with problems, and upcoming problems. Like all popular products, it comes with people trying to exploit it.

I recommend you convert to a commercial product for more security, except this time, do your homework on the software you choose. What made you use FluxBB over SMF or Invision Power Board? (Not that any of them are not exploitable) - they all are, but some offer more security than others.

If your mailing issue gets out of hand, you and your server/host may end-up on a blacklist. Something you should avoid. Have you been over to the Flux forums about this yet? Maybe they know more about it.

#10 Sheepings


Posted 06 September 2014 - 10:44 AM

One more thing, you said ' If any phishing emails are actually sent out from my account, I'll find out now. '

You don't actually require access to the administrative back-end if there is an externally exploitable script. Secondly, if someone did get into your account, they are not going to email just one user; they will email hundreds or the whole board, which led me to think you have a hole in your software somewhere. My advice is to contact the creators of the board software for advice. (But they don't seem to like to hear that their software is being exploited, from what I read.) Watch how you word it.

Does your host use Mod-Security by any chance? Just curious, and have you dug into the server logs? It would not be hard to pin-point an executing script at the specific time the message was sent. If you feel lazy, get your host to do that for you Chris. ;)

#11 chris98


Posted 06 September 2014 - 11:02 AM

When I chose FluxBB, I was very new - newer than I was when I first came here, and completely clueless. I had just started, found it all very confusing and just wanted something that would work. I tried loads of forum software and none of them seemed to work for me. (I know now it was probably due to the fact I was so new). I absolutely despise phpbb, because of several things:

1.) It's far too heavy and slow
2.) It has stupid variable names (i.e. in the URL of viewtopic.php it has a forum id and a topic id, yet even when you remove the forum id it still works, so it's completely pointless being there), and the GET indexes in my opinion are stupidly named - f=123&t=456. id is much better. Maybe it is OCD related, I do have a way of wanting things to be perfect, so that could be why I don't like it.
3.) When I first started, it was complex; I thought having to log in to use administration was stupid (not so much now) and I thought it was also pretty stupid (and pointless) having two posting files - one for quick post and one for normal posting.

SMF:

When I first started, it was too big and complex for me to use. It does have rewritten URLs, but again I'm not really that fond of it.

IPS:

It's good, I have looked into it. But it does have things that I wouldn't necessarily want in my core. And as with all those kinds of software (correct me if I'm wrong) it has to connect to Invision Power to verify the license. It would be very hard to modify (as I have no understanding of classes) and most of the mods are commercial as well. It's certainly a lot better than phpbb (and vBulletin for that matter), but out of all the software I looked at (I also had a look later down the line to see if I still thought FluxBB was best) FluxBB was the one that really worked for me.

By chance, I came across a link to FluxBB, and it had everything I needed. It wasn't slow, it had no unnecessary junk and I was impressed with how flexible it was. Later, when I started to edit/view the source code, it was very easy to pick up, so I've made a couple of very successful mods based on the features other forum software have (i.e. IPS' user's position online).

I currently have FluxBB 1.5.3. I have updated & fixed the XSS issue, but the mailing functions have been updated since 1.5.3. However, I don't remember anything about security. Still, I'll update the mailing functions to the latest (1.5.6), let them know and report back as to what I find out. Thanks for all your help so far.

I've been in touch with my host and they do support mod_security by default. The only log that I have had access to is the one I posted above (and I had to drag that out of them).

#12 chris98


Posted 08 September 2014 - 08:53 AM

Ok, I've received another one (about a phishing email sent on September 2nd), and here are the message headers of it:

Quote

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 08 Sep 2014 07:06:23 -0400
Received: from mail-la0-f49.google.com ([209.85.215.49]:35685)
by srv62.hosting24.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.82)
(envelope-from <[email protected]>)
id 1XQwm6-002Vs2-3Z
for [email protected]; Mon, 08 Sep 2014 07:06:23 -0400
Received: by mail-la0-f49.google.com with SMTP id b17so17049457lan.22
for <[email protected]>; Mon, 08 Sep 2014 04:06:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:content-type;
bh=i9eOafN3rGlurC9FM3dDye/rpZtTI0Ud12ekLpbG2uE=;
b=GzkKvd8vPQBQEcHLkmyOHa1qC/cyF0Q3w4XnCeLPzZvchSjMLwUQ6ILpdAUPn4WE8w
hfVBXlkcyTwytO8ysmzs3NHCx/29xUuO0i0bzxgbGNUs2m/pGeSGOlQYLsJQv1e10+vi
pxFhvJPadFyWi4JjJzh1SevDlyu1S1scl4pcoLt//eVzg0dPuBzdgZdDgCcrALPYzqAx
o22PXHig3DDbyVNS71eJN7z4QlF3uDy/B4nAumQ6li6drN6qdHZXIDwVpk8wQDfLitZY
aED1PidxOAo47v2G9IQ5QRYRlZD/nqcM0FzZSHBUakIQKZzvwd9JpqYp5/QuNfVvf23o
JtBw==
MIME-Version: 1.0
X-Received: by 10.112.150.106 with SMTP id uh10mr26703649lbb.11.1410174374066;
Mon, 08 Sep 2014 04:06:14 -0700 (PDT)
Received: by 10.114.183.228 with HTTP; Mon, 8 Sep 2014 04:06:13 -0700 (PDT)
Received: by 10.114.183.228 with HTTP; Mon, 8 Sep 2014 04:06:13 -0700 (PDT)
In-Reply-To: <{59D723DF-13FF-4CE0-96E1-4BA2E7687730}@mysite.whatever>
References: <{59D723DF-13FF-4CE0-96E1-4BA2E7687730}@mysite.whatever>
Date: Mon, 8 Sep 2014 12:06:13 +0100
Message-ID: <CAFgUEp53SQ6wbEr0k5XK_9_jNvFGuT4YEGHyDCuygw9jk=YC[email protected]>
Subject: Re: Order no. 31184341648
From: Latanya Bias <[email protected]>
To: Tomeka Keser <[email protected]>
Content-Type: multipart/alternative; boundary=047d7b34340ca3bac805028bce59
X-Spam-Status: No, score=-0.8
X-Spam-Score: -7
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "srv62.hosting24.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

Content preview: Every ordre is this ? On 2 Sep 2014 13:47, "Tomeka Keser"
wrote: > Thank you for using our services! > Your order #31184341648 will
be shipped on 07.09.2014. > > Date: September 02, 2014. 01:21pm > Price: £117.38
> Payment method: Wire transfer > Transaction number: 08FD195248F850EAC4
> > Please find the detailed information on your purchase in the attached
file > (item_2014-09-02_12-46-32_31184341648.arj) > > Best regards, > Sales
Department > Tomeka Keser > +07570195412 [...]

Content analysis details: (-0.8 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(latanyabias[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[209.85.215.49 listed in list.dnswl.org]
X-Spam-Flag: NO

--047d7b34340ca3bac805028bce59
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Every ordre is this ?
On 2 Sep 2014 13:47, "Tomeka Keser" <[email protected]> wrote:

> Thank you for using our services!
> Your order #31184341648 will be shipped on 07.09.2014.
>
> Date: September 02, 2014. 01:21pm
> Price: =C2=A3117.38
> Payment method: Wire transfer
> Transaction number: 08FD195248F850EAC4
>
> Please find the detailed information on your purchase in the attached fil=
e
> (item_2014-09-02_12-46-32_31184341648.arj)
>
> Best regards,
> Sales Department
> Tomeka Keser
> +07570195412

--047d7b34340ca3bac805028bce59
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr">Every ordre is this ?</p>
<div class=3D"gmail_quote">On 2 Sep 2014 13:47, &quot;Tomeka Keser&quot; &l=
t;<a href=3D"mailto:[email protected]">[email protected]=
k</a>&gt; wrote:<br type=3D"attribution"><blockquote class=3D"gmail_quote" =
style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Tha=
nk you for using our services!<br>
Your order #31184341648 will be shipped on 07.09.2014.<br>
<br>
Date: September 02, 2014. 01:21pm<br>
Price: =C2=A3117.38<br>
Payment method: Wire transfer<br>
Transaction number: 08FD195248F850EAC4<br>
<br>
Please find the detailed information on your purchase in the attached file =
(item_2014-09-02_12-46-32_31184341648.arj)<br>
<br>
Best regards,<br>
Sales Department<br>
Tomeka Keser<br>
+07570195412</blockquote></div>

--047d7b34340ca3bac805028bce59--


I've updated my PHP code to that of the latest version of FluxBB but all I can do now is wait and hope. How hopeful does this look that it's not a legit email sent to me?

EDIT: Here is the full log.

https://gist.github....34148ec4918bc2d

EDIT 2: Removed Domain name.

EDIT 3: Here are some logs from the link above - they are being sent, aren't they?

Quote

[email protected]
1XOnUX-001aSR-EX
Message accepted
View Details Read Mail Message
success
<>
Sep 2, 2014 3:47:15 PM


And:

[email protected]
1XOnix-001fCX-Ra
Message accepted
View Details Read Mail Message
success
[email protected]
Sep 2, 2014 4:02:16 PM

And:

[email protected]
1XOnU4-001aF9-Ei
Message accepted
View Details Read Mail Message
rejected
[email protected]sound-improvements.co.uk
Sep 2, 2014 3:46:15 PM


EDIT 4: As a security precaution, I've temporarily completely disabled all outgoing emails from my site.

This post has been edited by chris98: 08 September 2014 - 11:27 AM


#13 Sheepings

  • D.I.C Addict
  • Reputation: 73
  • Posts: 571
  • Joined: 05-December 13

Re: Concern about my site

Posted 11 September 2014 - 06:05 PM

Sheepings, on 06 September 2014 - 05:44 PM, said:

It would not be hard to pin-point an executing script at the specific time the message was sent. If you feel lazy, get your host to do that for you Chris. ;)

All these messages are irrelevant if you are going to ignore my advice. As I said, a server records all executing scripts to a server log; cPanel does this by default. If you match the time an email is sent to that of an executing script, you will find which script is sending the emails, and then you can use a kill script to kill it any time it's executed... I can't give you more advice as I don't know what your server setup is. Contact your host to track this. :)
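One way to do the matching Sheepings describes (mail-log timestamps against the scripts that executed just before them) is shown below. This is an added example for this thread, not code from any post in it. It assumes two constructed inputs: a mail log in the style of the cPanel "Track Delivery" rows chris98 quoted above (sender|Exim id|status|recipient|timestamp, a format chosen for the example), and Apache combined-format access-log lines for PHP requests on the same host. The sender and recipient addresses are placeholders, the request paths and IPs are made up, and only the Exim message ids are reused from the thread.

```python
"""Correlate outgoing-mail log entries with web-server access-log hits.

Added example for this thread, not code from any post in it. It assumes two
constructed inputs in formats chosen for the example:
  MAIL_LOG   - one line per outgoing message in the style of the cPanel
               "Track Delivery" rows quoted above: sender|exim id|status|
               recipient|timestamp.
  ACCESS_LOG - Apache combined-format lines for PHP requests on the same host.
Both logs are assumed to be in the server's local time; the access log's
UTC offset is dropped rather than converted.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (placeholder domain; Exim ids reused from the thread).
MAIL_LOG = """\
sales@example.invalid|1XOnU4-001aF9-Ei|rejected|victim1@example.invalid|Sep 2, 2014 3:46:15 PM
sales@example.invalid|1XOnUX-001aSR-EX|success|<>|Sep 2, 2014 3:47:15 PM
forum@example.invalid|1XOnix-001fCX-Ra|success|victim2@example.invalid|Sep 2, 2014 4:02:16 PM
"""

# Constructed access-log lines; /forum/img/unexpected.php is a made-up path
# standing in for a file the forum software does not normally serve.
ACCESS_LOG = """\
203.0.113.5 - - [02/Sep/2014:15:46:12 +0100] "POST /forum/post.php HTTP/1.1" 302 -
203.0.113.5 - - [02/Sep/2014:15:47:11 +0100] "GET /forum/img/unexpected.php?a=b HTTP/1.1" 200 17
198.51.100.9 - - [02/Sep/2014:15:50:01 +0100] "GET /forum/index.php HTTP/1.1" 200 8123
203.0.113.5 - - [02/Sep/2014:16:02:14 +0100] "GET /forum/img/unexpected.php?a=b HTTP/1.1" 200 17
"""

MAIL_TS = "%b %d, %Y %I:%M:%S %p"
ACCESS_TS = "%d/%b/%Y:%H:%M:%S %z"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def parse_mail_log(text):
    """Return one dict per outgoing message, including rejected attempts:
    a rejected message still shows that something on the host tried to send."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sender, msg_id, status, rcpt, ts = line.split("|")
        entries.append({"sender": sender, "id": msg_id, "status": status,
                        "rcpt": rcpt, "time": datetime.strptime(ts, MAIL_TS)})
    return entries


def parse_access_log(text):
    """Return one dict per request, with the query string stripped from the path."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), ACCESS_TS).replace(tzinfo=None)
        hits.append({"ip": m.group("ip"),
                     "path": m.group("path").split("?")[0],
                     "time": when})
    return hits


def correlate(mail_entries, hits, window_seconds=10):
    """Map each Exim message id to the PHP requests that ran in the
    window_seconds before the mail log recorded the message."""
    window = timedelta(seconds=window_seconds)
    result = {}
    for msg in mail_entries:
        result[msg["id"]] = [
            h for h in hits
            if h["path"].endswith(".php")
            and msg["time"] - window <= h["time"] <= msg["time"]]
    return result


def suspect_scripts(mail_entries, hits, window_seconds=10):
    """Count, per script path, how many outgoing messages it immediately
    preceded. A script that keeps showing up just before sends, and that the
    forum software does not normally serve, is the one to inspect first."""
    counts = defaultdict(int)
    for candidates in correlate(mail_entries, hits, window_seconds).values():
        for path in {h["path"] for h in candidates}:
            counts[path] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    mail = parse_mail_log(MAIL_LOG)
    web = parse_access_log(ACCESS_LOG)
    for msg_id, cands in correlate(mail, web).items():
        print(msg_id, [(h["time"].strftime("%H:%M:%S"), h["ip"], h["path"])
                       for h in cands])
    print(suspect_scripts(mail, web))
```

Run against real logs, the useful output is the ranking from suspect_scripts: the legitimate forum script (post.php here) is expected to precede some mail, while a file outside the forum's normal set that precedes every send is what to open and compare against the stock FluxBB release. Because the host in this thread rotated its mail log before it could be read, copy both logs off the server as soon as a suspicious send is noticed rather than relying on them staying available.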

#14 chris98

  • D.I.C Lover
  • Reputation: 40
  • Posts: 1,100
  • Joined: 06-July 13

Re: Concern about my site

Posted 14 September 2014 - 11:02 AM

Quote

As I said, a server records all executing scripts to a server log, Cpanel does this by default.


Does cPanel also clear this log on a regular basis? I asked my host about this but they just stated:

Quote

Hello Chris,

We regret to inform you that our email log was just cleaned by an automated system. We kindly apologize for any inconvenience this may have caused you.

Thank you for understanding.

I hope that I have addressed all of your concerns, but please feel free to reply to this ticket if you require further assistance.

Regards,
Andrew G.
Help Desk Staff


I suspect that it was them trying to get rid of me as I'd been asking a couple of questions prior, but I'm not sure whether cPanel can or not. I've been in contact since and no more emails have been sent out, so it's really just a matter of waiting a few days for more emails to be sent out and checking them against the list then. Sorry, I must have misread your post.

My host has now enabled SPF to stop further backscatter, but I'll let you know the eventual outcome, thanks for your help so far :)

#15 Sheepings

  • D.I.C Addict
  • Reputation: 73
  • Posts: 571
  • Joined: 05-December 13

Re: Concern about my site

Posted 14 September 2014 - 12:34 PM

Don't rely on Sender Policy Framework; that is not going to save you if you have a dodgy script in your CMS forum. That's a typical bullshit reply from a host who is meant to care for your website's security, don't you think? Find yourself a new host, and preferably a VPS server where you can manage your own security and logs. They are also cheap, and I can recommend you one if you want.

I'd also recommend you port your forum to another forum software which offers more security against XSS attacks, which your forum lacks security against.

On the positive side: if the attacker is only sending one mail at a time, it most likely means that whatever method is being used is limiting their ability to send bulk mail. And like all major spammers, they want to do it in bulk and not one at a time!

If you'd like me to suggest to you any security enhancements for your server and website, just shoot me a PM when you get your own VPS.

Take care for now.