php mail form compromised ?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

phatkodi
Forum Newbie
Posts: 1
Joined: Wed Nov 18, 2009 11:30 am

php mail form compromised ?

Post by phatkodi »

I have a pretty large site with a few different mail scripts. I am using modified versions of Jack's Formmail and also my own. I have been getting some spam recently and I believe it is coming from one of those scripts, but I don't know which one. Is there a way to identify the script that is being used? I have checked the HTTP access logs and haven't really seen anything that looks like it could be someone misusing any of the forms. Here are the headers of the spam.

V8
T1258513839
K1258513849
N1
P32355
Mreply: read error from [127.0.0.1]
F8bs
$_apache@localhost
${daemon_flags}c u
Sinfo@mydomain.com
MDeferred: Connection reset by [127.0.0.1]
C:paolino_74@libero.it
rRFC822; paolino_74@libero.it
RPFD:paolino_74@libero.it
H?P?Return-Path: <g>
H??Received: (from apache@localhost)
by mail.mydomain.com (8.13.8/8.13.8/Submit) id nAI3AdIP030555;
Tue, 17 Nov 2009 22:10:39 -0500
H?D?Date: Tue, 17 Nov 2009 22:10:39 -0500
H?M?Message-Id: <200911180310.nAI3AdIP030555@mail.mydomain.com>
H??X-Authentication-Warning: mail.mydomain.com: apache set sender to info@mydomain.com using -f
H??To: paolino_74@libero.it
H??Subject: Comunicazioni sicure da BancoPosta 17/11/09
H??From: Poste Italiane S.p.A. <session5060@posteitaliane.it>
H??MIME-Version: 1.0
H??Content-Type: text/html
H??Content-Transfer-Encoding: 8bit


So is this an injection? It definitely seems as though it is a PHP hack because of this line:

H??X-Authentication-Warning: mail.mydomain.com: apache set sender to info@mydomain.com using -f

but I haven't found any documentation that would lead me to believe it is the Jack's Formmail script. Anyone have any ideas or suggestions to point me in the right direction?

Thanks
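Added example, not part of the original posts: one way to narrow down the sending script is to take the queue creation time from the `T` line of the queue file above and list the POST requests the web server logged within a few seconds of it. The access-log lines, script paths and client addresses below are constructed for illustration, and the log is assumed to be in Apache common/combined format.

```python
import re
from datetime import datetime

# Constructed excerpt of the queue file from the post (selected lines only).
QF = """T1258513839
Sinfo@mydomain.com
H??X-Authentication-Warning: mail.mydomain.com: apache set sender to info@mydomain.com using -f
H??Subject: Comunicazioni sicure da BancoPosta 17/11/09
"""

# Constructed access-log lines; paths and client addresses are hypothetical.
ACCESS_LOG = """192.0.2.10 - - [17/Nov/2009:22:04:12 -0500] "GET /contact.php HTTP/1.1" 200 5120
198.51.100.7 - - [17/Nov/2009:22:10:38 -0500] "POST /cgi/formmail.php HTTP/1.1" 200 312
192.0.2.44 - - [17/Nov/2009:22:10:39 -0500] "GET /index.php HTTP/1.1" 200 9001
198.51.100.7 - - [17/Nov/2009:22:31:02 -0500] "POST /newsletter/send.php HTTP/1.1" 200 290
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_qf(text):
    """Return the queue creation time (T line, epoch seconds) and the H headers."""
    info = {"created": None, "headers": {}}
    for line in text.splitlines():
        if line.startswith("T") and line[1:].isdigit():
            info["created"] = int(line[1:])
        elif line.startswith("H"):
            # H?flags?Name: value -> drop the ?flags? prefix
            m = re.match(r"H\?[^?]*\?([^:]+):\s*(.*)", line)
            if m:
                info["headers"][m.group(1)] = m.group(2)
    return info

def candidate_requests(log_text, created, window=5):
    """POST requests logged within `window` seconds of the queue time."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, _status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if method == "POST" and abs(ts - created) <= window:
            hits.append((ip, path, int(ts - created)))
    return hits

if __name__ == "__main__":
    qf = parse_qf(QF)
    print(qf["headers"].get("Subject"), candidate_requests(ACCESS_LOG, qf["created"]))
```

If no request falls inside the window, repeat the search over the logs of every virtual host served by the same `apache` user, since the queue file only records that user, not the site.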
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: php mail form compromised ?

Post by kaisellgren »

Care to share the code?