The Hijacking of Master Form
On Friday, October 3, 2003, I noticed a lot of email bounces suddenly being returned from @aol.com addresses.
At first, I wasn't alarmed. Our email addresses are misused a lot by spammers. We're known for our anti-spam stance and I believe it gives some spammers a perverted pleasure to put our email addresses into the From: line of spam they send out. So we get a lot of bounces as a result of such antics.
I opened one of the new set of bounces, like I usually do.
The bounced spam actually came from our server!
As soon as possible, I needed to disable the hijacked script. But, which script?
The @aol.com bounces provided only the headers. If they had bounced the entire email, I would immediately have known which script was being hijacked. Our Master Form and Master Form V3 email templates have characteristics that provide clues about which script was used. Except for demonstrations of other programs, those two are the only ones we use with forms that allow users to communicate to us from a web page.
As I studied the extensive header information of several of the bounces, I noticed the emails were being sent to a @bontragerconnection.com address. (The bouncing addresses were in a Bcc: header line.)
The @bontragerconnection.com address was a clue.
I FTP'd into the server and noticed that the Master Form submissions database was unusually large. (This database is a record of each "contact us" form submission from the bontragerconnection.com domain.)
That was the hijacked script. So I quickly renamed it from MasterForm.cgi to MasterForm.disabled. With that kind of name, it wouldn't run no matter how much any spammer coaxed it.
I was lucky. From noticing the bounces to the script being disabled took less than 5 minutes.
It was time to relax a bit and determine what my options were.
First, I checked the server error logs to see if the script was still being used. It was.
This told me the spammer was using an automated method of some kind. A human using the actual contact form would have noticed the 404 immediately and quit using it.
So I renamed the script to MasterForm2.cgi and changed the contact form's action="_______" to the new script name.
The contact form was back on line if anybody wanted to use it. Everything was back to normal.
Except the spammer's software was still submitting to the non-existing script.
And Master Form had a security hole that needed to be looked into and plugged. Many people use Master Form. An upgrade needed to be made and tested, quickly.
I checked the error logs again. The spammer was still trying to use the script that was no longer there.
S/He was quite sophisticated. More sophisticated than the spamming software being used. The spamming software should have noticed the 404 immediately and quit running. But it didn't.
The spammer had set up the software to emulate human frequency. There was one submission about every minute for five minutes. Then nothing for three or four minutes. Then three submissions all within the same minute. Then nothing for a while.
Consecutive form submissions had different IP addresses, too, which means the software was spoofing those.
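The two observations above (submissions kept arriving for a handler that now returned 404, and consecutive submissions came from different addresses) are exactly what a defender can check for in the web server's access log. The following is an added example, not part of this article and not Master Form's own code. It parses a few constructed Apache combined-format lines; the handler path /cgi-bin/MasterForm.cgi and the 198.51.100.x addresses are assumptions made up for the illustration. The idea is that a human visitor fetches the form page with a GET before submitting, and stops after the first 404, so a run of POSTs to a removed handler, spread over many minutes, from many addresses that never fetched anything, points to an automated submitter.

```python
import re
from datetime import datetime

# Constructed sample log lines (Apache combined log format). The handler
# path and the addresses are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2003:08:01:12 -0600] "GET /contact.html HTTP/1.1" 200 1840 "-" "Mozilla/4.0"
10.0.0.5 - - [03/Oct/2003:08:02:03 -0600] "POST /cgi-bin/MasterForm2.cgi HTTP/1.1" 200 612 "-" "Mozilla/4.0"
198.51.100.10 - - [03/Oct/2003:08:03:00 -0600] "POST /cgi-bin/MasterForm.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.11 - - [03/Oct/2003:08:04:05 -0600] "POST /cgi-bin/MasterForm.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.12 - - [03/Oct/2003:08:05:10 -0600] "POST /cgi-bin/MasterForm.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.13 - - [03/Oct/2003:08:11:40 -0600] "POST /cgi-bin/MasterForm.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.14 - - [03/Oct/2003:08:11:58 -0600] "POST /cgi-bin/MasterForm.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.15 - - [03/Oct/2003:08:19:22 -0600] "POST /cgi-bin/MasterForm.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
"""

# Pull out client address, timestamp, method, path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def summarize(log_text: str, removed_handler: str) -> dict:
    """Summarize POSTs that hit a form handler which no longer exists."""
    fetched_a_page = set()   # addresses that did a GET before posting
    posts = []               # (timestamp, ip, had_prior_get)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET":
            fetched_a_page.add(ip)
        elif method == "POST" and path == removed_handler and status == "404":
            posts.append((ts, ip, ip in fetched_a_page))
    span = 0.0
    if posts:
        times = [p[0] for p in posts]
        span = (max(times) - min(times)).total_seconds() / 60.0
    return {
        "posts_to_removed_handler": len(posts),
        "distinct_ips": len({p[1] for p in posts}),
        "posts_without_prior_get": sum(1 for p in posts if not p[2]),
        "span_minutes": span,
    }


def looks_automated(summary: dict, min_posts: int = 5, min_minutes: float = 10.0) -> bool:
    """Heuristic: many 404 POSTs, over a long span, mostly with no prior GET."""
    n = summary["posts_to_removed_handler"]
    return (
        n >= min_posts
        and summary["span_minutes"] >= min_minutes
        and summary["posts_without_prior_get"] > n // 2
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, "/cgi-bin/MasterForm.cgi")
    print(s)
    print("automated submitter suspected:", looks_automated(s))
```

The thresholds are deliberately loose; the point is to confirm what the article infers by eye, that the submitter ignores 404 responses, rather than to fingerprint any particular tool.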
My job, now, was to find out how the spammer managed to hijack Master Form. The hole needed to be plugged.
Earlier, I mentioned that Master Form updated a database whenever the contact form at bontragerconnection.com was used. It was that database that showed me how the hijacking occurred.
On Sunday, September 28, 2003 at 4:32 PM (USA, Mountain Time) someone using hotdak1@aol.com as a return address tested the form and found the security hole. S/He used the hole three times.
Both Master Form and Master Form V3 were vulnerable to the same exploit.
I won't describe how the hijacking occurred. Spammers read our articles, and I don't want to let the rest of them in on the method. The more people who upgrade Master Form and Master Form V3 before the rest of spammers find out how to do it, the less they can exploit.
If you use Master Form or Master Form V3, and if any of your email templates have placeholders in the header section, you are vulnerable. Update your installation right away. The URLs are later in this article.
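The article does not say what the hole was, and this example does not claim to. What it shows is the general rule any form-to-email script has to enforce when a form field is substituted into the header section of an outgoing message: the value must fit on one header line. This is an added illustration, not Master Form's code and not its template format; the [[PLACEHOLDER]] notation is borrowed from the article, the template below is constructed, and the choice of what to reject is this example's own assumption. Values bound for the header are refused outright if they contain line-ending or NUL characters, while the body is passed through unchanged, since a multi-line message is legitimate there.

```python
import re

# Constructed template. Everything above the first blank line is the header
# section, as in an RFC 822 message; the rest is the body.
TEMPLATE = """From: [[EMAIL]]
To: contact@example.invalid
Subject: Contact form: [[SUBJECT]]

Name: [[NAME]]
Message:
[[MESSAGE]]
"""

PLACEHOLDER = re.compile(r"\[\[([A-Z_]+)\]\]")

# Characters that could terminate a header line or start another one.
HEADER_UNSAFE = re.compile(r"[\r\n\x00]")


class UnsafeHeaderValue(ValueError):
    """Raised when a form value cannot safely occupy a single header line."""


def header_safe(value: str) -> str:
    """Return the value only if it can live on exactly one header line."""
    if HEADER_UNSAFE.search(value):
        raise UnsafeHeaderValue("control character in header-bound field")
    return value.strip()


def render(template: str, fields: dict) -> str:
    """Fill placeholders: strict check for the header section, plain
    substitution for the body. Missing fields become empty strings."""
    if "\n\n" in template:
        header, body = template.split("\n\n", 1)
    else:
        header, body = template, ""

    def sub_header(m):
        return header_safe(fields.get(m.group(1), ""))

    def sub_body(m):
        return fields.get(m.group(1), "")

    rendered_header = PLACEHOLDER.sub(sub_header, header)
    rendered_body = PLACEHOLDER.sub(sub_body, body)
    return rendered_header + "\n\n" + rendered_body


if __name__ == "__main__":
    ok = render(TEMPLATE, {
        "EMAIL": "visitor@example.invalid",
        "SUBJECT": "Question about hosting",
        "NAME": "A. Visitor",
        "MESSAGE": "First line.\nSecond line.",
    })
    print(ok)
    try:
        render(TEMPLATE, {"EMAIL": "visitor@example.invalid\n", "SUBJECT": "x"})
    except UnsafeHeaderValue as exc:
        print("rejected:", exc)
```

Rejecting rather than silently stripping is a deliberate choice: a stripped value hides the fact that someone is probing the form, whereas a rejection can be logged and noticed, which is how the author spotted the tests in the submissions database.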
On Thursday, October 2, 2003 at 4:04 PM (USA, Mountain Time) someone using hotdak3@aol.com as a return address tested the security hole three times, again.
Notice the email address of this test is similar to the previous test. The IP address of both, however, is exactly the same: 66.114.203.114
That IP address might have been spoofed, too. I speculate that it wasn't, though, because both tests had the same IP address and that particular IP address was never used in the spamming that started October 3.
When I did a DNS lookup on 66.114.203.114, this is what I found:
    WHOIS results for 66.114.203.114
    Generated by www.DNSstuff.com
    Country: UNITED STATES
    NOTE: More information appears to be available at NET-66-114-203-112-1.
    Focal Communications FOCC-SPRBLK-3 (NET-66-114-192-0-1)
        66.114.192.0 - 66.114.255.255
    Data Network Solutions FOCC-DNETIT-NJ-1 (NET-66-114-203-0-1)
        66.114.203.0 - 66.114.203.255
    New Brunswick Board of Education NEWBRUNSWICKBOE (NET-66-114-203-112-1)
        66.114.203.112 - 66.114.203.127
    # ARIN WHOIS database, last updated 2003-09-28 19:15
If the IP address used on September 28 and on October 2 when testing the script was not spoofed, then it appears the hijacking spammer did the testing from within the IP address range assigned to the New Brunswick Board of Education. (For those not familiar with USA geography, New Brunswick is a city in New Jersey, a State on the east side of the continent.)
But the IP address could have been spoofed.
I'm also assuming the September 28 and October 2 test hijackings were by the same person that hijacked the script for spamming on October 3. The assumption is valid, I believe, because there were no other such tests in the entire Master Form database.
I have no desire to chase this down more than I already have. Both Master Form and Master Form V3 have been updated to plug that security hole. And I need to get back to the projects already on my scheduling board.
It took several hours to plug the security hole in Master Form.
When I was ready to test the update, the spammer was still plugging away at the non-existent script. So I named the updated Master Form script the same name as the spammer was plugging away at. Thus s/he provided me with the means to test the update live, with the actual software the spammer was using for the exploit.
Master Form passed the test.
Then I updated Master Form V3. It passed the test, too.
Both Master Form and Master Form V3 received an additional feature. The [[SCRIPT_LOCATION]] placeholder can now be used to automatically insert the name and location of the script that's processing the form. Using this placeholder in a custom email header line can provide instant info should you need it.
The user's manual provides information on how to use the [[SCRIPT_LOCATION]] placeholder.
The spammer's software finally quit at 7:07 PM of the same day it started. It had been banging away for eleven hours.
I find it impossible to predict the devious methods spammers and crackers will employ. But I can respond. And I will let you know, dear reader, either in the Prelude of the WillMaster Possibilities ezine or in its Possibilities article, or both, if a crack happens again.
Now available:
Master Form V4
[NOTE ==>> New Service: Guaranteed hijack-proof forms. Easy to use. Monthly and yearly subscription. http://webform.flowto.info/ ]
Will Bontrager
©2003 Bontrager Connection, LLC