Sending spam through my hosting

[luckylouie]

Hi;

 

I had an email from my hosting company which said that my account was hacked and one script in images folder is trying to send thousands of spams(file name : "/public_html/images/sm5vy7.php"). they blocked my account and asked me to check if there is any script or code that may cause this problem.

The only server side page I had was a contact.php file that has mail() function in it. the code is like this;

 

"if( isset($_POST['submit'])) {

$name=$_POST['name'];

$comment=$_POST['comment'];

$email=$_POST['email'];

$phone=$_POST['phone'];

$to = "sample@gmail.com";

$subject = "sample";

$message = "sample";

$from = "$email";

$headers = "Content-type:text;charset=utf-8" . "\r\n";

$headers .= "From: $from" . "\r\n";

mail($to,$subject,$message,$headers);

}"

 

My question is "can the code I used cause any security problem that someone be able to create a php file in my images folder or someone has accessed my account?"

 

Thank you in advance

I'm really in a big trouble

[scootstah]

Answer: Yes.

 

This is called mail header injection. You don't validate the $_POST['email'] field, so an attacker can modify it to use any headers that he wishes, altering the to path, adding cc/bcc, etc.

 

You need to validate that $_POST['email'] is a valid email, and that it is only one email. You can do this with regular expressions, and there are tons of articles around Google to do it. http://www.google.com/search?q=php+regex+valid+email&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

[PFMaBiSmAd]

The answer to your specific question is NO. If that's all the .php code you originally had on your site, it cannot be used to place a .php script file into a folder under your account.

 

The sm5vy7.php file got into that folder through some other means.

[scootstah]

The answer to your specific question is NO. If that's all the .php code you originally had on your site, it cannot be used to place a .php script file into a folder under your account.

 

The sm5vy7.php file got into that folder through some other means.

 

Whoops, guess I read that too fast. Indeed, this script cannot create a php file.

 

However, you still have a potential spam vulnerability in it.

[ManiacDan]

There are 2 problems with your site:

1)  This specific mail script can be abused to send spam.

 

2)  Somewhere else on your site is another script that also doesn't properly validate inputs, this other script is capable of creating a PHP file that was then used to spam.

 

Since you're on a shared host, it's a pretty good bet that it's another PHP script, but #2 can also be some other kind of vulnerability.  A compromised FTP password perhaps?

[luckylouie]

Thank you guys for your great answers. 

 

some points that I want to mention:

 

1. I put a JavaScript code that doesn't allow more than one "@" in email field.

 

2. there is no other script in my entire website.

 

3. I take a very good care of my account login information and my computer security is in a very good shape.

 

is there any way that the problem is caused by the server and their lack of security measures or this was a virus in their server?(it's not a famous or a big hosting company)

I mean how that file could be created there?

 

thank you all

your the best

 

[ManiacDan]

1. I put a JavaScript code that doesn't allow more than one "@" in email field.

Wrong.  Javascript is not a validation/sanitation language and cannot be used for this.  You have to use PHP, and you should be using filter_var() to validate the email.

 

2. there is no other script in my entire website.

Then the problem exists somewhere else and you should notify your host that there is only 1 PHP script on your whole site and it cannot create files.

 

3. I take a very good care of my account login information and my computer security is in a very good shape.

Change your passwords anyway.  If your security is in good shape you're changing them every couple months anyway.

 

is there any way that the problem is caused by the server and their lack of security measures or this was a virus in their server?(it's not a famous or a big hosting company)

I mean how that file could be created there?

If you honestly only have these 13 lines of executable code in your entire website, then it's either a hole in their system or your password has been compromised.  There's holes in every system, especially small shared hosts.  The hole could also be on someone else's site on the same host, it doesn't have to be anything related to your account.  Change your password, secure your inputs with filter_var, and then tell your host that you've secured the only piece of executable code you have on your site.

 

-Dan

[Pikachu2000]

EDIT: basically what ^^^ he ^^^ said . . .

 

Thank you guys for your great answers. 

 

some points that I want to mention:

 

1. I put a JavaScript code that doesn't allow more than one "@" in email field.

 

JavaScript is NOT validation. All a user has to do is disable JS in the browser, and any value under the sun can be sent through the form. Validation MUST be done server-side.

 

2. there is no other script in my entire website.

 

Your entire website consists of nothing more than a contact form?

 

3. I take a very good care of my account login information and my computer security is in a very good shape.

 

If you're using an FTP client without encrypting your login credentials, they can be sniffed off the wire at any point between you and your server.

 

is there any way that the problem is caused by the server and their lack of security measures or this was a virus in their server?(it's not a famous or a big hosting company)

I mean how that file could be created there?

 

thank you all

your the best

 

 

Yes, if it's shared hosting there's a possibility that someone could have put the script in your directory from another account if certain vulnerabilities exist.

 

Your first step should be to determine, if you can, when the file was created, and check your server logs for that time frame to see if there are any clues there.

[PFMaBiSmAd]

Edit: In case we haven't covered all the bases yet ...

 

I implemented a JavaScript code that doesn't allow more than one "@" in email field.

 

That doesn't matter. A bot script posts directly to your contact us .php script and doesn't care about anything you did in your form. Also, someone who simply disables javascript in their browser could post anything they wanted.

 

Some possible ways a .php script could be put onto your site, provide the .php code you posted is your only server-side script -

 

1) Your FTP/ssh or web hosting account username/password was guessed or intercepted (perhaps through an unsecured wifi network connection).

 

2) The web host has not secured the web/ftp servers so that your account is the only account that has access to your folders.

 

3) The web host's FTP/ssh or master hosting account username/password was guessed or intercepted (perhaps through an unsecured wifi network connection).

 

The server and/or web server access log should show when and provide more information about how that file got written to the server.

 

How do your real images normally get put into the /public_html/images/ folder? Is the images folder itself something that you created? It's also possible that if the method that the web host has used to secure account folder/files relies solely on permissions, that if you created the image folder yourself through FTP that it did not get the necessary ownership/permissions to prevent other accounts from placing files into it.

[luckylouie]

your forum is great. i have posted my question in 3 forums and non of them answer as fast and accurate as you.

 

Your entire website consists of nothing more than a contact form?

 

no my website has html and flash files.

 

I'm 100% agree with all you said and I'm going to fix all the errors as you said.

 

just one more question: can verification images like this one "http://www.white-hat-web-design.co.uk/articles/php-captcha.php" helps the security of my contact form?

 

by the way how can I use ssh in ftp connection. my ftp client gives "Connection refused"

[luckylouie]

in filezilla does "require explicit/implicit ftp over TLS" option help to protect my info?