Form hacking attempts

Sunday, September 11 2005 @ 17:35 CEST

Contributed by: Dirk

For quite some time now, I've been hearing reports from all over the place that someone is apparently trying to exploit web forms by inserting additional lines, in the hope that they will be used as part of the header of the email that the form sends out. I've seen the term "SMTP injection" used for that technique. It's not exactly new, though. In fact, we suffered from it ourselves years ago.

However, all the current cases I'm seeing seem to be coming from the same person or group of persons, as they all use the same scheme. Specifically, for the email address, they all use the name of the site that the form is located on plus a bunch of random characters as the local part.

A few reports in German newsgroups: [1], [2], [3]. I'm also seeing this on a few of my own sites as well as on geeklog.net. And one of our users even suspected a connection with a hacking attempt on his site (although I somehow doubt that - the person(s) behind these form injections are most likely only interested in sending spam or malware).

Let's have a closer look at some of those attempts.

Note that I replaced the '@' sign with a '#' in the following examples.

In our error.log file:

Fri Sep  9 17:41:04 2005 - Error, invalid username: 'tkfxlgzwz#geeklog.net
Content-Type: multipart/mixed'
Fri Sep  9 17:41:05 2005 - Error, invalid username: 'akxt#geeklog.net'

This corresponds to these entries from our webserver's logfiles:

69.26.220.15 - - [09/Sep/2005:17:41:04 -0400] "POST /users.php HTTP/1.1" 200 15606 "http://www.geeklog.net/" "-"
69.26.220.15 - - [09/Sep/2005:17:41:05 -0400] "POST /users.php HTTP/1.1" 200 15606 "http://www.geeklog.net/" "-"

So he tried that trick on our site's login form, for whatever reason. Note the Content-Type: multipart/mixed in the first example, which was injected by adding a linefeed after the email address. Of course, that attempt was completely useless, as our login form would then happily search for that strange user name in the database - and wouldn't find it, of course. He must have tried something slightly different in the second example, as it did not include the "Content-Type" line.

It looks like these attempts are automated and don't really care which form they're attacking. From another site:

212.50.185.147 - - [04/Sep/2005:09:55:49 +0200] "GET / HTTP/1.1" 200 51770 "-" "-"
212.50.185.147 - - [04/Sep/2005:09:55:56 +0200] "GET /search.php HTTP/1.1" 200 19675 "-" "-"
212.50.185.147 - - [04/Sep/2005:09:55:58 +0200] "POST /users.php HTTP/1.1" 200 18065 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:03 +0200] "POST /users.php HTTP/1.1" 200 18064 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:06 +0200] "GET /calendar.php HTTP/1.1" 200 42755 "-" "-"
212.50.185.147 - - [04/Sep/2005:09:56:12 +0200] "POST /calendar.php HTTP/1.1" 200 42755 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:16 +0200] "POST /calendar.php HTTP/1.1" 200 42756 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:20 +0200] "POST /calendar.php HTTP/1.1" 200 42756 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:23 +0200] "POST /submit.php?type=event HTTP/1.1" 200 15620 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:25 +0200] "POST /submit.php?type=event HTTP/1.1" 200 15621 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:27 +0200] "POST /submit.php?type=event HTTP/1.1" 200 15621 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:28 +0200] "POST /submit.php?type=event HTTP/1.1" 200 15620 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:30 +0200] "GET /links.php HTTP/1.1" 200 16401 "-" "-"
212.50.185.147 - - [04/Sep/2005:09:56:33 +0200] "GET /index.php HTTP/1.1" 200 51770 "-" "-"
212.50.185.147 - - [04/Sep/2005:09:56:37 +0200] "POST /index.php HTTP/1.1" 200 52170 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:40 +0200] "POST /index.php HTTP/1.1" 200 52652 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:45 +0200] "POST /index.php HTTP/1.1" 200 52657 "http://www.haun.info/" "-"
212.50.185.147 - - [04/Sep/2005:09:56:50 +0200] "GET /profiles.php HTTP/1.1" 200 114 "-" "-"

He just tries out each and every form he can find, no matter what it does, before moving on.

A quick check on the two IP addresses: 69.26.220.15 belongs to airBand Communications, an ISP in Dallas, Texas. 212.50.185.147 belongs to Kingston Communications, an ISP in the UK. So chances are the actual attacks came from hijacked PCs or open proxies.

So what can we do about these attempts? Not much, probably, other than making sure our forms don't allow injections of this sort, of course.
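As an added example (not part of the original post or of Geeklog's own code), the two checks a form handler and its operator would want: the strict header-value validation that makes such injections fail, and a small triage routine run over the error.log entries quoted above, which pulls out any header lines smuggled in after a linefeed. The log text is constructed from the entries on this page with the masked '@' restored; the site-domain heuristic follows the post's observation about the address scheme.

```python
import re

# Constructed sample: the two error.log entries quoted in this post, with the
# '@' that the author masked as '#' restored. The first entry spans two lines
# because the submitted value itself contained a linefeed.
ERROR_LOG = (
    "Fri Sep  9 17:41:04 2005 - Error, invalid username: 'tkfxlgzwz@geeklog.net\n"
    "Content-Type: multipart/mixed'\n"
    "Fri Sep  9 17:41:05 2005 - Error, invalid username: 'akxt@geeklog.net'\n"
)

# The quoted value may span lines, so DOTALL lets '.' cross the linefeed.
ENTRY = re.compile(r"invalid username: '(.*?)'", re.DOTALL)
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
# Deliberately strict: one local part, one domain, nothing else.
SIMPLE_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def submitted_values(log: str) -> list:
    """Extract every username value from the error log, linefeeds included."""
    return ENTRY.findall(log)


def injected_headers(value: str) -> list:
    """Header lines that follow a CR/LF inside a single form field value."""
    lines = re.split(r"\r\n|\r|\n", value)
    return [line for line in lines[1:] if HEADER_LINE.match(line)]


def is_safe_for_header(value: str) -> bool:
    """What the mailing form should check before using a field in a header:
    no line breaks at all, and the value must look like a plain address.
    Reject rather than strip, so an attempt fails loudly and can be logged."""
    if "\r" in value or "\n" in value:
        return False
    return SIMPLE_EMAIL.match(value) is not None


def uses_site_domain(value: str, site_domain: str) -> bool:
    """Heuristic from the post: the probes put the site's own domain after
    the '@'. A syntactically valid address (second entry) passes the header
    check, so this is the signal left for spotting it in the logs."""
    return value.split("\n")[0].lower().endswith("@" + site_domain.lower())


def triage(log: str, site_domain: str) -> list:
    """Pair each submitted address with the headers it tried to inject and
    whether it follows the site-domain pattern."""
    return [(v.split("\n")[0], injected_headers(v), uses_site_domain(v, site_domain))
            for v in submitted_values(log)]
```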

Damn Spam!
http://spam.tinyweb.net/article.php/form-hacking-attempts