
Prevent with PHP regex: someone is using myphpfile.php, maybe with their spam bot script


basketmen

11:53 pm on Jul 13, 2011 (gmt 0)




Hi guys,

A few days ago my host said that one of my websites is sending a large amount of mail, coming from an IP in Senegal.


Here is what my host says:

There were another 16 mails in the queue this morning going to a very large number of recipients.

X-PHP-Script: www.domain.com/myphpfile.php for 111.222.333.444

That seems to be the source IP; they are more than likely injecting headers into the mail() call being used in PHP. There are a few regexes and methods on the Internet, if you google, on how to prevent it.



myphpfile.php is the file for sending private messages (members get an email notification for each private message too) to another member on my site; you must be logged in to use that page.



Is there a way to prevent myphpfile.php from being accessed from other servers, so that only real users can access the page? Maybe something like preventing image hotlinking?





Please share your knowledge, guys.

Leosghost

1:01 am on Jul 14, 2011 (gmt 0)




You would appear to have been hacked (from what you describe) and your server is (it appears) being used as a zombie mailer.

How to prevent this ?

To begin ..don't leave php files with their default names..because that is what hackers look for first ..and don't allow people to write whatever they want in php messages or forms ..it is normally called "sanitizing input" ..( in these fora look for posts by "rocknbil" about how to "sanitize"..it may also be written as "sanitise" ..but as the forum and "rocknbil" are in the USA it is more likely that you will find it using "z" )..follow his advice and that will help prevent this kind of "hack" in the future..

Next ..your hosts have told you what to look for and how they ( the hackers ) are probably doing it ..

Securing websites is complex ..and we can't possibly explain how to do it completely here ..

IIWY ( newbie to security ) ..I'd ask the host if they can "harden" your site ? ..how much they would charge you ..? ..and let them do it ..then follow exactly what they tell you to do about preventing this in the future...
Then read as much as you can about how to secure php on servers yourself..

Your server is probably being used to send what are called 419s ( email scams ) ..only in your case run from Senegalese IPs instead of the Nigerian IPs which gave them their name originally ..
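As an added example (not code from the thread, from basketmen's site, or from the host), here is a hardened way for a page like myphpfile.php to call mail() that covers both points raised above: it rejects line breaks in anything that ends up in a mail header, and it requires a logged-in session plus a form token so a remote script cannot drive the page directly. The session keys, the token field name and the From address are assumptions.

```php
<?php
// Added example, not the thread's code. Assumes the site already keeps a
// session with 'member_id' and 'csrf_token' set at login (assumed names).
declare(strict_types=1);

// A mail header is exactly one line. If a user-supplied value containing CR or
// LF is concatenated into a header, the rest of that value becomes new headers,
// which is the "injecting headers into the mail()" the host described.
function isSingleLine(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

function sendPrivateMessageNotification(string $toEmail, string $subject, string $body): bool
{
    // 1. Only a logged-in member may trigger mail at all.
    if (empty($_SESSION['member_id'])) {
        http_response_code(403);
        return false;
    }
    // 2. The request must come from our own form (anti-CSRF); a script posting
    //    straight to myphpfile.php from another server has no valid token.
    if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
        http_response_code(403);
        return false;
    }
    // 3. The recipient must be one valid address, never a raw user string.
    $to = filter_var($toEmail, FILTER_VALIDATE_EMAIL);
    if ($to === false) {
        return false;
    }
    // 4. The subject is user-controlled and lands in a header: refuse line breaks
    //    rather than trying to clean them.
    $subject = trim($subject);
    if ($subject === '' || !isSingleLine($subject)) {
        return false;
    }
    // 5. From is fixed by the site (assumed address); the sending member is
    //    identified in the body, not in the headers.
    $headers = "From: noreply@example.com\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    // The body is not a header, so line breaks there are harmless.
    return mail($to, $subject, $body, $headers);
}
```

Logging the member id together with each send also makes the next X-PHP-Script report traceable to an account rather than only to a client IP.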