Dealing with a hacker

[speedy33417]

I have a PHP/MySQL based website. It's fairly popular and has plenty of registered users. The website was built from scratch and the only third-party/open-source portion is a tinyMCE editor used on the Forum. The forum itself is also built from scratch.

 

The website is game related and provides game specific information, calculators, forum, etc.

 

Today I noticed that there are over 500 registrations from the same person. He uses different email addresses and even different IP addresses, but all IP addresses are originated for China and site behaviour indicates that it is the same person.

 

He never posted on the forum or sent messages to other members using the website's own message center. But I'm puzzled what he's doing on the site. I'm sure that he's up to no good, but for what purpose would he need this many user accounts?

 

I was thinking that maybe he's using the registration page to hijack the registration form and use the registration email generatad and piggyback that to send out Viagra emails or something. My website uses plain old mail() to send out those emails and I'm not sure what I could do to avoid it if that's what's happening.

 

Maybe he's doing cross site scripting or SQL injection, but that could be done with one account, so I'm puzzled why he's registering all these accounts.

 

Does anyone have any experience with these types of attacks? What is the most likely scenario here? What is he doing on my site?

 

Any help and/or advice would be great. Thanks!

[PFMaBiSmAd]

Some possibilities -

 

1) It's an automated registration script that found your site and is just registering because it can and the human behind it has not gotten around to try and use the accounts that have been created. Do you have a captcha of any kind as part of your registration process? Do you use a link sent through the registration email to activate the account?

 

2) Perhaps your registration email code allows email header injection and someone is using that to send out their emails to whomever they want through your mail server. I would log (to a file, see this link - error_log ) the to, subject, message, and header fields being put into the mail() function call so that you can see exactly what is being sent.

[speedy33417]

Thanks for taking the time to look at my problem.

 

No, I do not currently use a captcha of any kind.

 

Yes, the registration script generates an email that contains a hyperlink to activate the account.. And in fact, over 60% of the accounts he registered were activated and logged in more than 10 times.

 

Here is a section of the mail script I use:

 

$to = $email;
$subject = "Thanks for registering on xxxxxx.com";
$body = "Your username is: " . $username . "\n\n";
$body .= "blah blah click on the link to activate your account URL:\n\n";
$body .= "http://www.xxxxxx.com/validate.php?id=" . $user_id . "&v=" . $validate_code . "\n\n";
$body .= "blah blah blah";
$headers = "Reply-To: xxxxxx.com <admin@xxxxxx.com>\r\n"; 
$headers .= "Return-Path: xxxxxx.com <admin@xxxxxx.com>\r\n"; 
$headers .= "From: xxxxxxcom <admin@xxxxxxcom>\r\n"; 
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/plain; charset=iso-8859-1\r\n";
$headers .= "X-Priority: 1\r\n";
$headers .= "X-Mailer: PHP". phpversion() ."\r\n"; 
mail($to,$subject,$body,$headers);

 

The only form user entry used in the mail script is $email and I use the following script to vaidate it before using it:

 

function validate_email($email)
{

   // Create the syntactical validation regular expression
   $regexp = "^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$";

   // Presume that the email is invalid
   $valid = 0;

   // Validate the syntax
   if (eregi($regexp, $email))
   {
      list($username,$domaintld) = split("@",$email);
      // Validate the domain
      if (getmxrr($domaintld,$mxrecords))
         $valid = 1;
   } else {
      $valid = 0;
   }

   return $valid;

}

 

Hope it gives you a bit more idea of any possible vulnerabilities.

[Philip]

I've  found that sometimes the spam accounts sit format for a while (as PFM suggested) before they actually do anything.

 

I'd suggest adding a captcha, or a more user friendly question/answer

[PFMaBiSmAd]

How are you calling and testing the return value from the validate_email function (I only ask because we see every possible kind of good and bad code here)? Perhaps it is inside some conditional logic that is possible to bypass based on external values or something like register_globals being on or the return value isn't actually being tested or some of your code is in an include file that is possible to request directly, thereby bypassing some of the logic. These are just a few of the things I came up with off of the top of my head. A hacker with more time on his hands can come up with a lot more things to try. Perhaps the multiple registrations are just a hacker trying various things to see if he can bypass your logic, but perhaps he was successful on the 8th attempt and all the registrations after that was him sending out spam emails.

 

To be sure what your mail() function is doing, log the actual parameters being put into it.

 

Note: Even one version of the hardened php Suhosin patch introduced an email header injection hole by blindly adding a specifically named php variable into the header. All it would take is having that specific version of the patch installed and a way for a hacker to set that php variable and he could send his emails to whomever he wanted through your mail server.

 

In programming, it is possible to bypass just about anything if you are willing to spend the time to try.