Attacks through Messenger form fields
Posted: 22 Aug 2022, 22:48
csf: v14.17
MESSENGER config by default with MESSENGER v2 enabled.
I'm receiving these mail alerts from the Messenger recaptcha:
Code:
Subject: lfd on server.domain.com: recaptcha ?ôЄÿê/¶7Ô³Æ">ßv¬£þlÄ ¡ƒÃƒà¤õ-qJ7L-°¤Úwyµ#w@/V{Õ[7ÀTÀKÕˆ=RN”¯c?‘æøË5Ô¬Œ•šñ+é>þGãïo&ŽÌÒoskäÊcìƒÙnePü[|š§AñÂDõ¯|¤ð¸£ãº7" (Unknown)
Time: Mon Aug 21 11:50:34 2022 +0200
IP: ?ôЄÿê/¶7Ô³Æ">ßv¬£þlÄ ¡ƒÃƒà¤õ-qJ7L-°¤Úwyµ#w@/V{Õ[7ÀTÀKÕˆ=RN”¯c?‘æøË5Ô¬Œ•šñ+é>þGãïo&ŽÌÒoskäÊcìƒÙnePü[|š§AñÂDõ¯|¤ð¸£ãº7" (Unknown)
Recaptcha unblock of ?ôЄÿê/¶7Ô³Æ">ßv¬£þlÄ ¡ƒÃƒà¤õ-qJ7L-°¤Úwyµ#w@/V{Õ[7ÀTÀKÕˆ=RN”¯c?‘æøË5Ô¬Œ•šñ+é>þGãïo&ŽÌÒoskäÊcìƒÙnePü[|š§AñÂDõ¯|¤ð¸£ãº7" (Unknown) on ÊæJåâã$á àrCóîFÉ‘È]¬xÉÈä!`ÜlS‰÷tað÷¼ «ú+Ê`8¶Æá)$™«Þx”÷}W ,ªw†ûI–D0’£‘y5Øœ I"ñ®zé^DÁª°~`9Ô¬·¶©fan³^èÂê:ÿïÔµ{}*qæ·ƒwŒ½•¨R@=Š –ôÓ†A(ím¿lºs¢Û€4§°+U·îàÝñOþ¿@q_r,ìΣÇà€ƒB_•Ú jé¨cbU{íöü}E0=Á«ÐŸ¨Šó)í,“"XÄÎzÿ]LS¹“n˜ÿÚR)À^Až£}¨¤“ðïv£VSɨy‰ËÇû!ˆä õ¾|V{ù4¿Î<,¶7}0…ÒøŠ¹¬1
¯‹©Ç‡U¼óΓûˆC¿ðÀ£¶W’6ðŸ`žQçphk´8(3ÀPQЧ«ùy~Žù’]až
¸dxë¹Íë”
úF wš}©%×Bi®ˆfíþ÷U'‹á€AtP¢Œ0ëËm–E‰Éás¦ì™1\mú»ÇÏJÉ1Mi•œaq
----
Subject: lfd on server.domain.com: recaptcha ¤‘‚ÁiÃÍÃÕqø—°¥±W†¡”jèÄ9¯tÅi (Unknown)
Time: Mon Aug 21 13:19:23 2022 +0200
IP: ¤‘‚ÁiÃÍÃÕqø—°¥±W†¡”jèÄ9¯tÅi (Unknown)
Recaptcha unblock of ¤‘‚ÁiÃÍÃÕqø—°¥±W†¡”jèÄ9¯tÅi (Unknown) on () requested

At first I thought the attacks came from /home/csf/public_html, but even after I put a die(); call inside /home/csf/public_html/index.php the attacks persisted, until I deleted the <form..> code inside /etc/csf/messenger (the index.html and index.php pages).
I'm not sure if they are trying to write the file /home/csf/unblock.txt, which is later processed inside /etc/csf/lfd.pl. Alert messages were created; I'm not sure whether there is enough sanitization inside lfd.pl or in the related checkip function inside /usr/local/csf/lib/ConfigServer/CheckIP.pm.
Just as a precaution, I have created an inotify script to replace the files inside /etc/csf/messenger as soon as there is an update.
Any experience with this type of attack?
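What the alerts above show is that the raw contents of the form field reached the alert text (Subject and IP lines) without being reduced to an IP address first. Whatever happens later in lfd, an unblock handler should (1) parse the submitted field strictly as an IPv4 or IPv6 address, (2) only ever unblock the address the request actually came from, and (3) escape anything it writes into an alert or log. The following is an added example written for this thread, not CSF's or lfd's own code: the handler name `unblock_target`, the helpers and the sample inputs (an excerpt of the garbage from the first alert and an injection-style string with a closing quote) are constructed here for illustration.

```python
"""Strict handling of an "unblock my IP" form field before it is acted on or logged.

Added example for the thread above; not CSF/lfd code. It models a hypothetical
handler that receives the form field `ip` and the connecting client's address
(REMOTE_ADDR) and decides whether an unblock request may be written.
"""
import ipaddress
import re

# Longest textual IP literal we accept: an IPv4-mapped IPv6 address such as
# ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255 is 45 characters.
MAX_FIELD_LEN = 45

# Only these characters can appear in a textual IPv4/IPv6 address. Anything
# else (quotes, spaces, control bytes, non-ASCII) is rejected before parsing.
IP_CHARS = re.compile(r"[0-9A-Fa-f:.]+")

# Constructed samples (not captured traffic): an excerpt of the junk seen in the
# first alert, and a string that tries to close a quoted context in a log line.
SAMPLE_GARBAGE = '?ôЄÿê/¶7Ô³Æ">ßv¬£þlÄ'
SAMPLE_QUOTE_INJECTION = '203.0.113.7" (Unknown)'
SAMPLE_GOOD_V4 = "203.0.113.7"
SAMPLE_GOOD_V6 = "2001:db8::1"


def parse_ip(field):
    """Return an ipaddress object for a well-formed address, else None."""
    if field is None:
        return None
    candidate = field.strip()
    if not candidate or len(candidate) > MAX_FIELD_LEN:
        return None
    if not IP_CHARS.fullmatch(candidate):
        return None
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def unblock_target(field, remote_addr):
    """Decide which address an unblock form may release.

    The form may only unblock the requester's own address: the submitted field
    must parse and must equal REMOTE_ADDR. Returns the normalized address text,
    or None when the request must be dropped.
    """
    requester = parse_ip(remote_addr)
    requested = parse_ip(field)
    if requester is None or requested is None:
        return None
    # Objects of different IP versions never compare equal, so a v4 field
    # cannot match a v6 requester and vice versa.
    if requested != requester:
        return None
    return str(requester)


def safe_for_log(value, limit=64):
    """Escape a user-supplied string so it cannot break or forge a log line.

    Printable ASCII other than '"' and backslash passes through; every other
    character is emitted as \\xNN escapes of its UTF-8 bytes. Long values are
    truncated so one request cannot flood the alert.
    """
    out = []
    for ch in value[:limit]:
        if 0x20 <= ord(ch) < 0x7F and ch not in '"\\':
            out.append(ch)
        else:
            out.append("".join(f"\\x{b:02x}" for b in ch.encode("utf-8", "surrogatepass")))
    if len(value) > limit:
        out.append("...")
    return "".join(out)


def alert_line(field, remote_addr):
    """Build the text an alert should carry for a rejected or accepted request."""
    target = unblock_target(field, remote_addr)
    if target is None:
        return f"recaptcha unblock rejected: field={safe_for_log(field)} remote={safe_for_log(remote_addr)}"
    return f"recaptcha unblock of {target} requested"


if __name__ == "__main__":
    remote = SAMPLE_GOOD_V4
    for sample in (SAMPLE_GOOD_V4, SAMPLE_GOOD_V6, SAMPLE_QUOTE_INJECTION, SAMPLE_GARBAGE):
        print(alert_line(sample, remote))
```

Run as a script it prints one alert line per sample: only the field equal to the requester's own address is accepted; the IPv6 literal, the quote-injection string and the binary junk are all rejected, and the rejected values appear in the alert only in escaped, truncated form instead of verbatim as in the mails above.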