[triangle-zpug] zp hacked by spambot

Dimauro, Frank FDimauro at unch.unc.edu
Fri Mar 30 15:07:39 CEST 2007


One of our Python scripts that was sitting in our custom skins folder
(developed by Cignex to serve as the basis script that handles our email
forms) was exploited by a spammer and caused a whole mess of spam to be
generated from our Exchange email server. The script was not in use, but
"someone somehow" knew it was there and exploited it. Here it is below.
We have since turned off SMTP port 25 on the server and our email forms
are dormant. Can anyone suggest a fix that will prevent future hijack?
The spammer added a bcc: field to the form and bcc'd the spam to
thousands. The giveaway was the MIME header on one of the relayed emails
that listed the email l_mail_to ='mohammad_ismail at akebonosoft.com'...
Ismail was a Cignex contract employee who was one of the original
developers of our site...

Frank DiMauro

"Our Age of Anxiety is, in great part, the result of trying to do
today's jobs with yesterday's tools."
-M.McLuhan

#######################################################################
## Script (Python) "zp_contactus"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=
##
#------------------------------------------------------------------------------------------------
#  Name:  zp_contactus
#
#  Purpose : Sends contact information
#
#  Mandatory REQUEST parameters: None
#
#  Optional REQUEST parameters: None
#
#  Development History:
#   Date          Author     Description
#   -----------   -------    --------------
#   04/24/2004    CIGNEX     Created
#
#------------------------------------------------------------------------------------------------

request = container.REQUEST
RESPONSE =  request.RESPONSE

# Determine - whom to send the mail
# The recipient is hard-coded (a developer's address left over from site
# construction); the sender address is taken verbatim from the form.
l_mail_to ='mohammad_ismail at akebonosoft.com'
l_email=request.get('email')


# Form the mail subject
l_mail_subject = "UNCH - Contact Us form"

# Form the mail body
# Each field is read from the request with no validation; a missing field
# returns None and the string concatenation below raises a TypeError.
l_body = '\n'
l_body = l_body + 'Name = ' + request.get('name') + '\n'
l_body = l_body + 'Address = ' + request.get('address') + '\n'
l_body = l_body + 'Phone Number = ' + request.get('phone') + '\n'
l_body = l_body + 'Email = ' + request.get('email') + '\n'
l_body = l_body + 'Comments = ' + request.get('comments') + '\n'

# Result page Object
l_resultPage = container['zpt_confirmation']

# send form in email
# mail_from is passed straight through from the request. If it contains a
# line break, whatever follows it lands in the message headers (for example
# a Bcc: line), which is the abuse described in the post above.
context.zm_sendMail(context,
           mail_from=l_email,
           mail_to=l_mail_to,
           mail_subject=l_mail_subject,
           mail_body=l_body)

# show result page
url = 'http' + context.absolute_url()[4:]

target= '%s/%s?p_message=%s&p_heading=%s' % (url, 'l_resultPage',
        'We will go through your feedback and get back to you soon.', 
        'Thanks for contacting us')

return context.REQUEST.RESPONSE.redirect(target)
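An added example, not from the original post or the Cignex script, of the kind of check that closes the hole: every value destined for a mail header is rejected if it contains a line break, the sender field must be a single well-formed address, and the recipient is fixed in code rather than read from the request. The field names mirror the script above; SITE_MAIL_TO is a placeholder.

```python
import re

# One plain address, matched against the whole string: no whitespace, no
# display name, no address list. Deliberately strict (assumption: the
# contact form only ever needs a bare user@host address).
_ADDR_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')

# The only address the form may deliver to. Fixed in code, never taken
# from the request. Placeholder value, not the site's real address.
SITE_MAIL_TO = 'webmaster@example.invalid'


class HeaderInjection(ValueError):
    """Raised when a form value would break out of the header it is placed in."""


def clean_header_value(value, max_len=200):
    """Return value if it is safe to put on a single header line, else raise."""
    if value is None:
        raise HeaderInjection('missing field')
    # CR or LF ends the current header; anything after it becomes a new
    # header (Bcc:, To:, ...). A NUL can truncate the header in some MTAs.
    if '\r' in value or '\n' in value or '\x00' in value:
        raise HeaderInjection('line break in header value')
    if len(value) > max_len:
        raise HeaderInjection('header value too long')
    return value


def clean_address(value):
    """Header-safe AND syntactically a single address."""
    value = clean_header_value(value)
    if not _ADDR_RE.match(value):
        raise HeaderInjection('malformed address')
    return value


def build_contact_mail(form):
    """Map form fields to (mail_from, mail_to, subject, body) or raise.
    Only the body may contain newlines; it sits below the header block."""
    mail_from = clean_address(form.get('email'))
    subject = 'UNCH - Contact Us form'          # fixed, not user-controlled
    body = '\n'
    for field in ('name', 'address', 'phone', 'email', 'comments'):
        body += '%s = %s\n' % (field, (form.get(field) or '')[:2000])
    return mail_from, SITE_MAIL_TO, subject, body


def is_safe_submission(form):
    """True if the submission can be mailed without header injection."""
    try:
        build_contact_mail(form)
    except HeaderInjection:
        return False
    return True
```

In a Zope Python Script the same checks would be applied to request.get('email') before the zm_sendMail call, and a rejected submission should be logged rather than silently dropped so repeated probing is visible.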