
Interesting Error Logs


Bob Crabb


For the past couple of days, I've noticed some interesting entries in the error log of one of my sites. It appears as though several people are trying to find scripts in:

 

/pm/add_ons/mail_this_entry/mail_autocheck.php

or

/pm/add_ons/mail_this_entry/mailserver.php

 

I don't have anything like this on the site, so it generates a "File does not exist" error. Is this a spammer looking for a commonly known vulnerable script?


> I don't have anything like this on the site, so it generates a "File does not exist" error. Is this a spammer looking for a commonly known vulnerable script?

 

They are looking for sites running a vulnerable Mail This Entry addon on their pMachine sites. The vulnerable version of the addon is a couple years old, but it's usually still pretty easy to find people who have not upgraded.


Greetings,

 

(Whoops - this response has been sitting on my desktop while my train of thought was derailed (deranged? :thumbdown:) for a while, so it looks like I am duplicating some previous remarks...)

 

Only posting this for posterity and people considering or already using this software.

 

Worse - there are/have been known exploits for people using PMachine by EllisLab (formerly named PMachine - this product was their flagship product), an online publishing program which used to have both a free and purchasable version but was discontinued formally by EllisLab and released into the public domain and is now developed by the user community. There have been a number of exploits associated with this software, with the potential for root access having been the most egregious.

 

One of the more popular exploits allowed an attacker to execute commands with the same privilege level as the underlying web server (namely - the Apache process) - this is the attempt you were seeing in your log files. And as icing on the cake, there is an escalation of privilege that can occur in some instances allowing root access on a machine.

 

Pretty serious hole for people using PMachine Pro and PMachine Free. Worse yet, variants of this problem first appeared in 2003 (if memory serves me correctly). The issue became even more serious sometime in 2005 when the root escalation issue was reported. Affected versions were/are PMachine Pro/Free versions up to and including 2.4. It should be noted that (AFAIK) the current version is 2.4.1. A good amount of additional information on this exploit is found on the SANS website at (http://www.sans.org/newsletters/risk/display.php?v=4&i=8). SANS is likely the best place to check when you see mysterious log entries such as this one. I've taken several SANS courses (as a "white hat" of course :rolleyes1: ); SANS is very likely one of the best resources for exploits as reported in near real time - of particular interest is the daily updated SANS Internet Storm Center at http://isc.sans.org.

 

Additional information in case others come across this software and/or the same log entries or similar problems:

 

When I see something like this (i.e. BS in my logfiles that shouldn't be there) and it is consistent and from either a single static IP, class C network or the like, I'll just block the whole bloody lot of them. However, if one is running either a dedicated server or reseller account, then one needs to be vigilant but less quick to block IPs, in case valid users might be trying to connect from that IP or block of IPs.

 

On personal machines I am rather ruthless with this kind of crap. 9 times out of 10 it is spammers trying to hawk either drug "services", pornography or other common scams. This can ultimately, if successfully exploited, cause your IP(s), entire machine or even TCH to be blocked by others. But, given the age of this exploit my guess is that you are probably looking at script kiddies trying to have some "fun" with spam at your expense (literally - since bandwidth costs you should they actually achieve their goal - I've been victim to this prior to moving to TCH in 2003).

 

If you are not running a dedicated server or a reseller account you can still block others' IPs, an IP range etc. using the IP Deny Manager in your cPanel.

 

Be Virtually Safe :) ,

 

Pagoda

 

P.S. My favorite (and most cynical) observation is that when a company with a particular name based on their flagship product ends up having a root escalation issue, what do you do? Simple: you change your business name! LOL!!! :) (This is clearly a glib remark, but still - it did make me laugh! - I found myself wondering how many times Microsoft would have changed their name if they had this policy... are there that many words in the dictionary? Bwaaaa Haaaa! :))

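The triage described in this thread (spot the "File does not exist" probes for the two pMachine add-on paths, see which sources are repeating them, decide whether to block a single IP or a whole range) can be done mechanically. The following is an added example and is not code from any of the posts above, from pMachine, or from cPanel. The Apache-style error_log lines, client IP addresses (documentation ranges) and filesystem prefix are constructed for the example; the hit threshold and the Apache 2.2 "Deny from" syntax are the example's own choices, and whether such lines belong in your .htaccess is a decision for your hosting setup, not something the script makes for you.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample error_log lines (Apache 1.3/2.0 format); not from the original post.
SAMPLE_ERROR_LOG = """\
[Sun Mar 12 10:15:22 2006] [error] [client 198.51.100.7] File does not exist: /home/example/public_html/pm/add_ons/mail_this_entry/mail_autocheck.php
[Sun Mar 12 10:15:23 2006] [error] [client 198.51.100.7] File does not exist: /home/example/public_html/pm/add_ons/mail_this_entry/mailserver.php
[Sun Mar 12 11:02:41 2006] [error] [client 203.0.113.44] File does not exist: /home/example/public_html/pm/add_ons/mail_this_entry/mail_autocheck.php
[Sun Mar 12 11:40:05 2006] [error] [client 192.0.2.15] File does not exist: /home/example/public_html/favicon.ico
[Mon Mar 13 02:11:09 2006] [error] [client 198.51.100.7] File does not exist: /home/example/public_html/pm/add_ons/mail_this_entry/mailserver.php
"""

# The two script paths named in the thread; a request for either is treated as a probe.
PMACHINE_PROBE_PATHS = (
    "/pm/add_ons/mail_this_entry/mail_autocheck.php",
    "/pm/add_ons/mail_this_entry/mailserver.php",
)

# [timestamp] [level] [client IP] message
ERROR_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] \[client (?P<ip>[0-9a-fA-F.:]+)\] (?P<msg>.*)$"
)

MISSING_FILE_PREFIX = "File does not exist: "


def parse_error_log(text):
    """Yield (timestamp, client_ip, message) for each well-formed error_log line."""
    for line in text.splitlines():
        m = ERROR_LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("msg")


def find_pmachine_probes(text):
    """Return {client_ip: Counter(probe_path -> hits)} for requests to the add-on paths.

    The error_log records the filesystem path Apache looked for, so the URL path
    is matched as a suffix of that path (the DocumentRoot prefix varies per site).
    """
    hits = defaultdict(Counter)
    for _ts, ip, msg in parse_error_log(text):
        if not msg.startswith(MISSING_FILE_PREFIX):
            continue
        fs_path = msg[len(MISSING_FILE_PREFIX):]
        for probe in PMACHINE_PROBE_PATHS:
            if fs_path.endswith(probe):
                hits[ip][probe] += 1
    return dict(hits)


def probes_by_network(hits, v4_prefix=24, v6_prefix=64):
    """Roll per-IP hits up to a network (default /24, i.e. a 'class C') to judge a whole range."""
    totals = Counter()
    for ip, counter in hits.items():
        addr = ipaddress.ip_address(ip)
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        totals[str(net)] += sum(counter.values())
    return totals


def deny_rules(hits, threshold=2):
    """Build Apache 2.2-style 'Deny from' lines for IPs with at least `threshold` probes.

    One-off hits are left alone on purpose: on shared or reseller hosting a single
    probe is not worth the risk of locking out a legitimate user behind that address.
    """
    return [f"Deny from {ip}" for ip in sorted(hits) if sum(hits[ip].values()) >= threshold]


if __name__ == "__main__":
    probes = find_pmachine_probes(SAMPLE_ERROR_LOG)
    for ip, counter in sorted(probes.items()):
        print(ip, dict(counter))
    print("by network:", dict(probes_by_network(probes)))
    print("\n".join(deny_rules(probes)))
```

Run against a real error_log by replacing SAMPLE_ERROR_LOG with the file's contents. Only the repeat offender (198.51.100.7, three probes across both paths) reaches the default threshold; the single hit from 203.0.113.44 is reported but not blocked, and the favicon.ico miss from 192.0.2.15 is ignored because it is not one of the probed paths. The /24 roll-up exists so you can see whether a range is worth blocking, which is the call Pagoda describes making on a personal box but being cautious about on a dedicated or reseller account.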
