
Spam through Contact Us Form


    #16
    Originally posted by nm-motorsport
    1. If I delete the .pl and .pm files, it is the full content of the cgi-bin folder less one file that is described as an err file. Do I delete this too effectively deleting the whole contents of the folder?
    You can delete all the contents
    Originally posted by nm-motorsport
    2. To change the email address for the contact form, is it simply a matter of changing it on the contact tab of business settings?
    Yes
    Originally posted by nm-motorsport
    3. When changing the script ID, does it matter what I change it to and how will this change affect anything else?
    It will also affect any hard coded links that you may have on your site that are dependent on that particular script ID. It would also affect any external links in the same way.



      #17
      Thanks for the reply.

      Excuse my ignorance but what is a hard coded link and how does it differ from a link to a url?

      Are any external back links likely to be hard coded? If so, I wouldn't want to lose these so I would want to find another way around the problem.
      www.nm-motorsport.com
      BMW Accessories and Parts Specialist

      www.blinds4cars.com
      Tailored Sun Blinds for all Makes of Car



        #18
        All external back links to that particular page will be hard coded, but it is unlikely you have a back link (at least that's important) that is external to your contact us page.

        A hard coded back link in Actinic is a link that may have been manually written into the code by yourself or your designer. Links in Actinic are usually independent of the script ID unless hard coded.

        If you are still being bombarded with spam from the mail form then you could temporarily make the form fail by changing the name of the file in the cgi-bin directory. The file is mf000xxx.pl (where xxx is the script ID), change this to say safe_mf000xxx.pl. This won't eliminate the problem but it will probably go away after a short time if the form is not seen as sending the emails. It can be a temporary fix but will also stop anyone contacting you via the form so make sure you have other contact details available on the site in the meantime.



          #19
          I understand a little better I think. Well I know that I haven't put any hard coded links into the site because I have avoided changing any of the html manually because I don't fully understand it (something I must learn).

          Do I take it any external links affected will only be the ones to my contact page and links to other pages are unaffected?
          www.nm-motorsport.com
          BMW Accessories and Parts Specialist

          www.blinds4cars.com
          Tailored Sun Blinds for all Makes of Car



            #20
            All changes have now been made and so far, the spam has stopped. No doubt time will tell what happens. I'll update this thread later to let you know what the situation is. All your help is most appreciated.
            www.nm-motorsport.com
            BMW Accessories and Parts Specialist

            www.blinds4cars.com
            Tailored Sun Blinds for all Makes of Car



              #21
              Spam Through contact form

              My web site (hosted by 1&1) has been disabled by 1&1's Abuse Department.

              The message I received is :

              ========================================================
              A security leak in the following file you installed has enabled third parties to
              send a large amount of spam through your 1&1 webspace:
              ./UK/cgi-bin/*

              Your contact-form.

              As spam represents a major danger for 1&1 mail relays, we have disabled this
              file.

              In order to prevent further spam transmission and a lock of your 1&1 webspace,
              please consider the following indications:

              1. Check whether the script mentioned above is required for your website. If
              it should be dispensable, please delete the script.

              2. If the script should be a part of a contact form you provide on your site,
              secure it from future abuse using a captcha. You will find further
              information on http://en.wikipedia.org/wiki/CAPTCHA

              IMPORTANT: Upgrading your PHP configuration to PHP 5 provides an important
              security improvement and impedes attacks of this sort. Please therefore consider
              an upgrade of your PHP version to PHP 5. You will find all required information
              on: http://faq.1and1.com/scripting_langu.../php5_upgrade/


              =========================================================

              A few days ago someone was spoofing our email address (and then it suddenly stopped) . . . I guess it was 1&1 who closed the loophole?

              I can't download orders etc.

              I am at a complete loss as to what course of action to take to resolve this problem.

              Any help would be truly appreciated.
              Tony

              Mandrake Press Ltd.
              Actinic user since 1998



                #22
                Tony

                I'm not particularly knowledgeable compared to many on this forum but at the weekend, I managed to implement the recommendations mentioned earlier in this topic. Prior to doing so, I was receiving about 3000 spam emails per day and since I made the changes, I have had maybe 5 spam emails so I'm more than happy.

                Ideally I would like to implement captcha but I need to improve my technical knowledge so as to work out how to put it into the code of my site but for now everything is fine.

                In simple terms, I changed my script ID number, deleted the contents of the cgi-bin folder and changed the email address which was used to receive email from my contact form and this was all that I had to do.

                Let me know if you need any guidance with this. Whilst I am not the best person to guide you on such matters, I am willing to help if I can.

                Regards

                Nigel
                www.nm-motorsport.com
                BMW Accessories and Parts Specialist

                www.blinds4cars.com
                Tailored Sun Blinds for all Makes of Car



                  #23
                  Thanks for the reply but none of the earlier replies deal with what is apparently an inherent weakness in the script itself.

                  Tony
                  Tony

                  Mandrake Press Ltd.
                  Actinic user since 1998



                    #24
                    Tony

                    Sorry but my knowledge doesn't extend to such technical detail. I'm sure others will be able to help.

                    Regards

                    Nigel
                    www.nm-motorsport.com
                    BMW Accessories and Parts Specialist

                    www.blinds4cars.com
                    Tailored Sun Blinds for all Makes of Car



                      #25
                      Whilst not the reply you really want, my suggestion is to use a 3rd party mailing script inc. captcha and kick Actinic's mail form into touch.

                      I've done this for several sites and started to do this as long ago as 5 years or so.

                      Search the www for PHP forms and integrate this into your contact us form.



                        #26
                        update

                        I have spoken at length to the 1&1 Abuse Department in the USA and they tell me it is not limited to the one script. It's all a bit beyond me but from what they said it seems hackers can use older versions of Actinic Scripts by embedding their own scripts in the variables parsed by Actinic.

                        These embedded scripts effectively allow the Hacker admin rights to your web space and from there they have carte blanche to do what they want!

                        In my case they sent out tens of thousands of emails.

                        It does seem that this is a known problem and there are security alerts on Actinic's script vulnerabilities going back to version 4.07

                        As far as I can see an upgrade to v.10 seems to be the only solution (for me) rather than trying to fix v.7 (myself) as there is not an 'official fix'.

                        This vulnerability means users of v.7 etc. who start receiving large volumes of spam emails sent to their normal Actinic order notification address have also probably been hacked too!

                        Plus . . . as a general note . . . any users of v.7 or earlier should be aware that they have an open back-door to their web site.
                        Tony

                        Mandrake Press Ltd.
                        Actinic user since 1998



                          #27
                          Tony,
                          You are spot on.
                          We have identified this exploitation of V7 and earlier mailform scripts. It has affected a few of our earlier Actinic hosted sites.
                          We've seen several thousand emails with a variant on the text "PLIMUS" in the subject line flooding out from these sites. Some have been blacklisted (which we are trying to rectify).
                          It seems there may be some net wide search for Actinic V7 and earlier sites which are then being exploited.
                          I've notified Actinic of this issue (and this thread).

                          We are recommending an upgrade (which we do anyway) to resolve this issue. In the meantime we have had to disable some of the exploited mf000001.pl script files to block these attacks.
                          Fergus Weir - teclan ltd
                          Ecommerce Digital Marketing

                          SellerDeck Responsive Web Design

                          SellerDeck Hosting
                          SellerDeck Digital Marketing
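
Added example, not part of the original thread and not Actinic or teclan code: a log check for the abuse described in posts #18 and #27, counting POSTs to the `mf000xxx.pl` mail form per client per hour and showing whether they still succeed after the script has been renamed or disabled. It assumes the host provides Apache-style access logs; the sample lines, the date and the threshold of 5 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/NCSA access-log line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Mail form script as named in the thread: mf000xxx.pl, xxx = script ID.
MAILFORM_RE = re.compile(r'/cgi-bin/mf000\d{3}\.pl(?:\?|$)')

def mailform_hits(log_text):
    """Count POSTs to the mail form script per (hour, client IP), by HTTP status."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not MAILFORM_RE.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(ts.strftime("%Y-%m-%d %H:00"), m["ip"])][m["status"]] += 1
    return hits

def flag_bursts(hits, threshold=5):
    """Return (hour, ip, total, accepted) for clients above `threshold` POSTs per hour.

    `accepted` counts status 200 responses; 0 means the script was already
    renamed or disabled and the requests are failing.
    """
    flagged = []
    for (hour, ip), statuses in sorted(hits.items()):
        total = sum(statuses.values())
        if total > threshold:
            flagged.append((hour, ip, total, statuses["200"]))
    return flagged

def _line(ip, hms, status, path="/cgi-bin/mf000001.pl", method="POST"):
    return (f'{ip} - - [12/Mar/2012:{hms} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample log (documentation-range addresses, made-up date).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"09:00:{s:02d}", 200) for s in range(8)]    # form live
    + [_line("203.0.113.7", f"10:00:{s:02d}", 404) for s in range(6)]  # script renamed
    + [_line("198.51.100.20", "09:15:00", 200),                        # one real enquiry
       _line("198.51.100.20", "09:14:00", 200, "/index.html", "GET")])

if __name__ == "__main__":
    for row in flag_bursts(mailform_hits(SAMPLE_LOG)):
        print("%s  %s  posts=%d  accepted=%d" % row)
```

A flagged row with `accepted` still above zero means the form is live and being driven by a script; rows with `accepted=0` that shrink hour by hour match the "it will probably go away after a short time" behaviour described in post #18.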



                            #28
                            Warning: Posting to v.7 (and earlier) informs hackers your site is vulnerable!

                            Our site v.7 was closed by our ISP

                            We upgraded to v.10 (without too much hassle) put the site live and within a matter of hours there were two further attempts to run scripts through the 'contact us' form.

                            This time Actinic didn't parse the 'hacker's script' and merely sent the code as part of an email!

                            We have sent the code to our Abuse Department and Actinic so they can see how it is being done!

                            One BIG difference is a dramatic fall off in the amount of spam we are receiving!

                            A thought occurs . . . if you post to this forum with a query about V.7 or earlier you are actually DECLARING the version you use for your site which will allow hackers to exploit its inherent vulnerability!
                            Tony

                            Mandrake Press Ltd.
                            Actinic user since 1998



                              #29
                              Originally posted by Laylah
                              ...A thought occurs . . . if you post to this forum with a query about V.7 or earlier you are actually DECLARING the version you use for your site which will allow hackers to exploit its inherent vulnerability!
                              True, but the spamming is done by robots not humans so I doubt there's much added risk by posting here.



                                #30
                                Robots reading the forum?

                                Well, surprise, surprise . . . we got hit with another attempt within four hours of posting here.

                                The forum is a good source . . . even for robots.

                                My signature gives the company name . . . one step away from the web site . . .

                                If you want to see what the 'email' hack looks like I'll forward it to you.

                                [I've notified Actinic and previously submitted samples.]
                                Tony

                                Mandrake Press Ltd.
                                Actinic user since 1998
