Exim – Block emails sent by exploited PHP.

One of the most common attacks we see is an exploited WordPress site that then downloads, or allows an upload of, a PHP shell and/or a mailer. Each time, these files are base64-encoded or constructed from an array of letters in random order; in both cases the result is passed to an eval(), which then carries out its goal: to spam others, to use your site to take over other WordPress sites, or a combination of the two.

This tutorial handles the spam aspect of that. It isn’t meant as an end-all-be-all, just another tool in your security toolbox. I have not run into any legitimate mail scripts that call mail() from eval()’d code, but if some do you can detect them in the log and then whitelist them with an exception; you probably already have examples of such exceptions in your exim.conf file.

These are the steps for blocking such naughty things from sending email, using one php.ini option and an Exim ACL.

First make sure php.ini has this:

mail.add_x_header = On

Restart whatever is running PHP, either PHP-FPM, Apache, etc.

Then, when PHP code sends email from inside eval()’d code, PHP adds a header like this to the message:

X-PHP-Originating-Script: 601:.help.php(1490) : eval()’d code

In Exim we will then read that header and look for the telltale “eval()’d code” suffix.

In /etc/exim.conf, add this towards the top alongside the other ACL declarations (the lines that start with acl_, which sit above, usually well above, begin acl):

acl_not_smtp = acl_check_php

Then search for “begin acl” and put this below it:

acl_check_php:

  # Drop mail sent from eval()'d PHP code (the header value ends in "eval()'d code").
  drop condition   = ${if match{$h_X-PHP-Originating-Script:}{eval\\(\\)\'d code}{yes}{no}}
       log_message = Dropped mail: eval()'ed code: ( $h_X-PHP-Originating-Script: ) Sender: $sender_address
       message     = Blocked due to PHP mail() in eval() block.

  accept

Don’t forget the final “accept”, or all mail submitted via a command (sendmail, PHP’s mail()) will be rejected. Since no SMTP connection is involved in this ACL, “drop” is effectively a “deny” here: the message is rejected and the text in “message” is returned to the calling program. This is one of the safest experiments with exim.conf because it won’t affect “normal” email usage, so if you are going to mess something up, this is the place to do it.
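To see which header values the rule would catch before touching the live server, here is an added shell example (not part of the original post) that applies the same regular expression with grep and pulls the header out of a raw message. The sample message and the “normal” header value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: apply the same regular
# expression the ACL uses on $h_X-PHP-Originating-Script: outside Exim,
# so you can see which header values the rule would drop.

# After shell quoting this is the ERE  eval\(\)'d code  (literal parens).
PATTERN="eval\\(\\)'d code"

# Exit status 0 when the given header value would be caught by the ACL.
would_drop() {
    printf '%s\n' "$1" | grep -Eq -- "$PATTERN"
}

# Read a raw message on stdin and print the X-PHP-Originating-Script value
# from its header block (stops at the first blank line).
originating_script() {
    sed -n '/^$/q; s/^X-PHP-Originating-Script:[[:space:]]*//p'
}

# Run a header value through the check and report the outcome.
report() {
    if would_drop "$1"; then
        printf 'DROP   %s\n' "$1"
    else
        printf 'accept %s\n' "$1"
    fi
}

# Constructed sample: a message as PHP's mail() hands it to sendmail with
# mail.add_x_header = On, sent from eval()'d code.
SAMPLE_MSG=$(printf '%s\n' \
    'From: web@example.invalid' \
    'To: victim@example.invalid' \
    "X-PHP-Originating-Script: 601:.help.php(1490) : eval()'d code" \
    'Subject: constructed test' \
    '' \
    'message body')

# Constructed header from an ordinary contact-form script (no eval()):
# this one must be accepted.
NORMAL_HDR='601:/var/www/html/wp-content/plugins/contact/form.php(88)'

report "$(printf '%s\n' "$SAMPLE_MSG" | originating_script)"
report "$NORMAL_HDR"
```

On a real box you can feed a saved message straight in with `originating_script < saved.eml` and pass the result to `report`; if a legitimate script shows up as DROP, that is the case to whitelist in the ACL.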

Restart Exim and you are done.

If you check back on your Exim log later you might find entries from that rule. Treat them as your invitation to go look for exploit code and update your site’s code as well.
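To turn those log entries into a list of files to inspect, here is an added shell example (not part of the original post) that picks the rule’s own log_message text out of Exim’s main log and counts hits per script. The log lines are constructed for the demonstration; only the ACL’s log_message wording is relied on, the rest of each line is whatever Exim writes.

```shell
#!/bin/sh
# Added example, not from the original post: find the messages that
# acl_check_php rejected in Exim's main log and list the PHP scripts that
# sent them, so you know which files to inspect. Only the ACL's own
# log_message text is matched; the line prefix is Exim's, and the sample
# below is constructed for this demonstration.

# Read log lines on stdin, print the X-PHP-Originating-Script value that
# the log_message wrapped in "( ... ) Sender:" (optional braces tolerated).
dropped_scripts() {
    grep -F "Dropped mail: eval()'ed code:" |
        sed -e 's/.*eval()'"'"'ed code: ( *{\{0,1\}//' \
            -e 's/}\{0,1\} *) Sender:.*//'
}

# Reduce each value to the script path (strip the leading "uid:" and the
# "(line) : eval()'d code" tail) and count hits per file, busiest first.
drop_counts() {
    dropped_scripts |
        sed -e 's/^[0-9]*://' -e 's/(.*//' |
        sort | uniq -c | sort -rn
}

# Constructed sample of what the main log might contain once the rule is
# active (three drops, one ordinary delivery).
SAMPLE_LOG=$(cat <<'EOF'
2024-05-01 10:00:01 U=www-data F=<web@example.invalid> rejected by non-SMTP ACL: Dropped mail: eval()'ed code: ( 601:.help.php(1490) : eval()'d code ) Sender: web@example.invalid
2024-05-01 10:00:02 U=www-data F=<web@example.invalid> rejected by non-SMTP ACL: Dropped mail: eval()'ed code: ( 601:.help.php(1490) : eval()'d code ) Sender: web@example.invalid
2024-05-01 10:03:15 U=www-data F=<noreply@example.invalid> rejected by non-SMTP ACL: Dropped mail: eval()'ed code: ( 601:/var/www/html/wp-content/themes/twentyten/footer.php(3) : eval()'d code ) Sender: noreply@example.invalid
2024-05-01 10:05:00 1s2Tq3-0001Ab-C7 <= admin@example.invalid U=www-data P=local S=512
EOF
)

# Usage on a real server:  drop_counts < /var/log/exim/mainlog
printf '%s\n' "$SAMPLE_LOG" | drop_counts
```

The uid prefix (601 in the sample) is the user PHP ran as, which tells you which site or pool the script belongs to when several share the server.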
