I noticed in my log some kind of nimda web attack to mydownload -> tell a friend link.

The attack file is long, I have added to my site. http://unixtime.net/nimda.txt

The attacker trying to use Tell a Friend link to spam. using the default template link.
Example:
https://xoops.org/modules/mydownloads/singlefile.php?cid=2&lid=1

I had to recompile my kernel to support iptables string and added the following statements

$IPTABLES -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string .c+dir.
$IPTABLES -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string .cmd.exe.
$IPTABLES -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string .default.ida.


I am sure there are many sites using tell a friend links.

does anybody know if there is a patch for this problem?

Thank you.

I'm not really a genius, and that's maybe why I don't understand it completely. The "Tell a friend" in the mydownloads module is just a href anchor with a mailto commando.

So what is exactly the result of that "attack", since I'm not really sure...

I post it this before I drink my coffee... this code looking for mailto: [ string ] so as usual the spammers add the emailto:<email@whatever.xxx> to spamming list.

since there is no email address in "Tell a friend" href anchor. should not be a problem.

Thank you for your time.

"Tell A Friend" has to go through the sending person's own smtp server, NOT your web's smtp server or phpmailer, so there is nothing to worry about.

On a side note to this, I was wondering if there is a hole in the Contact Us module? I've got spam on two different e-mail accounts that I've used only in this module (didn't even give the addresses to friends, let alone posted them anywhere).

Thanks,