PHP mail spam

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
biggles
Forum Regular
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden
Contact:

PHP mail spam

Unread post by biggles »

A small problem. A few days a week I get hit with spam, sent to my account

Code: Select all

Received: (qmail 16615 invoked by uid 10002); 17 Jun 2014 07:08:34 +0200
X-Qmail-Scanner-Diagnostics: from  by servername (envelope-from <coco888@msn.com>, uid 10001) with qmail-scanner-2.10st 
 (clamdscan: 0.98.3/19106. mhr: 1.0. spamassassin: 3.3.2. perlscan: 2.10st.  
 Clear:RC:1(127.0.0.1):. 
 Processed in 0.04716 secs); 17 Jun 2014 05:08:34 -0000
To: my_company_emailadress [i](used as admin account)[/i]
Subject: [[i]Name of website[/i]] coco888@msn.com
X-PHP-Originating-Script: 10001:class-phpmailer.php
Date: Tue, 17 Jun 2014 05:08:34 +0000
From: "coco888@msn.com" <coco888@msn.com>
Message-ID: <5158a682dd89d7cee80861eaed8aa5a9@[i]domain.se[/i]>
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
Reply-To: coco888@msn.com <coco888@msn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

<Spam meesage removed>

I can see it originates from class-php-mailer.php. The problem is that that is the php-file is the one used for Wordpress mailing (this is a Wordpress website). The only one who receives mail is myself, to the account used as SuperAdmin in WP), at least according to the maillog. Anyone got any suggestions?

edit: tried to make the text italic to mark comments in the code, but it just got , but you'll probably understand anyway
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: PHP mail spam

Unread post by scott »

any chance that there is another class-phpmailer.php installed on the box? In another directory or tmp folder maybe?
biggles
Forum Regular
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden
Contact:

Re: PHP mail spam

Unread post by biggles »

Not that I can find. There are a few of them from all the different Wordpress-sites on the server, but all are in the correct location. The user 10001 is the user account in Linux for the "Name of website"
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: PHP mail spam

Unread post by prupert »

In that case the attacker is using a hole in the Wordpress installation to send mail via this script.
Lemonbit Internet Dedicated Server Management
biggles
Forum Regular
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden
Contact:

Re: PHP mail spam

Unread post by biggles »

That was my initial idea as well. It is an updated version of WP. I have changed the password for the users but it still keeps sending spam.
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: PHP mail spam

Unread post by scott »

Could be compromising the legitimate users passwords through desktop malware or something. Thats certainly not an uncommon tactic.

Are you using postfix or qmail? You could do outbound spam scanning with qmail-scanner
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: PHP mail spam

Unread post by prupert »

biggles wrote:That was my initial idea as well. It is an updated version of WP. I have changed the password for the users but it still keeps sending spam.
Security hole in a plug-in perhaps?
Lemonbit Internet Dedicated Server Management
biggles
Forum Regular
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden
Contact:

Re: PHP mail spam

Unread post by biggles »

prupert wrote: Security hole in a plug-in perhaps?
Not unlikely. Then I just need to find which one...
paulie
Forum User
Forum User
Posts: 76
Joined: Tue Apr 20, 2010 2:49 am

Re: PHP mail spam

Unread post by paulie »

Hi,

Cross reference your web server access logs with the mailserver logs there will be entries for (almost) the same times. Voila!

However i think this will be the wp contact us form? As i recall we had a customer with mails sourced from his wp but he had no contact us form... this didn't matter to wordpress tho it still processed POST submissions for the contact us form (ie no form in frontend but back end parsing is not disabled). I could be and frequently am wrong though.

Btw is it deliberate that thereare 2 different uids?qmail is invoked by 10002 but script is owned by 10001?
biggles
Forum Regular
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden
Contact:

Re: PHP mail spam

Unread post by biggles »

Thanks paulie!

I'll try the log part again. I didn't see anything suspicious the last time, but I probably wasn't looking with enough attention.

They do not have a contact form, so it sounds likely that it is parsing requests. I must look into this.

10002 is qmail-scanner, qscand.
Post Reply