Atomic Secure Linux

All times are UTC - 5 hours [ DST ]

[ 10 posts ]
 Post subject: PHP mail spam
Unread postPosted: Tue Jun 17, 2014 1:27 am 
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
A small problem. A few days a week I get hit with spam, sent to my account

Code:
Received: (qmail 16615 invoked by uid 10002); 17 Jun 2014 07:08:34 +0200
X-Qmail-Scanner-Diagnostics: from  by servername (envelope-from <coco888@msn.com>, uid 10001) with qmail-scanner-2.10st
 (clamdscan: 0.98.3/19106. mhr: 1.0. spamassassin: 3.3.2. perlscan: 2.10st. 
 Clear:RC:1(127.0.0.1):.
 Processed in 0.04716 secs); 17 Jun 2014 05:08:34 -0000
To: my_company_emailadress [i](used as admin account)[/i]
Subject: [[i]Name of website[/i]] coco888@msn.com
X-PHP-Originating-Script: 10001:class-phpmailer.php
Date: Tue, 17 Jun 2014 05:08:34 +0000
From: "coco888@msn.com" <coco888@msn.com>
Message-ID: <5158a682dd89d7cee80861eaed8aa5a9@[i]domain.se[/i]>
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
Reply-To: coco888@msn.com <coco888@msn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

<Spam message removed>



I can see it originates from class-phpmailer.php. The problem is that that php file is the one used for WordPress mailing (this is a WordPress website). The only one who receives mail is myself (to the account used as SuperAdmin in WP), at least according to the maillog. Anyone got any suggestions?

edit: tried to make the text italic to mark comments in the code, but it just got [i], but you'll probably understand anyway


 Post subject: Re: PHP mail spam
Unread postPosted: Tue Jun 17, 2014 9:17 am 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Any chance that there is another class-phpmailer.php installed on the box? In another directory or tmp folder maybe?


 Post subject: Re: PHP mail spam
Unread postPosted: Tue Jun 17, 2014 3:57 pm 
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
Not that I can find. There are a few of them from all the different WordPress sites on the server, but all are in the correct location. The user 10001 is the user account in Linux for the "Name of website".


 Post subject: Re: PHP mail spam
Unread postPosted: Tue Jun 17, 2014 5:13 pm 
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
In that case the attacker is using a hole in the WordPress installation to send mail via this script.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: PHP mail spam
Unread postPosted: Wed Jun 18, 2014 3:48 am 
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
That was my initial idea as well. It is an updated version of WP. I have changed the password for the users but it still keeps sending spam.


 Post subject: Re: PHP mail spam
Unread postPosted: Wed Jun 18, 2014 9:49 am 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Could be compromising the legitimate users' passwords through desktop malware or something. That's certainly not an uncommon tactic.

Are you using postfix or qmail? You could do outbound spam scanning with qmail-scanner.


 Post subject: Re: PHP mail spam
Unread postPosted: Wed Jun 18, 2014 9:51 am 
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
biggles wrote:
That was my initial idea as well. It is an updated version of WP. I have changed the password for the users but it still keeps sending spam.


Security hole in a plug-in perhaps?

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: PHP mail spam
Unread postPosted: Thu Jun 19, 2014 3:37 am 
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
prupert wrote:
Security hole in a plug-in perhaps?


Not unlikely. Then I just need to find which one...


 Post subject: Re: PHP mail spam
Unread postPosted: Thu Jun 19, 2014 10:54 am 
Forum User

Joined: Tue Apr 20, 2010 2:49 am
Posts: 76
Hi,

Cross-reference your web server access logs with the mail server logs; there will be entries at (almost) the same times. Voila!

However, I think this will be the WP contact us form? As I recall we had a customer with mails sourced from his WP but he had no contact us form... this didn't matter to WordPress though, it still processed POST submissions for the contact us form (i.e. no form in the frontend, but back end parsing is not disabled). I could be, and frequently am, wrong though.

Btw, is it deliberate that there are 2 different uids? qmail is invoked by 10002 but the script is owned by 10001?


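The cross-referencing paulie describes, written out as an added example (it is not code from this thread or from Atomicorp): pull the qmail Received: timestamp and the X-PHP-Originating-Script header out of the spam's headers, then list the web requests in the Apache access log that arrived within a few seconds of it, POSTs first. X-PHP-Originating-Script is added by PHP's mail.add_x_header directive and carries only the uid and the script's basename, which is why it cannot tell apart the several class-phpmailer.php copies on a multi-site box; the request that called the script is what narrows it down. The sample headers and access log lines below are constructed to resemble the ones in the first post (placeholder addresses and IPs, and a made-up plugin path).

```python
import re
from datetime import datetime, timedelta
from email import message_from_string

# Constructed sample headers, shaped like the ones quoted in the first post
# (addresses and host names are placeholders; the body is omitted).
SPAM_HEADERS = """\
Received: (qmail 16615 invoked by uid 10002); 17 Jun 2014 07:08:34 +0200
To: admin@example.se
Subject: [Example Site] coco888@msn.com
X-PHP-Originating-Script: 10001:class-phpmailer.php
Date: Tue, 17 Jun 2014 05:08:34 +0000
From: "coco888@msn.com" <coco888@msn.com>
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

<body removed>
"""

# Constructed Apache combined-format access log lines. The plugin path is a
# placeholder; times are local (+0200), like the Received: line above.
ACCESS_LOG = """\
203.0.113.7 - - [17/Jun/2014:07:05:12 +0200] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jun/2014:07:08:33 +0200] "POST /wp-content/plugins/example-plugin/mailer.php HTTP/1.1" 200 412 "-" "python-requests/2.2"
203.0.113.7 - - [17/Jun/2014:07:08:34 +0200] "GET /index.php HTTP/1.1" 200 15882 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Jun/2014:07:30:01 +0200] "POST /wp-cron.php HTTP/1.1" 200 0 "-" "WordPress/3.9.1"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# qmail's Received: line: "(qmail NNN invoked by uid U); DD Mon YYYY HH:MM:SS +ZZZZ"
RECEIVED_RE = re.compile(
    r"invoked by uid (?P<uid>\d+)\);\s*"
    r"(?P<time>\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d [+-]\d{4})"
)


def parse_mail_headers(raw):
    """Extract the pieces of a PHP-sent mail that help locate the sending script."""
    msg = message_from_string(raw)
    m = RECEIVED_RE.search(msg.get("Received", ""))
    if not m:
        raise ValueError("no qmail Received: line with a timestamp")
    # qmail's own timestamp is used rather than Date:, which the sending
    # script chooses and may set arbitrarily.
    received_at = datetime.strptime(m["time"], "%d %b %Y %H:%M:%S %z")
    # X-PHP-Originating-Script is "uid:basename-of-script" (mail.add_x_header)
    uid, _, script = msg.get("X-PHP-Originating-Script", "").partition(":")
    return {
        "received_at": received_at,
        "qmail_uid": m["uid"],
        "script_uid": uid,
        "script": script,
        "mailer": msg.get("X-Mailer", ""),
    }


def parse_access_log(text):
    """Parse Apache combined-format lines into dicts with a timezone-aware datetime."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of failing
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def correlate(mail_info, entries, window=timedelta(seconds=5)):
    """Requests within `window` of the mail's arrival at qmail: POSTs first, then closest first."""
    sent = mail_info["received_at"]
    hits = [e for e in entries if abs(e["ts"] - sent) <= window]
    hits.sort(key=lambda e: (e["method"] != "POST", abs(e["ts"] - sent)))
    return hits


if __name__ == "__main__":
    info = parse_mail_headers(SPAM_HEADERS)
    print(f"handed to qmail at {info['received_at']} by uid {info['qmail_uid']}; "
          f"built by {info['script']} (uid {info['script_uid']}) via {info['mailer']}")
    for e in correlate(info, parse_access_log(ACCESS_LOG)):
        print(f"  {e['ts']}  {e['ip']:<15} {e['method']:<4} {e['path']}  {e['agent']}")
```

Run it against the real headers of each spam and the matching day's access log; widen the window if the web and mail hosts keep slightly different clocks. The thing to look for is the same pattern on every hit: a POST to a plugin or theme file, no referer, and a scripted user agent, which points at the file to review rather than at the harmless wp-cron and front-page requests that happen to land in the same second.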
 Post subject: Re: PHP mail spam
Unread postPosted: Sun Jun 22, 2014 9:59 am 
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
Thanks paulie!

I'll try the log part again. I didn't see anything suspicious the last time, but I probably wasn't looking with enough attention.

They do not have a contact form, so it sounds likely that it is parsing requests. I must look into this.

10002 is qmail-scanner, qscand.

