
PHP mail spam

Posted: Tue Jun 17, 2014 1:27 am
by biggles
A small problem. A few days a week I get hit with spam, sent to my account

Received: (qmail 16615 invoked by uid 10002); 17 Jun 2014 07:08:34 +0200
X-Qmail-Scanner-Diagnostics: from  by servername (envelope-from <coco888@msn.com>, uid 10001) with qmail-scanner-2.10st 
 (clamdscan: 0.98.3/19106. mhr: 1.0. spamassassin: 3.3.2. perlscan: 2.10st.  
 Clear:RC:1(127.0.0.1):. 
 Processed in 0.04716 secs); 17 Jun 2014 05:08:34 -0000
To: my_company_emailadress (used as admin account)
Subject: [Name of website] coco888@msn.com
X-PHP-Originating-Script: 10001:class-phpmailer.php
Date: Tue, 17 Jun 2014 05:08:34 +0000
From: "coco888@msn.com" <coco888@msn.com>
Message-ID: <5158a682dd89d7cee80861eaed8aa5a9@domain.se>
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
Reply-To: coco888@msn.com <coco888@msn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

<Spam message removed>

I can see it originates from class-phpmailer.php. The problem is that that PHP file is the one used for WordPress mailing (this is a WordPress website). The only one who receives mail is myself, to the account used as SuperAdmin in WP, at least according to the maillog. Anyone got any suggestions?

edit: tried to make the text italic to mark comments in the code, but it just got , but you'll probably understand anyway

Re: PHP mail spam

Posted: Tue Jun 17, 2014 9:17 am
by scott
Any chance that there is another class-phpmailer.php installed on the box? In another directory or tmp folder maybe?

Re: PHP mail spam

Posted: Tue Jun 17, 2014 3:57 pm
by biggles
Not that I can find. There are a few of them from all the different WordPress sites on the server, but all are in the correct location. The user 10001 is the user account in Linux for the "Name of website".

Re: PHP mail spam

Posted: Tue Jun 17, 2014 5:13 pm
by prupert
In that case the attacker is using a hole in the Wordpress installation to send mail via this script.

Re: PHP mail spam

Posted: Wed Jun 18, 2014 3:48 am
by biggles
That was my initial idea as well. It is an updated version of WP. I have changed the password for the users but it still keeps sending spam.

Re: PHP mail spam

Posted: Wed Jun 18, 2014 9:49 am
by scott
Could be compromising the legitimate users' passwords through desktop malware or something. That's certainly not an uncommon tactic.

Are you using postfix or qmail? You could do outbound spam scanning with qmail-scanner.

Re: PHP mail spam

Posted: Wed Jun 18, 2014 9:51 am
by prupert
biggles wrote: That was my initial idea as well. It is an updated version of WP. I have changed the password for the users but it still keeps sending spam.
Security hole in a plug-in perhaps?

Re: PHP mail spam

Posted: Thu Jun 19, 2014 3:37 am
by biggles
prupert wrote: Security hole in a plug-in perhaps?
Not unlikely. Then I just need to find which one...

Re: PHP mail spam

Posted: Thu Jun 19, 2014 10:54 am
by paulie
Hi,

Cross-reference your web server access logs with the mail server logs; there will be entries for (almost) the same times. Voila!

However, I think this will be the WP "contact us" form? As I recall we had a customer with mails sourced from his WP but he had no "contact us" form... this didn't matter to WordPress though, it still processed POST submissions for the "contact us" form (i.e. no form in the frontend but back-end parsing is not disabled). I could be, and frequently am, wrong though.

Btw, is it deliberate that there are 2 different uids? qmail is invoked by 10002 but the script is owned by 10001?
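Paulie's log cross-referencing suggestion, written out as an added example that is not from the thread: it assumes Apache combined-format access logs and qmail-scanner style "Received:" lines (the sample lines below are constructed), and it converts both timestamps to UTC before comparing, since the header in the first post shows a +0200 offset next to a +0000 one.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real traffic); one POST lands a second before the mail event.
ACCESS_LOG = """\
203.0.113.5 - - [17/Jun/2014:07:08:33 +0200] "POST /wp-content/plugins/example-form/send.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2014:06:50:01 +0200] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""
MAIL_LOG = """\
Received: (qmail 16615 invoked by uid 10002); 17 Jun 2014 07:08:34 +0200
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
MAIL_RE = re.compile(r'\(qmail (\d+) invoked by uid (\d+)\); (\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d [+-]\d{4})')

def parse_access(text):
    """Parse combined-format access log lines into dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        # %z reads the "+0200" offset, so the comparison below is in absolute time
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append({"ip": ip, "when": when, "method": method, "path": path})
    return events

def parse_mail(text):
    """Parse qmail 'invoked by uid' lines into dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.search(line)
        if m:
            when = datetime.strptime(m.group(3), "%d %b %Y %H:%M:%S %z").astimezone(timezone.utc)
            events.append({"qmail_pid": m.group(1), "uid": m.group(2), "when": when})
    return events

def correlate(access, mail, window_seconds=5):
    """For each mail event, list POST requests that arrived within the window before it."""
    hits = []
    window = timedelta(seconds=window_seconds)
    for m in mail:
        for a in access:
            if a["method"] == "POST" and m["when"] - window <= a["when"] <= m["when"]:
                hits.append((m["uid"], a["ip"], a["path"], a["when"].isoformat()))
    return hits
```

Each hit names the invoking uid, the client IP, and the URL that was POSTed just before the mail went out, which is the script (or plugin endpoint) to look at first.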

Re: PHP mail spam

Posted: Sun Jun 22, 2014 9:59 am
by biggles
Thanks paulie!

I'll try the log part again. I didn't see anything suspicious the last time, but I probably wasn't looking with enough attention.

They do not have a contact form, so it sounds likely that it is parsing requests. I must look into this.

10002 is qmail-scanner, qscand.