Website Hacked. Sending spams. Help finding malicious code.
Discuss Website Hacked. Sending spams. Help finding malicious code. in the Mail Server Help forum on Dev Shed. Website Hacked. Sending spams. Help finding malicious code. Mail Server Help forum discussing tips, tricks, techniques and Spam containment solutions. Topics include mail servers such as Sendmail and Qmail, webmail interfaces such as Squirrelmail and Horde and spam solutions such as SpamAssassin and Bayesian
Receive the tools necessary to be the rock star of your field. Our 12-month program teaches you the evolving world of multi-channel marketing as well as the complex issues and opportunities found in the industry.
ASP Free and Iron Speed Designer are giving away $5,500+ in FREE licenses. Iron Speed's RAD CASE toolset can save up to 80% of your coding time. One free license per week, one perpetual license per month! Download and Activate to enter!
Web development can be a daunting task, even for specialists. There is a lot of information to absorb and a lot of technologies to learn in order to manage a superior website. When trying to learn the ropes, developers need a reliable source to introduce new ideas that can be easily implemented. When working on large projects, even web veterans may run into a technology or an aspect of a technology that they are unfamiliar with.
Posts: 4
Time spent in forums: 1 h 14 m 37 sec
Reputation Power: 0
Website Hacked. Sending spams. Help finding malicious code.
Hey guys,
New to the forum so I'll introduce myself. I'm Jugal, a freelance web developer from Mumbai, India.
Apart from making websites, I also offer web hosting to my clients.
I have a dedicated server running Windows Server 2008 with IIS 7 and Parallel Plesk installed.
I have more than 250 domains hosted here, most of which process PHP forms and thus, mail() function.
There has been an attack on my server where one of the php script containing mail() function is being exploited to send spams to random email id's. I have been getting bounceback emails from invalid id's this bot is sending spams to. So far, the count has been more than 12,000.
I suspect, the method described here is being used to carry out this operation: hxxp://wxw.astahost.c om/index.php?s=&showtopic=18363&view=findpost&p=121159 (Sorry, had to.)
So maybe one of my client used a weak php email code which hacker (bot) is enjoying to send spams to. (Or maybe not?)
Now, what I want to do is to hunt down the vulnerable mail() function responsible for this. Finding "mail()" by using Notepad++ seems unreasonable as from 250 domains, many of them are ecommerce scripts, form processors, wordpress blogs, etc. counting up to more than 1,000 search results and it'll be impossible to check the same manually.
Anyone, any idea how do I do this? Is there a tool for windows / apache to monitor all SMTP requests and to trace it to the responsible domain / .php file?
Or can we write a php program or anything to monitor the same?
Or just ANY solution to hunt the responsible domain at least, so that I can delete it.
I'm very much tensed. Hopefully, it's weekend so maybe I have 2 days to fix this else my clients are gonna call up and complain of those spams.
Posts: 13
Time spent in forums: 3 h 27 m 50 sec
Reputation Power: 0
Since this was posted back in October, I do hope you managed to get the problem under control, if not, or if someone else enters these forums with a similar issues, here are some pointers:
Quote:
Originally Posted by jjm0109
I have a dedicated server running Windows Server 2008 with IIS 7 and Parallel Plesk installed.
I have more than 250 domains hosted here, most of which process PHP forms and thus, mail() function.
Firstly why are you not using a cheaper Unix-like system? Are you also hosting .NET or windows specific applications? It might be an idea to separate the Apache hosted applications onto a Unix-like server and keep your Windows hosted applications on the Windows server. I refer to Apache here, as you note you are using Apache later in your message.
Quote:
Originally Posted by jjm0109
There has been an attack on my server where one of the php script containing mail() function is being exploited to send spams to random email id's. I have been getting bounceback emails from invalid id's this bot is sending spams to. So far, the count has been more than 12,000.
Have you checked the "From" address for these spam messages? If you have a secure SMTP server setup, it shouldn't allow relaying mail for domains which you do not personally host. The "From" address should tell you the exact domain, or at least the one which the spams know is on your server.
Quote:
Originally Posted by jjm0109
I suspect, the method described here is being used to carry out this operation: hxxp://wxw.astahost.c om/index.php?s=&showtopic=18363&view=findpost&p=121159 (Sorry, had to.)
So maybe one of my client used a weak php email code which hacker (bot) is enjoying to send spams to. (Or maybe not?)
I do believe Windows has a netstat program which can tell you which application is connecting to the SMTP port. If this doesn't help, you should check your mail server logs to see if there are any hints on where it is coming from.
Quote:
Originally Posted by jjm0109
Now, what I want to do is to hunt down the vulnerable mail() function responsible for this. Finding "mail()" by using Notepad++ seems unreasonable as from 250 domains, many of them are ecommerce scripts, form processors, wordpress blogs, etc. counting up to more than 1,000 search results and it'll be impossible to check the same manually.
PowerShell has a command very similar to the Unix GREP command which you can use to scan through files for say "mail(". You can create a PowerShell script to scan through multiple directory structures. I'll leave the scripting up to you. PHP also has a GREP-like command as well, and it can also go through directory structures.
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Website Hacked. Sending spams. Help finding malicious code.
Linear Mode
