Linode Forum https://forum.linode.com/

Spam Mail Via Qmail https://forum.linode.com/viewtopic.php?f=11&t=10948

Author: kgrammer [ Wed Apr 16, 2014 1:22 am ]
Post subject: Spam Mail Via Qmail
I've been fighting this one for a few days, and tonight I located two files on one of my WordPress sites, 11.php and send.php, that had been placed in a WordPress plugin sub-directory. 11.php allows a remote user to input e-mail information into fields as a one-off e-mail sender. send.php allows e-mail information to be passed in as arguments, making it a script-based execution from the executing system. I also noticed that 11.php would change the time zone of my server, and I had noticed a 1-hour shift in time. Both files have been removed and I have executed find/locates on my server to see if any additional copies exist, and found none. What I find strange is that I can't seem to find anything through various Google searches that describe either of these files. Anyway, if you are having issues with anonymous spam e-mails being sent, start with a find/locate of 11.php and send.php.
Author: nicholasmark [ Wed Apr 16, 2014 7:36 am ]
Post subject: Re: Spam Mail Via Qmail
Were the files downloaded with the plugin? If so, which plugin? If they weren't downloaded with the plugin, I'd be concerned about how they got there. If your Linode's been compromised there's a likelihood there's more 'damage' elsewhere and/or it'll happen again. I use the Wordfence plugin to keep an eye on WordPress file changes, etc. You can set it to periodically scan WordPress core files, themes and plugins against WordPress.org repository versions to check their integrity. http://wordpress.org/plugins/wordfence/
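As an added example (not code from this thread and not Wordfence's own code), here is a small Python baseline-and-compare integrity check in the spirit of the scan nicholasmark describes: hash every file under a plugin tree once after a clean install or reinstall, store the manifest, and later report anything added, removed or modified, which is how a dropped 11.php or send.php in a plugin sub-directory shows up even when its name is unknown. WP_ROOT and MANIFEST are hypothetical paths to be adjusted for your own install; demo() runs the same logic against a constructed plugin tree in a temporary directory so the script can be tried without a WordPress install.

```python
#!/usr/bin/env python3
"""Baseline-and-compare integrity check for a WordPress plugin tree.

Added example, not part of the forum thread or of Wordfence. Usage:
  integrity.py snapshot   # record SHA-256 of every file under WP_ROOT
  integrity.py check      # compare the live tree against the stored baseline
  integrity.py            # run demo() on a constructed temporary tree
"""
import hashlib
import json
import os
import sys
import tempfile

# Hypothetical paths; point them at your own install and a location
# outside the web root so the manifest itself cannot be edited over HTTP.
WP_ROOT = "/var/www/html/wp-content/plugins"
MANIFEST = "/var/lib/wp-integrity/plugins.json"


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and other non-regular entries
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return the added, removed and modified relative paths, each sorted."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def check(root, manifest_path):
    """Print every difference from the baseline; return True only if unchanged."""
    diff = compare_manifests(load_manifest(manifest_path), build_manifest(root))
    for kind in ("added", "removed", "modified"):
        for rel in diff[kind]:
            print(f"{kind.upper():9} {rel}")
    return not any(diff.values())


def demo():
    """Constructed scenario: snapshot a clean plugin dir, then drop a file into it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = os.path.join(tmp, "ajax-calendar")
        os.makedirs(plugin)
        with open(os.path.join(plugin, "calendar.php"), "w") as f:
            f.write("<?php // constructed clean plugin file\n")
        manifest_path = os.path.join(tmp, "baseline.json")  # kept outside the scanned tree
        save_manifest(build_manifest(plugin), manifest_path)
        # Stand-in for the incident in the thread: a new file appears in the plugin dir.
        with open(os.path.join(plugin, "11.php"), "w") as f:
            f.write("<?php // constructed stand-in for a dropped file\n")
        return check(plugin, manifest_path)  # prints "ADDED     11.php", returns False


if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "snapshot":
        save_manifest(build_manifest(WP_ROOT), MANIFEST)
    elif len(sys.argv) == 2 and sys.argv[1] == "check":
        sys.exit(0 if check(WP_ROOT, MANIFEST) else 1)
    else:
        demo()
```

Take the snapshot only from a tree you trust (a fresh reinstall, as kgrammer did), store the manifest outside the web root, and run the check from cron; a non-zero exit is the signal to look at the listed paths. Legitimate plugin updates will also show up as modified, so re-snapshot after each deliberate update.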
Author: kgrammer [ Wed Apr 16, 2014 8:18 am ]
Post subject: Re: Spam Mail Via Qmail
I'll check out the Wordfence plugin. I made a rookie mistake and left the default admin account active on this account for a few weeks when it was initially installed. I also found some code that had been added to the wp-config file, so I closed that stupid hole and reinstalled. I'm confident that was the hole that let them get in. I am running fail2ban, have disabled ssh and basically followed many other recommendations to secure the server, so at this point I don't think anything else was compromised. Passwords have also been changed as a precaution. The files were in an Ajax Calendar manager plugin and that plugin is simple. I have the original distro for the plugin and those files are not present, so I don't think the problem is related to the plugin itself.
All times are UTC-04:00