Cut corrupted wordpress script by blocking mail()

Discussion in 'Server Operation' started by jmw, May 31, 2015.

  1. jmw

    jmw New Member

    Hello, today I got info from my ISP that my server is sending toons of unwanted mails - i went right away to logs and discovered that mails are sent from blog.domain.com - this is subdomain that i attached to domain.com/blog/ (wordpress installation) Is it possible to block out all mails sent from this subdomain? Or block sending mail without use of SMTP?
     
  2. webguyz

    webguyz Member HowtoForge Supporter

    Might be easier to find which script is corrupted and rename it instead of stopping the smtp. We get hit with this occasionally and when you look in the access log for the affected domain you usually see a lot of POST's going to the same file over and over from different IP's. If you look at the php file you'll probably find some code like:
    $z26="[email protected]>J\r/u+RcHz3}g\nd{^8 ?eVwl_T\\\t|N5q)LobU]40!p%,rC-97k<'y=W:p\$1BI&S6\"E(K`Y~.Q;f[v2a#X*ZAGtM";

    I would rename that file. Often spammers will not hack an important file that's part of the wp site but will add some obscure file xxx.php which will have the infection. If there is one infected file there could be others. WP has been the biggest headache for us when it comes to hacked files and spammers being able to sent out spam using php.

    After 5.3 they added a way so you could add a log for any files sent out via php. If you do a phpinfo() of that site it will list things mentioned in the link below so that in the future you can tell which file is infected and deal with it immediately. Create a entry in php.ini for mail.log and call it something line phpmail.log or something like that and it will tell you the name of the php script sending the spam. Good Luck!

    http://php.net/manual/en/mail.configuration.php
     
  3. DDArt

    DDArt Member HowtoForge Supporter

    Another way to keep track is to "log" the mail. In your php.ini or multiple php.ini files there is a ';mail.log = syslog', enable that and point it to your /var/log/xyzmail.log or whatever name you give it.

    That gives you the file name sending out mail and the time, date, etc.
     
  4. jmw

    jmw New Member

    Actually i managed to set up maldet, and configured crone to scan my wordpress applications every hour - it got rid of every mail spam script at first run.
     
  5. DDArt

    DDArt Member HowtoForge Supporter

    You might want to pay close attention on what maldet quarantines and removes. I am almost certain you have some false positives in your script. If you are running Wordpress most certainly you have some base64 code with some addons to handle Image Magic to handle your PNG files and most likely they got flagged down as a "{SA}stat.strlength" in your reporting. Some in .css files and some in .js files. If you end up with a broken administrator panel or broken back end you'll know what caused it.

    Check your conf.maldet and change it appropriately if you want to be alerted via email when it finds stuff, not to delete stuff but report it and you can manually investigate or remove.

    I do think that WP is a bit of a drag up-keeping multiple sites esp. having premium themes that are not updated and that include plugins prepackaged in their theme that causes nightmares. Not even WordFence, BPS, or SUCURI will find rogue scripts or vulnerable plugins.

    I wonder if anyone is using TripWire on their /var/www/clients/* sites, this would clearly show any new changes, new files that pop up. This is even better on managed host where client doesn't upload files via ftp.
     

Share This Page