Hello,
I found a file on a WordPress site (base64 decoded). When I encode this file, I see that the spammer is using some email addresses and passwords (which are not related to my server) and using fsockopen to send spam mail with my server's IP address.
So,
- Some website is infected with this file
- It uses some email addresses and passwords for authentication
- The spammer connects to my server with this PHP file and uses my main IP address
- He is using my server like a relay or proxy pass.
I can see these connections with tcpdump:
Code:
16:20:43.189411 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 0
16:20:43.272616 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 0
16:20:43.272709 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 31
16:20:43.441488 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 54
16:20:43.631498 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 0
16:20:43.631614 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 23
16:20:43.849555 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 54
16:20:44.043821 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 34
16:20:44.216208 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 44
16:20:44.320743 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 6
16:20:44.492226 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 39
16:20:44.511391 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 0
16:20:44.628693 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 1208
16:20:44.666593 IP X.X.X.X1.40587 > 67.231.152.47.smtp: tcp 0
16:20:44.817925 IP X.X.X.X1.40587 > 67.231.152.47.smtp: tcp 0
16:20:45.241665 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 6
16:20:45.408418 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 0
16:20:45.412143 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 0
First I thought of disabling some PHP functions like fsockopen, but there are lots of different ways to make a connection.
Do you have any suggestions to stop this?
If you want to see the file: http://pastebin.ca/3162557
P.S.: I know I can find these files and delete them, but I want to block this method to prevent further problems.
Thanks
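As an added example (not code from the post or the pastebin file), a small Python script that parses tcpdump summary lines like the ones above and flags a host that opens SMTP connections to several distinct destinations within a few seconds, which is what a web server relaying spam looks like in a capture. The sample lines are excerpted from the capture above; the window and destination-count thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: six lines excerpted from the tcpdump output in the post;
# X.X.X.X1 is the poster's placeholder for the server's own address.
SAMPLE = """\
16:20:43.189411 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 0
16:20:43.272616 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 0
16:20:43.272709 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 31
16:20:43.631614 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 23
16:20:44.628693 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 1208
16:20:44.666593 IP X.X.X.X1.40587 > 67.231.152.47.smtp: tcp 0
"""

# One tcpdump TCP summary line: "HH:MM:SS.us IP src.sport > dst.dport: tcp len"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): tcp (?P<len>\d+)$"
)
SMTP_PORTS = {"smtp", "25", "submission", "587"}  # as tcpdump prints them

def parse_tcpdump(text):
    """Return one dict per TCP summary line; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        h, mi, s = d["ts"].split(":")  # wall-clock time of day in seconds
        flows.append({"t": int(h) * 3600 + int(mi) * 60 + float(s),
                      "src": d["src"], "sport": d["sport"], "dst": d["dst"],
                      "dport": d["dport"], "len": int(d["len"])})
    return flows

def flag_relay(flows, window=5.0, min_dests=2):
    """Flag a source that opens SMTP connections to min_dests or more distinct
    hosts within `window` seconds; a web server that is not an MTA should not."""
    first_seen = defaultdict(dict)  # src -> {dst: time of first SMTP packet}
    for f in flows:
        if f["dport"] in SMTP_PORTS:
            first_seen[f["src"]].setdefault(f["dst"], f["t"])
    alerts = []
    for src, dests in first_seen.items():
        times = sorted(dests.values())
        if len(times) >= min_dests and times[-1] - times[0] <= window:
            alerts.append((src, sorted(dests)))
    return alerts
```

Run it against `tcpdump -l -n` output piped from the server (port 25 traffic only) to get a per-source list of destinations; the same parser works on a saved capture printed with `tcpdump -r`.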