Spam problem (Joomla/server problem?)

Tweak (Verified User; joined May 15, 2009; 23 messages)
I don't know if it's allowed to ask here, but I've got a (kinda huge) problem: the webserver that is running DA is "trying" to send a lot of spam. I know a lot of domains are using Joomla.

Now I suspended the domains that are sending the spam (before that, I renamed the files that were being abused), but now it is sending spam again..

Example:

To: "Gerald Ranson" <[email protected]>
Subject: Heh :) Husband Wife at Home
X-PHP-Script: domain.nl/images/joomgallery/originals/file.php for 99.18.30.13


All the "spamming domains" are doing this with random file names and other dirs. I think the Joomla version is not the latest but the one before that. So I tried to look in the FTP log to see if there are files uploaded with that name.. but no.

As far as I know and see in the logs, they are using Apache to make the PHP files send stuff..

Maybe someone knows what is going on here? I already suspended 2 domains; now this is the 3rd.

See the Apache log here:

46.37.66.250 - - [15/May/2013:01:23:26 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
46.37.66.250 - - [15/May/2013:01:23:28 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
46.37.66.250 - - [15/May/2013:01:23:34 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
46.37.66.250 - - [15/May/2013:01:23:35 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
46.37.66.250 - - [15/May/2013:01:23:36 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
 
I think I already know the problem (if it's the same with all the domains): outdated extensions.. I found out JoomGallery is an extension, so that may be the problem.
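As an added example (not part of the original thread, and not a DirectAdmin or Joomla tool): the two artefacts quoted above, the X-PHP-Script mail header and the Apache access log, can be mined the same way to find the dropped mailer scripts and the clients driving them. The script below flags PHP files executed from directories that should hold no PHP at all (images/, language/, cache/ and so on), counts POSTs per client and script, and detects the "same client hitting the same script over and over" pattern asked about later in the thread. The first five log lines and the first mail header are the ones quoted in the thread; the remaining lines, and the IPs in the 203.0.113.0/24 documentation range, are constructed to show ordinary traffic that must not be flagged.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input (see lead-in). Lines 1-5 of the access log and the
# first mail header are quoted from the thread; everything else is made up.
ACCESS_LOG = """\
46.37.66.250 - - [15/May/2013:01:23:26 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
46.37.66.250 - - [15/May/2013:01:23:28 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
46.37.66.250 - - [15/May/2013:01:23:34 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
46.37.66.250 - - [15/May/2013:01:23:35 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
46.37.66.250 - - [15/May/2013:01:23:36 +0200] "POST /images/joomgallery/originals/file.php HTTP/1.1" 200 274 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2013:01:30:00 +0200] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2013:01:30:01 +0200] "GET /images/stories/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.9 - - [15/May/2013:01:31:00 +0200] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

MAIL_HEADERS = """\
X-PHP-Script: domain.nl/images/joomgallery/originals/file.php for 99.18.30.13
X-PHP-Script: domain.nl/administrator/components/com_mad4joomla/language/traditional_chinese/dirs.php for 203.0.113.50
X-PHP-Script: domain.nl/index.php for 203.0.113.7
"""

# Apache combined log format and the X-PHP-Script header PHP adds to mail().
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
HDR_RE = re.compile(r'^X-PHP-Script:\s*(?P<host>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<ip>\S+)')

# Joomla directories that hold only images, language .ini files or cache data;
# a PHP script executing from one of these is almost always a dropped backdoor.
NO_PHP_DIRS = ("/images/", "/media/", "/language/", "/cache/", "/tmp/", "/logs/")


def is_suspect_script(path):
    """True for a .php script living under a directory that should hold no PHP."""
    p = path.split("?", 1)[0].lower()
    return p.endswith(".php") and any(d in p for d in NO_PHP_DIRS)


def parse_access_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def suspect_posts(entries):
    """Count POSTs to suspect scripts per (client IP, script path)."""
    return Counter((e["ip"], e["path"]) for e in entries
                   if e["method"] == "POST" and is_suspect_script(e["path"]))


def posting_bursts(entries, window_seconds=10, threshold=3):
    """(ip, path) pairs that POSTed to one script >= threshold times in any window."""
    by_key = defaultdict(list)
    for e in entries:
        if e["method"] == "POST":
            by_key[(e["ip"], e["path"])].append(e["ts"])
    hits = set()
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return hits


def scripts_from_mail_headers(text):
    """Map suspect script path -> set of client IPs seen in X-PHP-Script headers."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m and is_suspect_script(m["path"]):
            found[m["path"]].add(m["ip"])
    return dict(found)


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    for (ip, path), n in suspect_posts(entries).items():
        print(f"{n:4d} POSTs  {ip:15s} -> {path}")
    for ip, path in sorted(posting_bursts(entries)):
        print(f"burst   {ip:15s} -> {path}  (candidate for a firewall block)")
    for path, ips in scripts_from_mail_headers(MAIL_HEADERS).items():
        print(f"mailer  {path} used by {', '.join(sorted(ips))}")
```

Feed it the real access logs of every domain on the box, not just the ones already suspended: the same client IPs and the same odd directories tend to show up on the sites that have not started spamming yet. The directory list is a heuristic, so a hit still needs a look at the file itself, as the thread goes on to do.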
 
That could well be the case. Joomla and its addons and/or extensions should always be up to date, same with WordPress.
Security holes are spread fast and also abused fast.
You could update the extension you named on 1 site, unsuspend it and see if it's going to send mail again or whether things stay quiet.

I would also suggest blocking the abusing IP addresses, which put the file.php there or abused it.
 
Thanks, I'm going to try it on 1 domain. I noticed this:

X-PHP-Script: domain.nl/administrator/components/com_mad4joomla/language/traditional_chinese/dirs.php for 82..

mad4joomla.. that seems to be an extension for sending emails etc.
 
That could well be the case. You can always check the content of the file and remove it if it has malicious code in it.
 
And secure your servers (e.g. mod_security2, mod_ruid2), and use helpful tools (e.g. maldetect).

CMS systems are good, but when clients do not update them, this is when the hackers win. I still see WordPress v2 on our servers!

Personally, I try to stay away from CMS systems when running my own sites; I only use WordPress if I really need to.
 
I updated that extension and removed the strange file (dirs.php). The site is running, still no spam.. But that mod_security2 looks nice, so it prevents attacks like someone sending info to the same PHP file all the time?
 
It's fixed I think, I removed the dirs.php file.. and it didn't come back...

But they want dirs.php.. so I created one for them :)

<?php
// Tarpit: whoever POSTs to the old backdoor path gets an endless stream of
// "Bye Bye!" until the client gives up (hence the 11710660-byte response below).
while (1) {
    print "Bye Bye!\n";
}
?>


2.38.208.150 - - [15/May/2013:21:59:06 +0200] "POST /administrator/components/com_mad4joomla/language/traditional_chinese/dirs.php HTTP/1.1" 200 11710660 "-" "Mozilla/5.0"

I hope they enjoy it :) Thanks for the help all.
 