Exploited Scripts in WordPress Sends Spam

Dumbledore Member

How do I deal with spam-sending cPanel accounts? I can't globally disable the PHP mail function, as it's important for many other users.

This is what I have tried so far.

1) Tried to limit email with the "Max hourly emails per domain" option: somehow they are bypassing this limit and sending thousands of mails.

2) Tried to disable phpmail for a specific account using a custom php.ini: I'm using suPHP, but it's not disabling the mail function.

I don't want to suspend them or use the suspend_outgoing_email command. I just want to disable their phpmail functionality.

Comments

  • dwtbf Member

    if(Wordpress) {
        Refund();
    }

  • ljseals Member

    If the account is sending out spam why not suspend the account, seems that this would be a normal practice. God bless you!

  • ramesh_vish

    I had an exploited WordPress install and installed malware detection software (maldetect); it identified the impacted PHP files. It identified two files which were sending mails by the dozen. I deleted the files and things are back to normal.


  • ljseals said: why not suspend the account

    ramesh_vish said: software (maldetect)

    I'm trying to find a way to restrict phpmail by either whitelisting or blacklisting.

  • rsk Member, Provider

    ramesh_vish said: I had an exploited WordPress install and installed malware detection software (maldetect); it identified the impacted PHP files. It identified two files which were sending mails by the dozen. I deleted the files and things are back to normal.

    Remember, this is not a real solution. If they managed to upload a php script, then you should patch up that exploit. Deleting files is pointless when they can reupload them :)

  • rsk Member, Provider

    ljseals said: If the account is sending out spam why not suspend the account, seems that this would be a normal practice. God bless you!

    It could very well be that the client has no idea about wordpress, or security in general. This could be done behind his back. Not him intentionally sending out spam. Seen it with many shared hosting clients, especially the ones that add WP plugins by the dozen.

  • rsk said: It could very well be that the client has no idea about wordpress, or security in general. This could be done behind his back. Not him intentionally sending out spam. Seen it with many shared hosting clients, especially the ones that add WP plugins by the dozen.

    This is the case.

  • Falzo Member

    @stolipeach said:

    rsk said: It could very well be that the client has no idea about wordpress, or security in general. This could be done behind his back. Not him intentionally sending out spam. Seen it with many shared hosting clients, especially the ones that add WP plugins by the dozen.

    This is the case.

    Contact the client, tell him, make him care.
    It remains his responsibility to secure his website/software.

    If he does not react or care, get rid of him or make him pay for managed services.

    Taking countermeasures behind the client's back instead of solving the real cause and making him aware IMHO can't be the right solution anyway...


  • Falzo said: contact the client, tell him, make him care.

    These are small business owners. They don't even know what WordPress is. The sites were designed by novice designers at a small one-time cost. I don't have any contact with them.

    I don't know why custom php.ini is not working for disabling phpmail function.

  • KuJoe Member, Provider

    @stolipeach said:

    Falzo said: contact the client, tell him, make him care.

    These are small business owners. They even don't know what Wordpress is. Sites are designed by novice designers at a small one time cost. I don't have any contact with them.

    You have bigger problems than a hacked Wordpress if you have no way to get in contact with the people using your servers.

  • KuJoe said: people using your servers

    They have no access to the server now.

  • joepie91 Member, Provider

    stolipeach said: These are small business owners. They even don't know what Wordpress is. Sites are designed by novice designers at a small one time cost.

    That is their problem. Their site, their hired designer, their responsibility. Not yours.


  • joepie91 said: That is their problem. Their site, their hired designer, their responsibility. Not yours.

    I know. I'm trying to do the maximum help I can.

  • joepie91 Member, Provider
    edited July 14

    @stolipeach said:

    joepie91 said: That is their problem. Their site, their hired designer, their responsibility. Not yours.

    I know. I'm trying to do the maximum help I can.

    Please don't do that for people who are being actively negligent. All it does is reward negligent behaviour, because "somebody will be there to clean it up for me anyway". By all means give them an explanation of what went wrong and how to go about getting it fixed, answering questions about things that are unclear - but don't take the job of fixing it upon yourself.

    In the end, your customers need to understand that they bear responsibility for the things they put online, and that they bear the responsibility for the people they hire, designers included. This is simply not your concern, nor is it beneficial to anybody to make it your concern - that way, the customer will never stop being negligent, and you'll have to keep cleaning up their mess.

    In other words: you'll help them the most by explaining their responsibilities to them in a way that they 1) can understand (with a non-technical background) and 2) can use to actually get the issue resolved quickly (by making concrete recommendations about who to hire to clean it up, for example). In the long run, that's the only viable solution - you want prevention, not remediation.


  • Can anyone tell me why php.ini / .user.ini is not disabling the mail function? Am I missing anything? I use suPHP.
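An added example, not code from the thread, that speaks to the question above. disable_functions is a PHP_INI_SYSTEM directive, so .user.ini, .htaccess php_value lines and ini_set() cannot set it; only a php.ini that the php-cgi process actually loads can. Under suPHP that is the php.ini in the directory named by suPHP_ConfigPath, and it replaces the global php.ini instead of merging with it, so a per-account file holding only the override silently drops every other setting. The script builds that file for one account from the global ini, points suPHP at it from the docroot .htaccess, and asks PHP itself which ini it loaded and whether mail() is gone. The cPanel paths /home/<user>/public_html and /usr/local/lib/php.ini, and suPHP honouring suPHP_ConfigPath from .htaccess, are assumptions; the sample global ini in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: make a per-account php.ini under
# suPHP really disable mail(), then verify it. Assumed cPanel layout:
# /home/<user>/public_html as docroot, /usr/local/lib/php.ini as global ini.

GLOBAL_INI=${GLOBAL_INI:-/usr/local/lib/php.ini}

# Last value of a directive in a php.ini-style file (comments, [sections]
# and surrounding quotes ignored); empty if the directive is unset.
ini_get() {  # ini_get <file> <directive>
    awk -v key="$2" '
        /^[ \t]*[;#]/       { next }
        /^[ \t]*\[/         { next }
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) last = v
        }
        END { print last }' "$1"
}

# Exit 0 iff "mail" appears in the comma-separated disable_functions list.
ini_disables_mail() {  # ini_disables_mail <php.ini>
    ini_get "$1" disable_functions | tr ',' '\n' | tr -d ' \t' | grep -qx mail
}

# Build <docroot>/php.ini as a full copy of the global ini with mail added to
# disable_functions, and point suPHP at that directory from .htaccess.
# Idempotent: running it twice yields the same files.
disable_mail_for_account() {  # disable_mail_for_account <docroot> [global php.ini]
    docroot=$1 global=${2:-$GLOBAL_INI}
    existing=
    if [ -f "$global" ]; then
        existing=$(ini_get "$global" disable_functions)
        # copy everything except the directive we are about to set
        grep -v '^[ \t]*disable_functions[ \t]*=' "$global" > "$docroot/php.ini" || :
    else
        : > "$docroot/php.ini"
    fi
    case ",$(printf '%s' "$existing" | tr -d ' \t')," in
        *,mail,*) new=$existing ;;            # global ini already disables it
        ,,)       new=mail ;;
        *)        new="$existing,mail" ;;     # keep exec/system/... disabled too
    esac
    printf 'disable_functions = %s\n' "$new" >> "$docroot/php.ini"
    # suPHP_ConfigPath names the directory that holds php.ini, not the file.
    if ! grep -qxF "suPHP_ConfigPath $docroot" "$docroot/.htaccess" 2>/dev/null; then
        printf 'suPHP_ConfigPath %s\n' "$docroot" >> "$docroot/.htaccess"
    fi
}

# Runtime check with the PHP binary: which ini it loads from that directory and
# whether mail() is gone (function_exists() is false for a disabled function).
# Skipped when no php binary is on PATH.
verify_with_php() {  # verify_with_php <docroot>
    command -v php >/dev/null 2>&1 || { echo "php not on PATH; skipping runtime check"; return 0; }
    php -c "$1" -r 'printf("%s mail(): %s\n", php_ini_loaded_file(), function_exists("mail") ? "still enabled" : "disabled");'
}

# Demo on a throwaway tree with a constructed stand-in for the global ini.
demo=$(mktemp -d)
mkdir -p "$demo/public_html"
printf 'memory_limit = 128M\ndisable_functions = exec,system\n' > "$demo/global-php.ini"
disable_mail_for_account "$demo/public_html" "$demo/global-php.ini"
ini_disables_mail "$demo/public_html/php.ini" && echo "mail() disabled in $demo/public_html/php.ini"
cat "$demo/public_html/.htaccess"
verify_with_php "$demo/public_html"
```

If suPHP is configured to ignore suPHP_ConfigPath in .htaccess, the same directive goes in the account's vhost include instead; under mod_php the equivalent is php_admin_value disable_functions mail in the vhost. Either way the per-account ini now has to be kept in step with the global one whenever that changes, which is the maintenance cost of doing this per account instead of suspending outgoing mail.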

  • joepie91 said: Please don't do that for people who are being actively negligent. All it does is rewarding negligent behaviour, because "somebody will be there to clean it up for me anyway". By all means give them an explanation about what went wrong, and how to go about getting it fixed, answering questions about things that are unclear - but don't take the job upon yourself to do the fixing yourself.

    In the end, your customers need to understand that they bear responsibility for the things they put online, and that they bear the responsibility for the people they hire, designers included. This is simply not your concern, nor is it beneficial to anybody to make it your concern - that way, the customer will never stop being negligent, and you'll have to keep cleaning up their mess.

    In other words: you'll help them the most by explaining their responsibilities to them in a way that they 1) can understand (with a non-technical background) and 2) can use to actually get the issue resolved quickly (by making concrete recommendations about who to hire to clean it up, for example). In the long run, that's the only viable solution.

    I know this won't help in the long run. I just wanted to give them some time instead of terminating the accounts directly. Anyway, I'm going to suspend the accounts and inform them about the issues.

  • OBHost Member, Provider

    @stolipeach said: How do I deal with spam-sending cPanel accounts? I can't globally disable the PHP mail function, as it's important for many other users.

    This is what I have tried so far.

    1) Tried to limit email with the "Max hourly emails per domain" option: somehow they are bypassing this limit and sending thousands of mails.

    2) Tried to disable phpmail for a specific account using a custom php.ini: I'm using suPHP, but it's not disabling the mail function.

    I don't want to suspend them or use the suspend_outgoing_email command. I just want to disable their phpmail functionality.

    The same happened with one of our clients. He changed his (WordPress) website template and updated his theme, and after 2 days thousands of emails were being sent from his account to .ru addresses. The sending limit was 120; cPanel didn't block or stop the emails.

    We enabled the spam block in CSF and changed the user's password, and didn't get that issue again on that account.

  • OBHost said: Same happen with our one of client,

    I have around 10+ exploited accounts. I just suspended them all. I'm done with this!

    Moreover, I just found out that ini directives can't disable the mail function.

    http://php.net/manual/en/ini.list.php

  • Francisco Top Provider

    This is why we wrote our own send mail script.

    Francisco

  • ljseals Member
    edited July 14

    @rsk said:

    ljseals said: If the account is sending out spam why not suspend the account, seems that this would be a normal practice. God bless you!

    It could very well be that the client has no idea about WordPress, or security in general. This could be done behind his back. Not him intentionally sending out spam. Seen it with many shared hosting clients, especially the ones that add WP plugins by the dozen.

    I would choose to suspend the account and inform the website owner of the problems. A small business owner would not want to be responsible for sending out mass spam e-mail. If you relay the problem to the person and advise how to correct the issues, either by paying extra or by hiring outside development to fix the problem, it should not be a problem.

    I do not believe that it would be the responsibility of the web host to ensure that their WordPress site is totally secure unless they have some type of specialized WordPress hosting. I would not terminate the account but would word it in such a way that repeat violations would cause the termination of the account.

    When you are talking spam mail you are talking massive fines, and I would not prolong their site by looking for alternative "band-aid" solutions. Suspend the account... Nothing wrong with that... until contact is made, but it should be the web owner's responsibility. If they do not take responsibility, I believe you are then within your rights to terminate the account.

  • Hxxx Member

    Follow @Francisco approach. Francisco tell the kids. thanks.

  • ljseals Member
    edited July 14

    Also, when I started with my own servers, I contacted someone off Fiverr who stated that he could set up my server with Nginx and X-Cart. When I looked at the website, he had installed WordPress. So while it may not have been the case with the provider on Fiverr, it may be a tactic, or rather a ruse, to install WordPress to send spam e-mail and then claim to have been hacked on the backend, to absolve themselves from criminal activity and continue with your services.

  • Francisco said: send mail script

    Yeah. I remember someone saying BuyShared limits phpmail long time ago. I didn't know you wrote your own script for that. I always thought it was some ini directive.

    ljseals said: I do not believe that it would be the responsibility of the web host to ensure that their WordPress site is totally secure unless they have some type of specialized WordPress hosting. I would not terminate the account but would word it in such a way that repeat violations would cause the termination of the account.

    I have been hosting these accounts for more than two years; there was no issue. It started sending emails 1 week ago. I chmodded the files, but new files started popping up after two days.

    I have suspended all accounts now and notified them.

  • Francisco Top Provider

    stolipeach said: Yeah. I remember someone saying BuyShared limits phpmail long time ago. I didn't know you wrote your own script for that. I always thought it was some ini directive.

    Nope, sorry!

    Francisco

  • Hxxx Member

    Top notch

    @Francisco said:

    stolipeach said: Yeah. I remember someone saying BuyShared limits phpmail long time ago. I didn't know you wrote your own script for that. I always thought it was some ini directive.

    Nope, sorry!

    Francisco

  • robohost Member

    Buy a reseller package from BuyShared and move the compromised site there. Problem solved.

  • rsk Member, Provider

    robohost said: Buy a reseller package from BuyShared and move the compromised site there. Problem solved.

    Albeit they solved the spam thing on their end, I do not think that is a great idea.

    From a host perspective, I prefer to host a secure site on my servers. Not one that is hacked and just moved over.

    But, I do not know what @francisco has to say? :P

  • Janevski Member
    edited July 16

    Warn and if it doesn't get better terminate service for the offending user/spammer.

    If you are extra nice you could give partial refund for the unused service period.

    If you are ultra nice you could migrate such users on a cPanel server with disabled mail or blocked smtp, but it's a waste of time.

  • Sady Member

    Have a look: https://github.com/saadismail/wp-clean/

    MUST GO THROUGH BASH FILE FIRST BEFORE RUNNING THIS.

    inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim has always helped me tracking down the directory where the mailer is.

  • robohost Member

    @Sady said: Have a look: https://github.com/saadismail/wp-clean/

    MUST GO THROUGH BASH FILE FIRST BEFORE RUNNING THIS.

    inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim has always helped me tracking down the directory where the mailer is.

    Last week I was cleaning a WordPress install with infected files; the InMotion command couldn't detect it. When I looked into the files there was just a single line of PHP with a var, without base64. My assumption is that the hacker is using remote domains to execute the PHP.

  • sureiam Member

    @Francisco said: This is why we wrote out send mail script.

    Francisco

    Good call. SMTP is an option in WordPress via a simple plug-in, and all other apps also have SMTP functionality. With the free certs my mail domain is even secured now and only uses SSL for SMTP. I see no need for legit phpmail now except laziness to get SMTP working properly.

  • Sady Member

    @robohost said:

    @Sady said: Have a look: https://github.com/saadismail/wp-clean/

    MUST GO THROUGH BASH FILE FIRST BEFORE RUNNING THIS.

    inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim has always helped me tracking down the directory where the mailer is.

    Last week I was cleaning a WordPress install with infected files; the InMotion command couldn't detect it. When I looked into the files there was just a single line of PHP with a var, without base64. My assumption is that the hacker is using remote domains to execute the PHP.

    The commands in that InMotion tutorial are not about infected files. They check the Exim maillog and then show the directories from which scripts were executed to send emails, and the number of emails that were sent from those directories.


  • robohost Member

    @Sady said:

    @robohost said:

    @Sady said: Have a look: https://github.com/saadismail/wp-clean/

    MUST GO THROUGH BASH FILE FIRST BEFORE RUNNING THIS.

    inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim has always helped me tracking down the directory where the mailer is.

    Last week I was cleaning a WordPress install with infected files; the InMotion command couldn't detect it. When I looked into the files there was just a single line of PHP with a var, without base64. My assumption is that the hacker is using remote domains to execute the PHP.

    The commands in that InMotion tutorial are not about infected files. They check the Exim maillog and then show the directories from which scripts were executed to send emails, and the number of emails that were sent from those directories.

    Yup, I tried those commands and they returned /usr/bin/some folder, and there is nothing there.
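An added example, not the InMotion command itself and not code from the thread, covering both Sady's description of the Exim check and robohost's case where the reported directory was useless. Exim records the working directory of whatever invoked sendmail as cwd= when log_selector includes +arguments, which is the cPanel default; counting those entries per directory is what the InMotion one-liner does. That breaks when the mailer changes directory first or runs from a shared system location, which is what a result under /usr/bin looks like. PHP's own mail.log ini directive records the script path and line for every mail() call regardless of the working directory, so the second function counts that instead, and a third lists recently changed PHP files under wp-content/uploads, a directory WordPress never puts PHP in. The account names, log lines and the /var/log/php_mail.log path are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread or the InMotion article): locate the
# mailer from two logs. All paths and log content below are constructed samples.

# Exim's main log carries "cwd=<dir>" for each local sendmail invocation when
# log_selector includes +arguments (cPanel default). Count invocations per
# directory, skipping Exim's own spool deliveries; busiest directory last.
top_sending_dirs() {  # top_sending_dirs <exim_mainlog>
    grep ' cwd=' "$1" | grep -v ' cwd=/var/spool' \
        | sed -n 's/.* cwd=\([^ ]*\) .*/\1/p' | sort | uniq -c | sort -n
}

# PHP's mail.log (ini directive mail.log) records every mail() call as
#   [14-Jul-2017 10:23:45 UTC] mail() on [/path/script.php:12]: To: ... -- Headers: ...
# so the script is named even when cwd= points somewhere useless.
top_sending_scripts() {  # top_sending_scripts <php mail.log>
    sed -n 's/.*mail() on \[\([^]]*\):[0-9]*\]:.*/\1/p' "$1" | sort | uniq -c | sort -n
}

# WordPress keeps no PHP under wp-content/uploads; any .php there that changed
# in the last N days (default 7) is worth reading before deleting.
recent_php_in_uploads() {  # recent_php_in_uploads <docroot> [days]
    find "$1/wp-content/uploads" -type f -name '*.php' -mtime -"${2:-7}" 2>/dev/null
}

# Constructed sample logs plus a fake docroot for the demo and the checks.
write_sample_logs() {  # write_sample_logs <dir>
    cat > "$1/exim_mainlog" <<'EOF'
2017-07-14 10:23:45 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-07-14 10:23:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dVxyz-0001Ab-C3
2017-07-14 10:24:01 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-07-14 10:24:30 cwd=/home/beta/public_html 3 args: /usr/sbin/sendmail -t -i
2017-07-14 10:25:12 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF
    cat > "$1/php_mail.log" <<'EOF'
[14-Jul-2017 10:23:45 UTC] mail() on [/home/acme/public_html/wp-content/uploads/2017/07/wp-cache.php:3]: To: victim@example.net -- Headers: From: info@acme.example
[14-Jul-2017 10:24:01 UTC] mail() on [/home/acme/public_html/wp-content/uploads/2017/07/wp-cache.php:3]: To: other@example.org -- Headers: From: info@acme.example
[14-Jul-2017 10:24:30 UTC] mail() on [/home/beta/public_html/contact.php:41]: To: owner@beta.example -- Headers: From: form@beta.example
EOF
    mkdir -p "$1/acme/wp-content/uploads/2017/07"
    printf '<?php /* constructed stand-in for a dropped mailer */\n' \
        > "$1/acme/wp-content/uploads/2017/07/wp-cache.php"
}

# Demo. On a real cPanel box: top_sending_dirs /var/log/exim_mainlog, and
# top_sending_scripts on whatever file mail.log points at (assumed path below).
demo=$(mktemp -d)
write_sample_logs "$demo"
echo "== sendmail invocations per working directory"; top_sending_dirs "$demo/exim_mainlog"
echo "== mail() calls per script";                     top_sending_scripts "${PHP_MAIL_LOG:-$demo/php_mail.log}"
echo "== recently changed PHP under uploads";          recent_php_in_uploads "$demo/acme"
```

mail.log goes in php.ini and the target file must be writable by the users PHP runs as; it fills quickly on a busy box, so rotate it. Neither log sees a script that opens its own socket to a remote port 25: that traffic never passes through Exim or mail(), which is what CSF's SMTP_BLOCK is for.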

  • DewlanceVPS Member, Provider

    If you also provide reseller hosting and the same customer violates your rules again and again, then terminate the whole reseller account.

    I think there is a function which notifies you if anyone starts sending too many emails. I can't remember which function allows this option, to get notified if they cross X amount of emails per minute or hour.

  • Sady said: Have a look: https://github.com/saadismail/wp-clean/

    I will check this.

    sureiam said: I see no need for legit phpmail now except laziness to get smtp working properly.

    There are some custom coded applications too which use phpmail. So I can't turn it off globally.

    DewlanceVPS said: get notified If cross x amount

    CSF will send notifications. I'm already using it.
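An added example, not code from the thread, showing where OBHost's "spam block in CSF" and the per-script alert threshold Dewlance was thinking of live in csf.conf. SMTP_BLOCK restricts outbound port 25 to root, the MTA and the users you list, which matters here because cPanel's "Max hourly emails per domain" limit is enforced inside Exim: a script that opens its own connection to a remote mail server never goes through Exim and is never counted. LF_SCRIPT_ALERT and LF_SCRIPT_LIMIT make lfd report any directory whose scripts hand Exim more than the limit in an hour (using the same cwd= entries in exim_mainlog), and LF_SCRIPT_PERM makes that directory unexecutable until someone looks at it. The functions edit whatever file they are given; /etc/csf/csf.conf is the usual location and the sample file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: the csf.conf settings behind
# "spam block in CSF" and the per-script mail alerts. Works on the file you
# pass; the live one is /etc/csf/csf.conf (assumed path).

# Set KEY = "VALUE", replacing an existing line or appending one. csf.conf
# uses exactly this KEY = "VALUE" shape, so no other quoting is handled.
csf_set() {  # csf_set <csf.conf> <key> <value>
    if grep -q "^$2 = " "$1"; then
        sed -i.bak "s|^$2 = .*|$2 = \"$3\"|" "$1" && rm -f "$1.bak"
    else
        printf '%s = "%s"\n' "$2" "$3" >> "$1"
    fi
}

csf_get() {  # csf_get <csf.conf> <key>
    sed -n "s/^$2 = \"\(.*\)\"$/\1/p" "$1" | tail -n 1
}

# Outbound port 25 only for root, exim and the users/groups CSF lists, so a
# script speaking SMTP to remote hosts itself is cut off. lfd then reports any
# directory whose scripts give Exim more than LF_SCRIPT_LIMIT messages in an
# hour and, with LF_SCRIPT_PERM, makes that directory unexecutable.
harden_csf_mail() {  # harden_csf_mail <csf.conf>
    csf_set "$1" SMTP_BLOCK 1
    csf_set "$1" SMTP_ALLOWLOCAL 1     # connections to the local MTA stay allowed
    csf_set "$1" LF_SCRIPT_ALERT 1
    csf_set "$1" LF_SCRIPT_LIMIT 100
    csf_set "$1" LF_SCRIPT_PERM 1
    # An account that legitimately needs direct SMTP goes in SMTP_ALLOWUSER
    # (comma-separated usernames); everyone else stays blocked.
}

# Demo on a constructed copy: the weak defaults before, hardened values after.
# On the real box: harden_csf_mail /etc/csf/csf.conf && csf -ra
demo=$(mktemp -d)
printf 'SMTP_BLOCK = "0"\nSMTP_ALLOWLOCAL = "1"\nLF_SCRIPT_ALERT = "0"\nLF_SCRIPT_LIMIT = "100"\n' > "$demo/csf.conf"
echo "before: SMTP_BLOCK=$(csf_get "$demo/csf.conf" SMTP_BLOCK) LF_SCRIPT_ALERT=$(csf_get "$demo/csf.conf" LF_SCRIPT_ALERT)"
harden_csf_mail "$demo/csf.conf"
echo "after:"; cat "$demo/csf.conf"
```

SMTP_BLOCK alone does nothing about mail handed to Exim through mail(), which the hourly limit and the LF_SCRIPT_* alerts still cover; the two mechanisms close different paths, so enable both.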

  • Francisco Top Provider

    rsk said: But, I do not know what @francisco has to say? :P

    Personally I don't care too much. The system blocks the emails before they even send, so it doesn't matter to me. Once in a while I'll audit the log and throw in some htaccess rules on infected sites to clean them up, but thankfully with the new WordPress anti-brute I put in place it has cut down how many reinfections happen after a cleanup.

    Francisco
