Exploited Scripts in WordPress Sends Spam
Dumbledore
Member
in Help
How to deal with spam-sending cPanel accounts? I can't globally disable the phpmail function as it's important for many other users.
This is what I tried so far.
1) Tried to limit email with the "Max hourly emails per domain" option: somehow they are bypassing this limit and sending thousands of mails.
2) Tried to disable phpmail for a specific account using a custom php.ini: I'm using suPHP but it's not disabling the mail function.
I don't want to suspend them or use the suspend_outgoing_email command. I just want to disable their phpmail functionality.
Comments
if(Wordpress) {
Refund();
}
If the account is sending out spam, why not suspend the account? It seems that this would be normal practice. God bless you!
I had an exploited WordPress install and installed malware detection software (maldetect); it identified the impacted PHP files.
It identified two files which were sending mails by the dozen. I deleted the files and things are back to normal.
I'm trying to find a way to restrict phpmail by either whitelisting or blacklisting.
Remember, this is not a real solution. If they managed to upload a PHP script, then you should patch up that exploit. Deleting files is pointless when they can re-upload them.
It could very well be that the client has no idea about WordPress, or security in general. This could be done behind his back, not him intentionally sending out spam. I've seen it with many shared hosting clients, especially the ones that add WP plugins by the dozen.
This is the case.
Contact the client, tell him, make him care.
It remains his responsibility to secure his website/software.
If he does not react or care, get rid of him or make him pay for managed services.
Taking countermeasures behind the back of the client instead of solving the real cause and making him aware IMHO can't be the right solution anyway...
These are small business owners. They don't even know what WordPress is. The sites are designed by novice designers at a small one-time cost. I don't have any contact with them.
I don't know why a custom php.ini is not working for disabling the phpmail function.
You have bigger problems than a hacked WordPress if you have no way to get in contact with the people using your servers.
They have no access to the server now.
That is their problem. Their site, their hired designer, their responsibility. Not yours.
I know. I'm trying to do the maximum help I can.
Please don't do that for people who are being actively negligent. All it does is reward negligent behaviour, because "somebody will be there to clean it up for me anyway". By all means give them an explanation about what went wrong and how to go about getting it fixed, answering questions about things that are unclear, but don't take the job of doing the fixing upon yourself.
In the end, your customers need to understand that they bear responsibility for the things they put online, and that they bear responsibility for the people they hire, designers included. This is simply not your concern, nor is it beneficial to anybody to make it your concern; that way, the customer will never stop being negligent, and you'll have to keep cleaning up their mess.
In other words: you'll help them the most by explaining their responsibilities to them in a way that they 1) can understand (with a non-technical background) and 2) can use to actually get the issue resolved quickly (by making concrete recommendations about who to hire to clean it up, for example). In the long run, that's the only viable solution: you want prevention, not remediation.
Can anyone tell me why php.ini / .user.ini is not disabling the mail function? Am I missing anything? I use suPHP.
I know this won't help in the long run. I just wanted to give them some time instead of terminating the accounts directly. Anyway, I'm going to suspend the accounts and inform them about the issues.
The same happened with one of our clients. He changed his (WordPress) website template and updated his theme, and after 2 days thousands of emails were being sent from his account to .ru addresses.
The sending limit was 120; cPanel didn't block it or stop the emails.
We enabled the spam block in CSF and changed the user's password, and didn't get that issue again on that account.
I have around 10+ exploited accounts. I just suspended them all. I'm done with this!
Moreover, I just found out that ini directives can't disable the mail function.
http://php.net/manual/en/ini.list.php
This is why we wrote our own sendmail script.
Francisco
I would choose to suspend the account and inform the website owner of the problems. A small business owner would not want to be responsible for sending out mass spam e-mail. If you relay the problem to the person and advise how to correct the issues, either by paying extra or by hiring outside development to fix the problem, it should not be a problem.
I do not believe that it would be the responsibility of the web host to ensure that their WordPress site is totally secure unless they have some type of specialized WordPress hosting. I would not terminate the account but would word it in such a way that repeat violations would be cause for termination of the account.
When you are talking spam mail you are talking massive fines, and I would not prolong their site by looking for alternative "band-aid" solutions. Suspend the account... nothing wrong with that... until contact is made, but it should be the web owner's responsibility. If they do not take responsibility, I believe you are then within your rights to terminate the account.
Follow @Francisco's approach. Francisco, tell the kids. Thanks.
Also, when I started with my own servers I contacted someone off Fiverr who stated that he could set up my server with Nginx and X-Cart. When I looked at the website, he had installed WordPress. So while it may not have been the case with the provider on Fiverr, it may be a tactic, or rather a ruse, to install WordPress to send spam e-mail and claim to have been hacked on the backend, to absolve themselves of criminal activity and continue with your services.
Yeah. I remember someone saying a long time ago that BuyShared limits phpmail. I didn't know you wrote your own script for that. I always thought it was some ini directive.
I've been hosting these accounts for more than two years; there was no issue. It started sending emails a week ago. I chmodded the files, but new files started popping up after two days.
I have suspended all accounts now and notified them.
Nope, sorry!
Francisco
Top notch
Buy a reseller package from BuyShared and move the compromised site there; problem solved.
Albeit they solved the spam thing on their end, I do not think that is a great idea.
From a host perspective, I prefer to host a secure site on my servers. Not one that is hacked and just moved over.
But, I do not know what @francisco has to say? :P
Warn, and if it doesn't get better, terminate service for the offending user/spammer.
If you are extra nice you could give a partial refund for the unused service period.
If you are ultra nice you could migrate such users to a cPanel server with mail disabled or SMTP blocked, but it's a waste of time.
Have a look: https://github.com/saadismail/wp-clean/
MUST GO THROUGH BASH FILE FIRST BEFORE RUNNING THIS.
inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim has always helped me track down the directory where the mailer is.
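The technique behind that InMotion article is to read the cwd= field that exim_mainlog records for every locally submitted message and count how many came from each directory; a WordPress directory submitting hundreds of messages stands out at once. The script below is an added example written for this thread (it is not the InMotion one-liner and not code from anyone in the thread); the log lines it parses are constructed samples in exim_mainlog format, and the account names and paths in them are made up.

```bash
#!/bin/sh
# Added example: count the working directories (cwd=) that exim_mainlog records
# for messages submitted through the sendmail interface, skipping the mail
# spool, so a directory that submitted an unusual number of messages stands out.

# Constructed sample log lines in exim_mainlog format (not real traffic; the
# users "acme" and "bob" and the message id are made up).
SAMPLE_LOG='2014-06-10 10:01:02 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-06-10 10:01:03 1WuXyz-0001aB-Cd <= user@example.com U=acme P=local S=512
2014-06-10 10:01:05 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-06-10 10:02:11 cwd=/var/spool/exim 2 args: /usr/sbin/exim -Mc 1WuXyz-0001aB-Cd
2014-06-10 10:03:40 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2014-06-10 10:04:00 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i'

# Read log lines on stdin; print "count directory", least frequent first.
# /var/spool lines are exim's own delivery processes, not a submitting script.
count_cwd() {
    grep 'cwd=' | grep -v '/var/spool' \
      | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
      | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# The directory with the most submissions in the sample (the first place to look).
top_cwd() {
    printf '%s\n' "$SAMPLE_LOG" | count_cwd | tail -n 1 | awk '{print $2}'
}

# How many submissions that top directory made.
top_cwd_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_cwd | tail -n 1 | awk '{print $1}'
}

# Stand-alone run over the sample. On a live cPanel host you would instead pipe
# /var/log/exim_mainlog into count_cwd.
printf '%s\n' "$SAMPLE_LOG" | count_cwd
```

Once the directory is known, the files in it that were modified most recently (find -mtime) and any .php file under wp-content/uploads are the usual candidates; the same approach works on any MTA that logs the submitting process's directory.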
Last week I was cleaning a WordPress site with infected files. The InMotion command could not detect them; when I looked into the files there was just a single line of PHP with a variable, without base64. My assumption is that the hacker is using remote domains to execute the PHP.
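Signature-style scanning that looks for base64 blobs misses a one-line file like the one described here, so a cheap complementary heuristic is to look at where a PHP file sits and what it touches: a .php file under wp-content/uploads should not exist at all, and one that is a single line and reads a request superglobal deserves immediate attention. The script below is an added example for this thread (it is not part of wp-clean or any poster's tooling); it builds a constructed WordPress-like tree in a temporary directory with made-up file names and an inert one-liner, then scans it.

```bash
#!/bin/sh
# Added example: heuristic scan for PHP files under wp-content/uploads that are
# a single line long and read request data through a superglobal. Paths and
# file contents below are constructed sample data, not a real site.

SITE=$(mktemp -d)
trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/wp-content/uploads/2014/06" "$SITE/wp-content/plugins/hello"

# Benign plugin file: several lines, no superglobal access (never reported,
# because it is not under uploads).
printf '%s\n' '<?php' '/* Plugin Name: Hello */' 'function hello_greet() { return "hi"; }' \
    > "$SITE/wp-content/plugins/hello/hello.php"

# Inert one-liner in uploads that reads a request parameter; only its shape
# (location, one line, superglobal) matters for the demo.
printf '%s\n' '<?php $q=$_GET["q"]; echo strrev($q);' \
    > "$SITE/wp-content/uploads/2014/06/cache.php"

# Legitimate upload in the same directory: not PHP, so never listed.
printf 'GIF89a' > "$SITE/wp-content/uploads/2014/06/logo.gif"

# Every PHP file under uploads is listed for REVIEW; the ones that are one line
# and mention $_GET/$_POST/$_REQUEST/$_COOKIE are marked SUSPECT.
scan_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' | while read -r f; do
        lines=$(wc -l < "$f")
        if [ "$lines" -le 1 ] && grep -qE '\$_(GET|POST|REQUEST|COOKIE)' "$f"; then
            echo "SUSPECT $f"
        else
            echo "REVIEW  $f"
        fi
    done
}

# Number of SUSPECT hits, so the result can be checked rather than only printed.
suspect_count() {
    scan_uploads "$1" | grep -c '^SUSPECT'
}

scan_uploads "$SITE"
```

Pair this with a mtime window (find -newermt on the date the spam started) and with a web-server rule that refuses to execute PHP under uploads, which removes the hiding place rather than just finding files in it.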