Exploited Scripts in WordPress Sends Spam

How do I deal with spam-sending cPanel accounts? I can't globally disable the PHP mail function as it's important for many other users.

This is what I tried so far.

1) Tried to limit email with the Max hourly emails per domain option: somehow they are bypassing this limit and sending 1000s of mails.

2) Tried to disable phpmail for a specific account using a custom php.ini: I'm using suPHP but it's not disabling the mail function.

I don't want to suspend them or use suspend_outgoing_email command. Just want to disable their phpmail functionality.


Comments

  • dwtbfdwtbf Member

    if (Wordpress) {
        Refund();
    }

  • If the account is sending out spam why not suspend the account, seems that this would be a normal practice. God bless you!

    Thanked by 1Aidan
  • I had an exploited WordPress install and installed malware detection software (maldetect); it identified the impacted PHP files.
    It identified two files which were sending mails by the dozen. I deleted the files and things are back to normal.

  • ljseals said: why not suspend the account

    ramesh_vish said: software(maldetect)

    I'm trying to find a way to restrict phpmail by either whitelisting or blacklisting.

  • rskrsk Member, Patron Provider

    ramesh_vish said: I had an exploited Wordpress install and installed a malware detection software(maldetect), it identified impacted php files. It identified two files which were sending mails by the dozen. I deleted the files and things are back to normal.

    Remember, this is not a real solution. If they managed to upload a php script, then you should patch up that exploit. Deleting files is pointless when they can reupload them :)

    Thanked by 1netomx
  • rskrsk Member, Patron Provider

    ljseals said: If the account is sending out spam why not suspend the account, seems that this would be a normal practice. God bless you!

    It could very well be that the client has no idea about wordpress, or security in general. This could be done behind his back. Not him intentionally sending out spam. Seen it with many shared hosting clients, especially the ones that add WP plugins by the dozen.

    Thanked by 2Dumbledore ljseals
  • rsk said: It could very well be that the client has no idea about wordpress, or security in general. This could be done behind his back. Not him intentionally sending out spam. Seen it with many shared hosting clients, especially the ones that add WP plugins by the dozen.

    This is the case.

  • FalzoFalzo Member

    @stolipeach said:

    rsk said: It could very well be that the client has no idea about wordpress, or security in general. This could be done behind his back. Not him intentionally sending out spam. Seen it with many shared hosting clients, especially the ones that add WP plugins by the dozen.

    This is the case.

    contact the client, tell him, make him care.
    it keeps being his responsibility to secure his website/software.

    if he does not react or care, get rid of him or make him pay for managed services.

    taking countermeasures behind the back of the client instead of solving the real cause and making him aware IMHO can't be the right solution anyways...

  • Falzo said: contact the client, tell him, make him care.

    These are small business owners. They don't even know what WordPress is. Their sites are designed by novice designers at a small one-time cost. I don't have any contact with them.

    I don't know why custom php.ini is not working for disabling phpmail function.

  • KuJoeKuJoe Member, Host Rep

    @stolipeach said:

    Falzo said: contact the client, tell him, make him care.

    These are small business owners. They even don't know what Wordpress is. Sites are designed by novice designers at a small one time cost. I don't have any contact with them.

    You have bigger problems than a hacked Wordpress if you have no way to get in contact with the people using your servers.

  • KuJoe said: people using your servers

    They have no access to the server now.

  • joepie91joepie91 Member, Patron Provider

    stolipeach said: These are small business owners. They even don't know what Wordpress is. Sites are designed by novice designers at a small one time cost.

    That is their problem. Their site, their hired designer, their responsibility. Not yours.

  • joepie91 said: That is their problem. Their site, their hired designer, their responsibility. Not yours.

    I know. I'm trying to do the maximum help I can.

  • joepie91joepie91 Member, Patron Provider
    edited July 2017

    @stolipeach said:

    joepie91 said: That is their problem. Their site, their hired designer, their responsibility. Not yours.

    I know. I'm trying to do the maximum help I can.

    Please don't do that for people who are being actively negligent. All it does is rewarding negligent behaviour, because "somebody will be there to clean it up for me anyway". By all means give them an explanation about what went wrong, and how to go about getting it fixed, answering questions about things that are unclear - but don't take the job upon yourself to do the fixing yourself.

    In the end, your customers need to understand that they bear responsibility for the things they put online, and that they bear the responsibility for the people they hire, designers included. This is simply not your concern, nor is it beneficial to anybody to make it your concern - that way, the customer will never stop being negligent, and you'll have to keep cleaning up their mess.

    In other words: you'll help them the most by explaining their responsibilities to them in a way that they 1) can understand (with a non-technical background) and 2) can use to actually get the issue resolved quickly (by making concrete recommendations about who to hire to clean it up, for example). In the long run, that's the only viable solution - you want prevention, not remediation.

    Thanked by 2Dumbledore Falzo
  • Can anyone tell me why php.ini / user.ini is not disabling the mail function? Am I missing anything? I use suPHP.

  • joepie91 said: Please don't do that for people who are being actively negligent. All it does is rewarding negligent behaviour, because "somebody will be there to clean it up for me anyway". By all means give them an explanation about what went wrong, and how to go about getting it fixed, answering questions about things that are unclear - but don't take the job upon yourself to do the fixing yourself.

    In the end, your customers need to understand that they bear responsibility for the things they put online, and that they bear the responsibility for the people they hire, designers included. This is simply not your concern, nor is it beneficial to anybody to make it your concern - that way, the customer will never stop being negligent, and you'll have to keep cleaning up their mess.

    In other words: you'll help them the most by explaining their responsibilities to them in a way that they 1) can understand (with a non-technical background) and 2) can use to actually get the issue resolved quickly (by making concrete recommendations about who to hire to clean it up, for example). In the long run, that's the only viable solution.

    I know this won't help in the long run. I just wanted to give them some time instead of terminating the accounts directly. Anyway, I'm going to suspend the accounts and inform them about the issues.

    Thanked by 2joepie91 ljseals
  • OBHostOBHost Member, Host Rep

    @stolipeach said:
    How to deal with spam sending cPanel accounts. I can't globally disable phpmail function as its important for many other users.

    This is what I tried so far.

    1) Tried to limit email with Max hourly emails per domain option: Somehow they are bypassing this limit and sending 1000's of mail.

    2) Tried to disable phpmail for a specific account using custom php.ini: I'm using suphp but it's not disabling mail function.

    I don't want to suspend them or use suspend_outgoing_email command. Just want to disable their phpmail functionality.

    The same happened with one of our clients. He changed his (WordPress) website template and updated his theme, and after 2 days 1000s of emails were being sent from his account to .ru addresses.
    The sending limit was 120; cPanel didn't block it or stop the emails.

    We enabled the spam block in CSF and changed the user's password, and didn't get that issue again on that account.

    Thanked by 1Dumbledore
  • OBHost said: Same happen with our one of client,

    I have around 10+ exploited accounts. I just suspended them all. I'm done with this!

    Moreover, I just found out that ini directives can't disable the mail function.

    http://php.net/manual/en/ini.list.php

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    This is why we wrote our send mail script.

    Francisco

    Thanked by 1Dumbledore
  • ljsealsljseals Member
    edited July 2017

    @rsk said:

    ljseals said: If the account is sending out spam why not suspend the account, seems that this would be a normal practice. God bless you!

    It could very well be that the client has no idea about WordPress, or security in general. This could be done behind his back. Not him intentionally sending out spam. Seen it with many shared hosting clients, especially the ones that add WP plugins by the dozen.

    I would choose to suspend the account and inform the website owner of the problems. A small business owner would not want to be responsible for sending out mass spam e-mail. If you relay the problem to the person and advise how to correct the issues, either by paying extra or by hiring outside development to fix the problem, it should not be a problem.

    I do not believe that it would be the responsibility of the web host to ensure that their WordPress site is totally secure unless they have some type of specialized WordPress hosting. I would not terminate the account but would word it in such a way that repeat violations would cause the termination of the account.

    When you are talking spam mail you are talking massive fines, and I would not prolong their site by looking for alternative "band-aid" solutions. Suspend the account... nothing wrong with that... until contact is made, but it should be the web owner's responsibility. If they do not take responsibility, I believe you are then within your right to terminate the account.

  • HxxxHxxx Member

    Follow @Francisco's approach. Francisco, tell the kids. Thanks.

    Thanked by 1Francisco
  • ljsealsljseals Member
    edited July 2017

    Also, when I started with my own servers I contacted someone off Fiverr who stated that he could set up my server with Nginx and X-Cart. When I looked at the website, he had installed WordPress. While it may not have been the case with the provider on Fiverr, it may be a tactic, or better a ruse, to install WordPress to send spam e-mail, claim to have been hacked on the backend to absolve themselves from criminal activity, and continue with your services.

  • Francisco said: send mail script

    Yeah. I remember someone saying BuyShared limits phpmail long time ago. I didn't know you wrote your own script for that. I always thought it was some ini directive.

    ljseals said: I do not believe that it would be the responsibility of the web host to ensure that their WordPress site is totally secure unless that have some type of specialized WordPress hosting. I would not terminate the account but would word it in such a way that repeat violations would cause for the termination of the account.

    I've been hosting these accounts for more than two years and there was no issue. They started sending emails 1 week ago. I chmod'd the files but new files started popping up after two days.

    I have suspended all accounts now and notified them.

    Thanked by 1ljseals
  • FranciscoFrancisco Top Host, Host Rep, Veteran

    stolipeach said: Yeah. I remember someone saying BuyShared limits phpmail long time ago. I didn't know you wrote your own script for that. I always thought it was some ini directive.

    Nope, sorry!

    Francisco

    Thanked by 1Hxxx
  • HxxxHxxx Member

    Top notch

    @Francisco said:

    stolipeach said: Yeah. I remember someone saying BuyShared limits phpmail long time ago. I didn't know you wrote your own script for that. I always thought it was some ini directive.

    Nope, sorry!

    Francisco

  • Buy a reseller package from BuyShared and move the compromised site there. Problem solved.

  • rskrsk Member, Patron Provider

    robohost said: Buy a reseller package from BuyShared and move the compromised site there. Problem solved.


    Albeit they solved the spam thing on their end, I do not think that is a great idea.

    From a host perspective, I prefer to host a secure site on my servers. Not one that is hacked and just moved over.

    But, I do not know what @francisco has to say? :P

    Thanked by 1Dumbledore
  • JanevskiJanevski Member
    edited July 2017

    Warn and if it doesn't get better terminate service for the offending user/spammer.

    If you are extra nice you could give partial refund for the unused service period.

    If you are ultra nice you could migrate such users on a cPanel server with disabled mail or blocked smtp, but it's a waste of time.

    Thanked by 1Dumbledore
  • SadySady Member

    Have a look: https://github.com/saadismail/wp-clean/

    MUST GO THROUGH BASH FILE FIRST BEFORE RUNNING THIS.

    inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim has always helped me tracking down the directory where the mailer is.

    Thanked by 1Dumbledore
  • @Sady said:
    Have a look: https://github.com/saadismail/wp-clean/

    MUST GO THROUGH BASH FILE FIRST BEFORE RUNNING THIS.

    inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim has always helped me tracking down the directory where the mailer is.

    Last week I was cleaning a WordPress install with infected files; the InMotion command couldn't detect it. When I looked into the files there was just a single line of PHP with a var, without base64. My assumption is the hacker is using remote domains to execute the PHP.
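The exim mainlog triage that the InMotion article linked above performs (counting sendmail invocations per working directory) is shown here as an added Python example, not code from either poster or from InMotion. The log lines are constructed, the account names are placeholders, and it goes slightly beyond the one-liner by mapping each directory back to its cPanel account:

```python
import re
from collections import Counter

# Constructed sample of exim mainlog lines. cPanel's exim logs a "cwd=" line
# for every sendmail invocation (log_selector +arguments); the "<=" line is an
# ordinary delivery record with no cwd and is ignored. Paths are placeholders.
SAMPLE_LOG = """\
2017-07-20 10:00:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dXkQz-0001Ab-Cd
2017-07-20 10:00:02 cwd=/home/shopuser/public_html/wp-content/uploads/2017/07 4 args: /usr/sbin/sendmail -t -i
2017-07-20 10:00:02 cwd=/home/shopuser/public_html/wp-content/uploads/2017/07 4 args: /usr/sbin/sendmail -t -i
2017-07-20 10:00:03 cwd=/home/blogger/public_html 4 args: /usr/sbin/sendmail -t -i
2017-07-20 10:00:03 1dXkR0-0001Ac-De <= bob@example.org H=localhost [127.0.0.1]
2017-07-20 10:00:04 cwd=/home/shopuser/public_html/wp-content/uploads/2017/07 4 args: /usr/sbin/sendmail -t -i
"""

# date time cwd=<dir> <argc> args: <argv...>
CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$")


def sending_dirs(log_text, ignore_prefixes=("/var/spool",)):
    """Count sendmail invocations per working directory.
    Exim's own queue-runner invocations under /var/spool are skipped, exactly
    as the InMotion one-liner does with grep -v."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if not m:
            continue
        cwd = m.group(2)
        if cwd.startswith(ignore_prefixes):
            continue
        counts[cwd] += 1
    return counts


def account_of(cwd):
    """Map a /home/<account>/... path to the cPanel account name, else None."""
    parts = cwd.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "home" else None


def triage(log_text, threshold=2):
    """Return (cwd, account, count) rows at or above threshold, busiest first.
    A directory whose count dwarfs the account's hourly limit is the spam
    mailer's location described in the thread."""
    rows = [(cwd, account_of(cwd), n)
            for cwd, n in sending_dirs(log_text).items() if n >= threshold]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for cwd, acct, n in triage(SAMPLE_LOG):
        print(f"{n:6d}  {acct or '-':12s} {cwd}")
```

This locates the directory the mailer runs from, not the file itself; as the reply above notes, the script there may be a single unobfuscated line that signature tools miss, so list the PHP files in that directory by modification time and read them.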
