spammers add scripts to my site to send spam

Hi,

i know that spammers every so often create a few php scripts on my server, and then use them to send spam from my server.

I don’t know yet how they do it, as in, what exactly gives them access to be able to write scripts to my server.

The last time they tried, they put these php scripts on the server:

In the access log of “grancanariainfo” I found:

From then on, I get a lot of POSTs, which is somehow sending spam via my server. Here are a few lines from the access log:

How do I find out what exactly they use to be able to write scripts on my server?

Thanks!

Howdy,

That’s a good question, but it’s also a tricky one to figure out

It’s often done via a vulnerability in your website, or a plugin installed onto your website.

It could also get there by a bot guessing the admin password of your site, or FTP account.

Usually, it’s the first option though – a vulnerability.

I’d recommend starting by making sure your site and all the plugins are up to date.

You could also take a look at the timestampts on some of those PHP scripts, and then compare that to activity in your Apache access log for that domain. That may give you an idea of what was occurring on your site at the time those were uploaded.

-Eric

Thanks Eric, that’s what I was trying to show in my post
That I did match the times, and then in the access log. But it still doesn’t tell me much how exactly they got in (or I might be blind;) ), so what I meant was, with that info, time matched, is there info there which tells me what they are actually using to upload those scripts?

Thanks for your attention by the way, really appreciated!

Sorry I probably skimmed through that too quickly

I think what I’d do is view every action performed by the IP “176.31.124.155” as suspicion – and just grep the log file for that IP, and see what they begin doing at the moment they arrive.

However, that POST entry you showed here does appear suspicious:

176.31.124.155 - - [16/Mar/2015:20:24:10 +0100] "POST /media/k2/items/xml.php HTTP/1.1" 200 470 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

I’d be very curious what contents are in the file “/media/k2/items/xml.php”, it may be that it contains a vulnerability of some sort.

It’s not going to be possible to get specifics of what they’re doing. You won’t be able to see what occurred during that “POST” request. All you can see is that they performed a POST using that particular file.

So the next step is to review that file, and see if you can determine anything about it that doesn’t look quite right.

If it doesn’t look like outright malware, it may be that it contains a security flaw that they’re taking advantage of… you may want to make sure it’s at the newest revision.

-Eric

Based on what you post lex that should be joomla with k2 extension. Just to know k2 was reported several times in the past to be vulnerable to all kind of exploits including sql injections. You should check entire site including DB and see what damage is done but before that disable all plugins/extensions what you have installed if not the hacker could get back in no time.
If i was right about joomla maybe you could get better help on their forum as this doesnt have anything to do with virtualmin.

Thanks to both of you for your answers. Yes, that’s a joomla site with K2, but they said issues had been resolved and the site is running all the latest versions. I will go to joomla and ask there, but knew that my original question has more to do with the server, and I know people here know a lot more about servers than over at joomla.

But with the info I’ve gathered I can now go go to them and see what they tell me. I’ll check the xml.php file as well.

Thanks!!

Yes, that xml.php is a dodgy script:

(don’t know what it says yet, but my pc wouldn’t let me save this file for example)

I’ve searched for the ip address in the access log and am now investigating every file mentioned.

Thanks people!

Howdy,

Yeah looks like you’re on the right track there!

You’d definitely want to remove that xml.php script.

Now, how that xml.php script got there in the first place – that information may be lost if that was put there awhile ago. But you could also try the same thing with that script, review the timestamp of it, then look in the Apache logs to see if you can determine who put it there, and what they accessed to do so.

Also, if you haven’t already, you may want to ban the IP addresses you see trying to access those malicious scripts.

-Eric

So that “strange” code is:

$sF[4] = B
$sF[5] = A
$sF[9] = S
$sF[10] = E
$sF[6] = 6
$sF[3] = 4
$sF[11] = __
$sF[8] = D
$sF[10] = E
$sF[1] = C
$sF[7] = O
$sF[8] = D
$sF[10] = E

and

$sF[11] = __
$sF[0] = P
$sF[7] = O
$sF[9] = S
$sF[2] = T

So yeah, this is 100% hack and your site(s) and probably DB(s) are or could be compromised. Hacker just hide base64 decode so software what you could use to seek/spot the hack have hard time to find it. But i would not delete that file, instead prevent to be written and executed and then search in (all) files inside your public folder for “PCT4BA6ODSE_” and “base64_decode”. After you find all files copy them to your computer and then delete. Just in case you need them to find more compromised files or in case people from joomla or wordpress community need them to help you to repair the damage. This doesnt have anything to do with a server, your sites were hacked for some reason like nulled scipts & themes, old scripts, didnt properly secure your websites, etc… Like i said in my previous post maybe you could get better help from joomla and wordpress community because this problem (probably) started with one of this two CMS.

P.S. I put two " _ " because for some reason forum was changing them but actually “$sF[11]” is only one " _ ".