  #1 Member (joined Jul 2011, 95 posts)
    I developed a website for a client who has just got in touch with me regarding an email he has received from his hosting provider.
    Their first email stated that numerous malicious emails were sent out from his domain from an email address (which doesn't exist), and their second email stated that a WordPress plugin had become compromised and emails were being sent from this.
    They have now taken the website down so as the developer, I have had to get in touch with them and await their reply.
    Firstly, the email address in the email header that they attached for us does not exist on the server, no email addresses have been created.
    Secondly, the plugin in question has not been installed by myself or the site owner; it's called wp-plugin-repo-stats.
    We opted to use "Mint" for stats so I know he would not have installed this.

    How would someone have got into the site to install this? Is there anything else I need to do to make this more secure?

    Adrian

  #2 mlseim, WDF Staff (Cottage Grove, Minnesota; joined Apr 2004, 7,717 posts)
    I would question whether the emails were really sent using the webhost's server.

    I can send an email to anyone using: buyme@adrianjones.com

    The email would appear to be from that email address, but the header information with the email would show my webhost's server and the IP location on that server. Anyone getting the email without technical skills would assume the email came from the domain name "adrianjones.com".

    If you would like me to demonstrate that, private message me with your real email address and I'll send you a sample spam email with a fake email address. You can then view the email header information and see what I'm talking about.

    Another possibility is that other PHP files have been added to your directories that use your server. You should view your directories and sort by date. See if anything has been added or updated lately that you were not a part of. Check your .htaccess files carefully for anything added, and also look at the file dates for those. It would be nice to know if you can find out when it all started happening.

    And it would be really nice if you could get a copy of an email, especially the header information, that they are talking about.

    Yet another possibility is that your webhost mistakenly thought the emails were from your site, but it is really someone else's site on their shared webhost. Like cops that do a drug bust and kick in the door of the house with the same house number but the wrong street.


  #3 Webzarus, Senior Member (South Carolina Coast; joined May 2011, 3,322 posts)
    #1. The email account does not have to exist for mail to come from it. Depending on how your hosting provider is set up, the only qualifier for SMTP or PHP sendmail to work is that it have an email address with @yourdomainname.com specified.

    #2. A WP site can be accessed numerous ways, and without knowing your exact setup, whether the WP package was up to date, whether all your permissions on sub folders were set correctly, whether your client can actually install anything .... There are numerous ways it can happen.

    I as well as anyone else commenting here will be just guessing at how exactly it happened.

    As a DEVELOPER you should always have a full site backup of the working files, as well as full and incremental backups of the DB itself. So when (not if) this happens, you can delete the site files, push up your backup copy, purge the DB of any recent comments that may have contributed to the issue, and you're up and going again.

  #4 Member (joined Jul 2011, 95 posts)
    Hi Max

    The email header is as follows:

    Return-Path: <bounce@fastmail.fm>
    X-Original-To: fastmailcomp@senderscore.net
    Delivered-To: fastmailcomp@senderscore.net
    Received: from mxe.senderscore.net (mxe.lan.senderscore.net [10.8.2.151]) by
    pard.lan.senderscore.net (Postfix) with ESMTP id 2247F938 for
    <fastmailcomp@senderscore.net>; Wed,3 Apr 2013 23:40:05 -0600 (MDT)
    Received: from forward2-smtp.messagingengine.com
    (forward2-smtp.messagingengine.com [66.111.4.226]) by mxe.senderscore.net
    (Postfix) with ESMTP id E1220BA0 for <fastmailcomp@senderscore.net>; Wed,3
    Apr 2013 23:40:04 -0600 (MDT)
    Received: from imap23.nyi.mail.srv.osa (imap23.nyi.mail.srv.osa
    [10.202.2.73]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id
    B84EB20B64; Thu,4 Apr 2013 01:40:04 -0400 (EDT)
    Received: by imap23.nyi.mail.srv.osa (Postfix, from userid 99) id AFC0F20154;
    Thu,4 Apr 2013 01:40:04 -0400 (EDT)
    Received: from compute4.internal (compute4.nyi.mail.srv.osa [10.202.2.44]) by
    sloti23d5p2 (Cyrus git2.5+0-git-fastmail-9185) with LMTPA; Wed, 03 Apr 2013
    15:00:38 -0400
    Received: from mx3.nyi.mail.srv.osa ([10.202.2.202]) by compute4.internal
    (LMTPProxy); Wed, 03 Apr 2013 15:00:38 -0400
    Received: from cust-smtp-195.fasthosts.co.uk (smtp-out-60.livemail.co.uk
    [213.171.216.60]) by mx3.messagingengine.com (Postfix) with ESMTP id
    C9351740FDB for <aliceishere@fastmail.fm>; Wed,3 Apr 2013 15:00:37 -0400
    (EDT)
    Received: from linweb05.linvh1.fasthosts.co.uk (unknown [88.208.252.196]) by
    cust-smtp-195.fasthosts.co.uk (Postfix) with ESMTP id 3DD5419C241 for
    <aliceishere@fastmail.fm>; Wed,3 Apr 2013 20:00:36 +0100 (BST)
    Received: from linweb05.linvh1.fasthosts.co.uk
    (linweb05.linvh1.fasthosts.co.uk [127.0.0.1]) by
    linweb05.linvh1.fasthosts.co.uk (Postfix) with ESMTP id 2607734CFE for
    <aliceishere@fastmail.fm>; Wed,3 Apr 2013 20:00:36 +0100 (BST)
    Received: (from user_1064221083@localhost) by linweb05.linvh1.fasthosts.co.uk
    (8.13.8/8.13.8/Submit) id r33J0ZvE025820; Wed, 3 Apr 2013 20:00:35 +0100
    Date: Wed, 3 Apr 2013 20:00:35 +0100
    Message-ID: <201304031900.r33J0ZvE025820@linweb05.linvh1.fasthosts.co.uk>
    X-Authentication-Warning: linweb05.linvh1.fasthosts.co.uk: user_1064221083
    set sender to eula_lowe@siteurl.org using -f
    To: "Alice Smith" <aliceishere@fastmail.fm>
    Subject: Teen tit**** teacher
    From: "Eula Lowe" <eula_lowe@siteurl.org>
    Reply-To: "Eula Lowe" <eula_lowe@siteurl.org>
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: 8bit

    You can see the from: and reply-to: both contain an email address from the domain which doesn't actually exist.

    I have since found out that they are generated from a plugin that has been installed somehow by someone, not myself or the site owner. I have now deleted this but have found several log files from this plugin that look like it has sent an email every couple of seconds for the past 8 days.

    Have a look at the attached error_log file and also the plugins log file from today...

    I'm just waiting for the host to get back to me and hopefully will put this site back online ASAP; I can then monitor it over the next few days.
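Walking the Received chain in the header above from the bottom up is what settles the question raised earlier in the thread: was the From address merely forged on someone else's server, or was the mail injected on the web host itself? The following is an added example, not code from any poster; it uses a trimmed copy of the header quoted above as constructed input, and the names trace_origin and verdict are the example's own.

```python
import email
import re

# Constructed from the header quoted above: the Received chain trimmed to the
# hops that matter, Subject omitted. Newest hop is on top, as in a real message.
RAW_HEADER = """Return-Path: <bounce@fastmail.fm>
Received: from forward2-smtp.messagingengine.com (forward2-smtp.messagingengine.com [66.111.4.226]) by mxe.senderscore.net (Postfix) with ESMTP id E1220BA0 for <fastmailcomp@senderscore.net>; Wed, 3 Apr 2013 23:40:04 -0600 (MDT)
Received: from cust-smtp-195.fasthosts.co.uk (smtp-out-60.livemail.co.uk [213.171.216.60]) by mx3.messagingengine.com (Postfix) with ESMTP id C9351740FDB for <aliceishere@fastmail.fm>; Wed, 3 Apr 2013 15:00:37 -0400 (EDT)
Received: from linweb05.linvh1.fasthosts.co.uk (unknown [88.208.252.196]) by cust-smtp-195.fasthosts.co.uk (Postfix) with ESMTP id 3DD5419C241 for <aliceishere@fastmail.fm>; Wed, 3 Apr 2013 20:00:36 +0100 (BST)
Received: (from user_1064221083@localhost) by linweb05.linvh1.fasthosts.co.uk (8.13.8/8.13.8/Submit) id r33J0ZvE025820; Wed, 3 Apr 2013 20:00:35 +0100
X-Authentication-Warning: linweb05.linvh1.fasthosts.co.uk: user_1064221083 set sender to eula_lowe@siteurl.org using -f
From: "Eula Lowe" <eula_lowe@siteurl.org>
Reply-To: "Eula Lowe" <eula_lowe@siteurl.org>

"""

# SMTP hops read "from <client> ... by <relay>"; the local-submission hop that
# sendmail writes on the web server reads "(from <unix user>@localhost) by <host>".
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")
SUBMIT_RE = re.compile(r"\(from\s+([^@\s)]+)@localhost\)\s+by\s+(\S+)")
FWARN_RE = re.compile(r"(\S+)\s+set sender to\s+(\S+)\s+using -f")


def trace_origin(raw):
    """Walk the Received chain oldest-first and report where the mail really entered."""
    msg = email.message_from_string(raw)
    # Every relay prepends its own Received header, so the last one is the first hop.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    report = {"from_header": msg["From"], "chain": [], "local_user": None,
              "origin_host": None, "forged_envelope_sender": None}
    for hop in hops:
        m = SUBMIT_RE.search(hop)
        if m:  # injected by a local process (e.g. PHP mail()), not received over SMTP
            report["local_user"], report["origin_host"] = m.group(1), m.group(2)
            report["chain"].append(("local:" + m.group(1), m.group(2)))
            continue
        m = HOP_RE.search(hop)
        if m:
            report["chain"].append((m.group(1), m.group(2)))
    m = FWARN_RE.search(msg.get("X-Authentication-Warning", ""))
    if m:  # sendmail noted the sender address was set with -f, i.e. chosen by the caller
        report["forged_envelope_sender"] = m.group(2)
    return report


def verdict(report):
    """Tell a forged From relayed from elsewhere apart from mail injected on the web host."""
    if report["local_user"]:
        return "submitted locally on %s by %s" % (report["origin_host"], report["local_user"])
    return "relayed from %s" % report["chain"][0][0]
```

The first hop here is a local submission by a unix user on linweb05, with sendmail's own warning that the sender was set with -f, which is what a script on the web server (rather than a third party forging the domain) looks like.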

  #5 TheGAME1264, Unpaid WDF Intern (Not from USA; joined Dec 2002, 14,483 posts)
    The host will not put it back up ASAP if you've been compromised and haven't fixed the problem. You're going to either have to do something to fix the problem or at least indicate that you have a plan to deal with it. They may grant access to your IP to allow it to be fixed, but that's about it.

    What I'm guessing happened is that WP wasn't updated. So that would be your first step. Update WP and all plugins that you installed. Every one of them. No exceptions.

    Step 2: change any and all passwords. In the event that the hack occurred via FTP or some other service, you'll want to deal with that. Ideally, you'll want to come up with a combination of mixed case letters, numbers, and symbols (something like WebDesignForums#2013).

    Step 3: remove or disable any plugins and services you're not using. If you don't need it, kill it.

    Step 4: update WP or your plugins whenever there's an update. This, unfortunately, is the curse of using something such as WP. It's insecure and gets exploited. You'll have to deal with that, or build a better mousetrap.

    Now, this won't actually tell you what happened. Chances are you're not going to figure out what happened or who's responsible. This should, however, fix the issue and prevent future recurrence.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  #6 mlseim, WDF Staff (Cottage Grove, Minnesota; joined Apr 2004, 7,717 posts)
    Good you found the offending plug-in. Hard to tell if security was breached because of your WordPress scripting, or the webhost's server. I had to switch webhosts one time because files were getting placed in everyone's website (not just mine). Make sure your WordPress site is the latest version also.


  #7 Webzarus, Senior Member (South Carolina Coast; joined May 2011, 3,322 posts)
    8 days? Wow, it really took them that long to see that... I guess they all shouldn't be taking 7 day vacations at the same time.

    And it probably took them a while once someone reported the domain to Spamhaus. And they in turn came to your hosting provider and told them they would all be blacklisted if they didn't take some action.

    The slowness of response speaks volumes...

    I know there are some that speak smack about some hosting providers putting a limit on SMTP relays for a 24 hour period... But in this case, it would have mitigated the damage, and guaranteed the site would have been disabled and secured at a much earlier stage.

  #8 Member (joined Jul 2011, 95 posts)
    TheGAME1264 - I have since found the culprit was a plugin installed by someone, somewhere, somehow, and this has been removed via FTP - I can now proceed with tightening security.

    Webzarus - It was going on for 8 days, but the host warned the site owner on the 2nd day; however, he is out of the country and could only get access to email at a certain hotspot on a certain day, therefore I couldn't action it until today, which is the 8th day.

    Looking at the error_log via FTP, this line keeps appearing every 20 seconds:
    [Tue Apr 09 15:52:50 2013] [error] [client 217.125.187.226] File does not exist: /home/linweb05/o/oldcryptians.org/user/htdocs

    What could this mean?

    And also the other log file, which is in a "logfiles" folder on the root (don't know how this was generated but it was created when this all started): this line is still occurring every 20 seconds or so too...
    - [09/Apr/2013:15:52:50 +0100] "POST /wp-content/plugins/wp-plugin-repo-stats/returnRKq.php HTTP/1.1" 404 251 "-" "Mozilla/5.0"

    The plugin this path refers to has been deleted but this line was appearing when the plugin was there also.
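One way to pick that 20-second POST pattern out of a web-server access log is to look for request series from one client to one path that recur with a near-constant gap. The following is an added example, not code from the thread; it runs over a constructed sample log in the shape of the line quoted above, using documentation IP addresses, and parse and find_beacons are the example's own names.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log sample in the shape of the line quoted above;
# client IPs are documentation addresses, not the ones from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2013:15:52:50 +0100] "POST /wp-content/plugins/wp-plugin-repo-stats/returnRKq.php HTTP/1.1" 404 251 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2013:15:52:58 +0100] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.5 - - [09/Apr/2013:15:53:10 +0100] "POST /wp-content/plugins/wp-plugin-repo-stats/returnRKq.php HTTP/1.1" 404 251 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Apr/2013:15:53:30 +0100] "POST /wp-content/plugins/wp-plugin-repo-stats/returnRKq.php HTTP/1.1" 404 251 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2013:15:53:41 +0100] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.5 - - [09/Apr/2013:15:53:51 +0100] "POST /wp-content/plugins/wp-plugin-repo-stats/returnRKq.php HTTP/1.1" 404 251 "-" "Mozilla/5.0"
"""

# client ident authuser [timestamp] "METHOD path protocol" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(log):
    """Yield (client, timestamp, method, path, status) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), TIME_FMT)
            yield m.group(1), ts, m.group(3), m.group(4), int(m.group(5))


def find_beacons(log, min_hits=3, max_jitter=0.25):
    """Return (client, request, median_gap_s, hits, statuses) for request series that
    recur at a near-constant cadence: the look of a remote controller polling a
    dropped script, which keeps going (now as 404s) after the script is removed."""
    series = defaultdict(list)
    for client, ts, method, path, status in parse(log):
        series[(client, method, path)].append((ts, status))
    found = []
    for (client, method, path), hits in series.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if med > 0 and max(abs(g - med) for g in gaps) / med <= max_jitter:
            found.append((client, f"{method} {path}", med, len(hits),
                          sorted({s for _, s in hits})))
    return found
```

The 404 statuses in the result match what the thread sees after the plugin was deleted: the remote side keeps polling the path, so the log stays worth watching and the client is a candidate for blocking at the host.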

  #9 TheGAME1264, Unpaid WDF Intern (Not from USA; joined Dec 2002, 14,483 posts)
    Yeah, I saw that. My point was that just removing the plugin probably won't cut it with the host. They're going to want to see more security measures tightened first. That way, the threat of recurrence is minimized and the other customers on the server are protected (assuming it's a shared server).

    Unfortunately, I've gained quite a bit of experience in dealing with being on the bad side of a host, and usually you have to go beyond solving the problem to satisfy the host. It's good practice anyway, but hosts are especially anal about this.

  #10 Member (joined Jul 2011, 95 posts)
    I put a support ticket in earlier asking for it to go live, and have just updated it to inform them I had removed the plugin; he's just asked for confirmation of what I have removed and has said he will escalate this so the suspension is lifted. The database password is very cryptic, i.e. uH56%gf£4D etc., and I can't update WordPress or change the admin dashboard password until they activate it again anyway, so they will have to do this first before I can tell them I have resolved the security lapse.

