
We have a server with 300+ websites on it, and it has gotten an abuse letter from SpamCop. We have investigated the logs and searched for the PHPMailer version stated in the mail, and all came up with nothing.

I was wondering if there is a chance for some sort of phpmailer script that is obfuscated or encoded, and how to find it. I am running NeoPi and Web Shell Detector, but so far nothing comes up.

Is there a way to monitor the outgoing port 25 and filter it by the domain name? The domain which the emails are supposed to be coming from is clean; I suspect that other code is using this domain because of its DKIM, SPF, etc.

Return-Path: <dianne.l@*****.com>
X-Original-To: x
Delivered-To: x
Received: by truhi.net (Postfix, from userid 132)
    id 5BB8510057D; Sat, 29 Jul 2017 11:35:05 +0300 (EEST)
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on truhi.net
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=3.1 tests=HTML_MESSAGE autolearn=ham
    autolearn_force=no version=3.4.1
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=**.**.**.***; helo=a.**.com; envelope-from=dianne.l@*****.com; receiver=<UNKNOWN> 
X-Greylist: delayed 319 seconds by postgrey-1.36 at truhi; Sat, 29 Jul 2017 11:35:04 EEST
Received: from a.**.com (mail.**.com [**.**.**.***])
    by truhi.net (Postfix) with ESMTP id 0D6C4100164
    for <x>; Sat, 29 Jul 2017 11:35:02 +0300 (EEST)
Received: by a.**.com (Postfix, from userid 33)
    id 3075E922488; Sat, 29 Jul 2017 11:29:35 +0300 (IDT)
To: x
Subject: Enter our club as a lover
Date: Sat, 29 Jul 2017 11:29:35 +0300
From: "Dianne L." <dianne.l@*****.com>
Message-ID: <7fee________________________c316@www.*****.com>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_7feee464828bc148486a4b82f280c316"
Content-Transfer-Encoding: 8bit
Sniffleh
  • Have you used iptables to block outgoing (tcp) packets from the apache/php user? [deny by default, allow some by specific exceptions] Have you allowed outgoing connections to port 25 ONLY from the postfix user? It is possible that emails are sent directly (without postfix's help) and the headers are faked. – AnFi Aug 02 '17 at 20:13
  • Hey, thanks for the reply. That's a good idea. Though if I'd block it I would still need to find the security hole. Any idea for that? – Sniffleh Aug 02 '17 at 20:17
  • Would Wireshark work for you? – Colt Aug 02 '17 at 22:14
  • Hey, Colt. I have managed to fix this issue as described in the answer. Thank you very much! – Sniffleh Aug 03 '17 at 13:26

1 Answer


I ended up using PHP's mail.log directive in php.ini, and found the bad script.

Sniffleh
  • btw, don't think this was a dupe, since it was a hacked WordPress account that just needed to be detected. All other anti-spam tactics were in use – Sniffleh Sep 01 '17 at 02:03
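The answer's approach works because the `Received: by a.**.com (Postfix, from userid 33)` line in the quoted headers shows the message entered Postfix from the web-server user through the local sendmail path, which is exactly the call that PHP's `mail.log = /path/to/mail.log` directive records (script path and line for every `mail()` call); `mail.add_x_header = On` additionally stamps each message with an `X-PHP-Originating-Script` header. On a 300-site box the log is long, so the useful step is to summarise it: which script sends how much, and which script sends mail as a domain other than the one it is hosted under, which is the question's suspicion. The following is an added example, not code from the original post or from PHP; it assumes a `/var/www/vhosts/<domain>/...` hosting layout (the `vhost_of` helper encodes that assumption), the mail.log line format as PHP writes it (`[date] mail() on [script:line]: To: ... -- Headers: ... -- Subject: ...`, the Subject part being present only on newer PHP versions), and constructed sample log lines with made-up paths and addresses.

```python
"""Triage PHP's mail.log: messages per script, and scripts sending as a foreign domain.

Added example for this question, not the original poster's code.
Run with a real log path as the first argument, or without arguments to use
the constructed sample below.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the layout PHP uses for mail.log (paths,
# addresses and timestamps are invented for this example).
SAMPLE_LOG = """\
[29-Jul-2017 11:29:35 Europe/Athens] mail() on [/var/www/vhosts/shop-example.com/httpdocs/wp-content/uploads/2017/07/cache.php:14]: To: victim@example.net -- Headers: From: "Dianne L." <dianne.l@good-example.com>
[29-Jul-2017 11:29:36 Europe/Athens] mail() on [/var/www/vhosts/shop-example.com/httpdocs/wp-content/uploads/2017/07/cache.php:14]: To: other@example.org -- Headers: From: "Dianne L." <dianne.l@good-example.com>
[29-Jul-2017 11:30:01 Europe/Athens] mail() on [/var/www/vhosts/good-example.com/httpdocs/wp-includes/pluggable.php:478]: To: admin@good-example.com -- Headers: From: WordPress <wordpress@good-example.com> -- Subject: [Site] Password Reset
"""

# One log line: timestamp, script:line, recipient, raw headers, optional subject.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*?)(?: -- Subject: (?P<subject>.*))?$"
)
# Address inside a From: header, with or without angle brackets; group 2 is the domain.
FROM_RE = re.compile(r"From:[^<\n]*<?([^>\s,]+@([^>\s,]+))>?", re.IGNORECASE)

# Assumption: writable upload/cache paths are where dropped mailer scripts usually live.
UPLOAD_DIR_MARKERS = ("/uploads/", "/cache/", "/tmp/")


def vhost_of(script_path, vhost_root="/var/www/vhosts/"):
    """Assumed hosting layout /var/www/vhosts/<domain>/... -> <domain>, else None."""
    if not script_path.startswith(vhost_root):
        return None
    return script_path[len(vhost_root):].split("/", 1)[0].lower()


def parse_mail_log(text):
    """Turn mail.log text into a list of events; lines that do not parse are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        fm = FROM_RE.search(m.group("headers"))
        from_domain = fm.group(2).lower() if fm else None
        if from_domain and from_domain.startswith("www."):
            from_domain = from_domain[4:]
        events.append({
            "script": m.group("script"),
            "to": m.group("to"),
            "from_domain": from_domain,
            "vhost": vhost_of(m.group("script")),
        })
    return events


def scripts_sending_as(events, domain):
    """The question's filter: every script that has sent mail with a From: in `domain`."""
    domain = domain.lower()
    return {e["script"] for e in events if e["from_domain"] == domain}


def triage(events):
    """Per-script message count plus flags worth a look.

    'from-domain-mismatch': the From: domain is not the vhost the script lives in
    (one site's code sending as another site's domain, the case in the question).
    'upload-dir': the script sits under a writable upload/cache path.
    """
    counts = Counter(e["script"] for e in events)
    flags = defaultdict(set)
    for e in events:
        if e["from_domain"] and e["vhost"] and e["from_domain"] != e["vhost"]:
            flags[e["script"]].add("from-domain-mismatch")
        if any(marker in e["script"] for marker in UPLOAD_DIR_MARKERS):
            flags[e["script"]].add("upload-dir")
    return {s: {"count": counts[s], "flags": sorted(flags[s])} for s in counts}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = triage(parse_mail_log(text))
    for script, info in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{info['count']:6d}  {','.join(info['flags']) or '-':24s}  {script}")
```

On the sample, the script under `wp-content/uploads/` is the one sending as `good-example.com` while living in `shop-example.com`'s document root, which is the pattern the question describes; `scripts_sending_as(events, "good-example.com")` answers the "filter by domain" question directly from the log rather than from port 25 traffic, where the script path is no longer visible. The file referenced by `mail.log` must be writable by the PHP user, and a mailer that talks SMTP itself (PHPMailer can, via `isSMTP()`) bypasses `mail()` and never appears in this log, which is why the iptables owner-match suggested in the comments complements it.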