Website hacked, used as spam sender

Twice now, I’ve had user accounts hacked, with php files installed that allow the hacker to send email out through our server. The first one was rather easy to detect and remove, but this second attack proved much more difficult. Here’s how I finally succeeded.

First, as all of my web servers relay mail out through a mail server, I put a block on the IP Address, so the mail server would reject the spam and not send it on out. That solves the initial problem, but prevents legitimate mail from going out from that server.

Second, I used:

sudo postsuper -d ALL

to wipe out all of the queued mail. I followed that up with:

sudo postqueue -p

to retrieve the mail headers and, more important, the Queue IDs. With any of the queued messages that are obviously junk:

sudo postcat -q ZZZ

where ZZZ is the Queue ID. The result of that command is a dump of the message, including the full headers. In there is the originating source of the message. In my case it was:

X-PHP-Originating-Script: 70:class.php

A search through my web logs turned up one place where this URL had been hit heavily (a CMS Made Simple site hosted here) but examining the file didn’t immediately show me anything from which I could draw a conclusion.
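The queue inspection steps above can be run across every queued message at once to rank which scripts are generating mail. This is an added example, not part of the original post: the function names and the sample data are constructed, and it relies on PHP writing the header as the script owner's UID followed by the script file name (as in 70:class.php).

```shell
#!/bin/sh
# Added example: rank X-PHP-Originating-Script values across the Postfix queue.

# Extract queue IDs from `postqueue -p` output on stdin. Entry lines start with
# the ID (optionally suffixed * = active, ! = on hold) followed by a numeric
# size; the header, recipient and summary lines do not.
queue_ids() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ {
             sub(/[*!]$/, "", $1); print $1 }'
}

# Count X-PHP-Originating-Script values ("uid:script") in message dumps read
# from stdin and print "count value", most frequent first.
tally_php_origins() {
    awk '{ if (match(tolower($0), /^x-php-originating-script:[ \t]*/))
               n[substr($0, RLENGTH + 1)]++ }
         END { for (v in n) print n[v], v }' | LC_ALL=C sort -rn
}

# Live use on the mail server (run as root; needs Postfix, so not called here).
scan_queue() {
    postqueue -p | queue_ids | while read -r id; do
        postcat -q "$id"
    done | tally_php_origins
}

# Constructed sample data so the parsing can be checked offline.
sample_queue_listing() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B0C9D     1842 Tue Mar  3 02:14:07  www-data@web1.example.com
                                         someone@example.net

4A5B6C7D8E*    1850 Tue Mar  3 02:14:09  www-data@web1.example.com
                                         other@example.org

-- 4 Kbytes in 2 Requests.
EOF
}
sample_messages() {
cat <<'EOF'
X-PHP-Originating-Script: 70:class.php
Subject: constructed sample 1
x-php-originating-script: 1001:form.php
X-PHP-Originating-Script: 70:class.php
EOF
}

sample_queue_listing | queue_ids
sample_messages | tally_php_origins
```

The header carries only the file name, not its path, so the top entry still has to be matched against the web logs and the file system, as described above.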

But… scanning that directory turned up some other files, including a nice little page the hackers used to send mail:

[Image: Spam sending PHP script]

Further searching turned up another bit of trouble:

[Image: Hackers’ toolkit found on a customer’s site]

The customer (’s developer) has been informed and the files removed.
