#1 | 03 Feb 2014, 23:32 | JacquiiDesigns
 
Join Date: Dec 2008
Location: Tennessee
Real name: Jacquii Cooke
Spam Generated from vBulletin php Mail -- Account Compromised?!

While investigating an issue with my mail server, I've found something quite curious and a bit upsetting in the Mail Queue Manager in WHM ... It looks like there's some spam being generated from the ******** account via the vBulletin PHP mail form:



Here's the Extended Header code:

Date: Tue, 21 Jan 2014 11:26:23 -0500
From: ********
Subject: Spend $12 and earn up to $4000 a week... GUARANTEED!!
Auto-Submitted: auto-generated
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="ISO-8859-1"
Message-ID: <20140121162553.c0c0dea600f4@www.********.com>
MIME-Version: 1.0
Received: from nobody by vps.********.com with local (Exim 4.80)
    (envelope-from <nobody@vps.********.com>)
    id 1W5e9f-0008Ju-0p; Tue, 21 Jan 2014 11:26:23 -0500
Return-Path: ********
To: sord1992@gmail.com, sordinska@gmail.com, sorinsas60@gmail.com, sornpong24@gmail.com, sorokamail@mail.ru, sorrell116@bellsouth.net, sorrell116@yahoo.com, sory_mal@yahoo.com, soshanya@gmail.com, sosna345@gmail.com, soso09@ediffmail.com, sosumi02@gmail.com, soswalker@gmail.com, soubanpk@hotmail.com, sougatadas56@gmail.com, souhail40@gmail.com, souissihoucine12@yahoo.fr, soul_lich10@yahoo.com, SOUL010683@HOTMAIL.COM, soul100@hotmail.co.uk, soule990@aol.com, soulhealer12@hotmail.com, soulplayca@gmail.com, soulsanogo2007@yahoo.fr, soulsearch3r@gmail.com, ----SNIP - there appear to be hundreds more email addresses listed here...
X-Mailer: vBulletin Mail via PHP
X-Priority: 3
-------------------
vBulletin does not automatically generate such code. This seems malicious and should NOT be happening.

My server admin has told me the following:

This indicates that there may have been a vBulletin webmaster account compromise. The last occurrence appears to be from Jan. 21. Unfortunately, the DSO PHP handler does not have logs, so we cannot determine what component of vBulletin is at fault.
Any additional ideas on what could cause this and how to fix the issue so it never occurs again will be very much appreciated!

J.
Attached image: possible-spam.png (30.9 KB)
__________________
Call For Submissions. Come share your poetry & writing at JPiC Forum.
JPiC Forum For Writers | Celebrating Diversity With The Typed Word
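Added triage example (not code from the thread or from vBulletin): it parses a queued-message header of the kind pasted above and flags the two signs that point to abuse of the forum's mail function rather than a legitimate member mail, namely a vBulletin X-Mailer carrying a long To: list, and a local submission with envelope-from nobody (the web server user under a DSO handler). The sample header, host names, recipient addresses and the recipient threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the queued message in the post above;
# recipient addresses and host names are invented placeholders.
SAMPLE_HEADER = """\
Date: Tue, 21 Jan 2014 11:26:23 -0500
From: board@forum.example
Subject: Spend $12 and earn up to $4000 a week... GUARANTEED!!
Auto-Submitted: auto-generated
Received: from nobody by vps.forum.example with local (Exim 4.80)
\t(envelope-from <nobody@vps.forum.example>)
\tid 1W5e9f-0008Ju-0p; Tue, 21 Jan 2014 11:26:23 -0500
To: u1@example.net, u2@example.org, u3@example.com,
\tu4@example.net, u5@example.org, u6@example.com
X-Mailer: vBulletin Mail via PHP
X-Priority: 3

(body omitted)
"""

# Assumed threshold: member-to-member and "Contact Us" mails address a
# single recipient, so a long To: list on such a mail is already anomalous.
MAX_RECIPIENTS = 5


def analyse_header(raw):
    """Return recipient count, envelope sender and a list of findings."""
    msg = message_from_string(raw)
    # Unfold the To: value(s) before handing them to the address parser.
    to_values = [" ".join(v.split()) for v in msg.get_all("To", [])]
    recipients = [addr for _, addr in getaddresses(to_values) if addr]
    m = re.search(r"envelope-from <([^>]+)>", msg.get("Received", ""))
    envelope_from = m.group(1) if m else None
    findings = []
    if msg.get("X-Mailer") == "vBulletin Mail via PHP":
        if len(recipients) > MAX_RECIPIENTS:
            findings.append("bulk To: list on a vBulletin-generated mail")
        if envelope_from and envelope_from.startswith("nobody@"):
            findings.append("submitted locally by the web server user")
    return {"recipients": len(recipients),
            "envelope_from": envelope_from,
            "findings": findings}


if __name__ == "__main__":
    print(analyse_header(SAMPLE_HEADER))
```

Run it over each message in the Exim queue (or the WHM Mail Queue Manager export) to separate legitimate single-recipient forum mail from the bulk entries that need removing.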
#2 | 03 Feb 2014, 23:39 | ozzy47
 
Join Date: Aug 2009
Real name: Chris
1) Don't allow guests to email users.

2) ACP --> Settings --> Options --> Site Name / URL / Contact Details, find the setting "Allow Unregistered Users to use 'Contact Us'" and set it to "No".

3) Your forum might have been compromised. Run the Suspect File Versions tool and look for anything suspicious, most notably, anything that says File does not contain expected contents. If there's anything that says File not recognized as part of vBulletin, that's normal, as it's from modifications you have. Just make sure all those modifications are modifications you installed yourself.
__________________
You can get access to my 180 mods for vB 3.6 - 4.x at The Admin Zone as well as the professional support you are used to. New vBulletin Spider Definitions, vBulletin Spiders List Hits 1000 Spiders! ​ OzzModz down. Site has had a data breach, checking how the intrusion happened. Change your PW if you use the same one on my site and others.
#3 | 03 Feb 2014, 23:42 | Max Taxable
 
Join Date: Feb 2011
Excuse me for asking also, but didn't you just publish the email addresses of some of your users in an open forum?
#4 | 03 Feb 2014, 23:45 | ozzy47
 
Join Date: Aug 2009
Real name: Chris
Ohhh, and you may want to run this query to get rid of any more emails:


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

If you are using a table prefix, be sure to add it before mailqueue.
#5 | 03 Feb 2014, 23:50 | ForceHSS
 
Join Date: Apr 2008
If you think you have been hacked, then follow this. But you would be best to follow post 2, as it looks like that is your problem.

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
#6 | 04 Feb 2014, 20:47 | JacquiiDesigns
 
Join Date: Dec 2008
Location: Tennessee
Real name: Jacquii Cooke
Thanks so much for the tips Chris and ForceHSS. Much appreciation!

Originally Posted by Max Taxable:
Excuse me for asking also but, didn't you just publish the email addresses of some of your users in a open forum?
No I didn't. I would never do such a thing.

For clarification: The spam email had NOT been sent to forum members, but rather to email addresses that appear to be compiled from a generic mail list. The email address listed in the op is part of that generic mail list.

Thanks again guys. Off to do more troubleshooting.

J.
#7 | 04 Feb 2014, 20:50 | ozzy47
 
Join Date: Aug 2009
Real name: Chris
Please report back any findings, so we can see what's going on.