Sending Spam via PHP script

I recently had a complaint of 'abuse', with my mail server sending out spam. First, one of my users complained that email was bouncing back, then Linode notified me that I'd been flagged for abuse. I also found that Spamcop had blacklisted my server. In the abuse report from Linode, this line stood out:

    X-PHP-Originating-Script: 33:.page93.php(241) : eval()'d code

I didn't catch on right away, but that's a warning that a PHP file (.page93.php) is sending out the email. This clicked with me when I Googled around and stumbled into this post (http://goo.gl/9l7wmk). To confirm, I followed these steps:

  • running 'mailq' at the command line told me there were 3,700+ emails in the queue. That alone should have been a sign.
  • copied the message ID of one of them, and ran 'postcat -vq [messageId] | less' so I could look for that 'X-PHP-Originating-Script' line. It was there, and when I repeated this test for a few more, I found it was there every time.
  • I ran 'find / -name ".page93.php"' and that turned up exactly one entry, in a ckeditor uploads folder.
  • Googling around showed that I must have missed a ckeditor vulnerability warning along the way - this isn't an uncommon problem, apparently.
  • To increase safety, I made some permissions adjustments in Apache, too, as described here: http://stackoverflow.com/questions/9133024/www-data-permissions
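
The queue check from the steps above, generalized to tally every queued message at once instead of inspecting message IDs one by one. This is an added example, not part of the original post: the function names and the sample headers are constructed, and it assumes Postfix's mailq and postcat as used above.

```shell
#!/bin/sh
# Added example, not from the original post: count which PHP scripts
# injected the mail sitting in the Postfix queue.

# stdin: `mailq` output. stdout: one queue ID per line.
# A queue entry starts with the ID (optionally flagged * or !) and a size.
queue_ids() {
    awk '/^[0-9A-Za-z]+[*!]?[ \t]/ && $2 ~ /^[0-9]+$/ {
             sub(/[*!]$/, "", $1); print $1 }'
}

# stdin: message text (e.g. from `postcat -q ID`).
# stdout: "uid script" for every X-PHP-Originating-Script header.
# The header value is "uid:script"; mail sent from eval()'d code appends
# "(line) : eval()'d code" to the script name, which is cut off here.
php_origins() {
    sed -n 's/.*X-PHP-Originating-Script: *\([0-9]*\):\([^(]*\).*/\1 \2/p' |
        sed 's/ *$//'
}

# stdin: "uid script" lines. stdout: "count uid script", busiest first.
tally() {
    sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Walk the live queue (needs root or the postfix user).
scan_queue() {
    mailq | queue_ids | while read -r id; do
        postcat -q "$id" 2>/dev/null | php_origins
    done | tally
}

# Constructed sample input: headers as they would appear in queued mail.
SAMPLE="X-PHP-Originating-Script: 33:.page93.php(241) : eval()'d code
Subject: constructed sample 1
X-PHP-Originating-Script: 33:.page93.php(241) : eval()'d code
Subject: constructed sample 2
X-PHP-Originating-Script: 33:contact.php"

if [ "${1:-}" = "--queue" ]; then
    scan_queue
else
    printf '%s\n' "$SAMPLE" | php_origins | tally
fi
```

Run with --queue on the mail server to scan the real queue; a single script name dominating the tally, especially one with a leading dot in an uploads folder, is the file to look for with find.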
2014-10-24, 12:10 pm
