Sending Spam via PHP script

I recently had a complaint of 'abuse' , with my mail server sending out spam.  First, one of my users complained that email was bouncing back, then Linode notified me that I'd been flagged for abuse.  I also found that Spamcop had blacklisted my server.  In the Abuse report from Linode, this line stood out:  X-PHP-Originating-Script: 33:.page93.php(241) : eval()'d code I didn't catch on right away, but that's a warning that a php file (.page93.php) is sending out the email.  This clicked with me when I Googled around and stumbled into this post (http://goo.gl/9l7wmk).   To confirm, I followed these steps:  

  • running 'mailq' at the command line told me there were 3,700+ emails in the queue.  That alone should have been a sign.  
  • copied the message ID of one of them, and ran 'postcat -vq [messageId] | less' so I could look for that  'X-PHP-Originating-Script' line.  It was there, and when I repeated this test for a few more, I found it was there every time.  
  • I ran 'find -name ".page93.php /" and that turned up exactly one entry, in a ckeditor uploads folder.  
  • Googling around showed that I must have missed a ckeditor vulnerability warning along the way - this isn't an uncommon problem, apparently.
  • To increase safety, I made some permissions adjustments in Apache, too, as described here: http://stackoverflow.com/questions/9133024/www-data-permissions

Add new comment

The content of this field is kept private and will not be shown publicly.

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Add new comment

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.