PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.

All times are UTC - 5 hours

PostPosted: Sat Oct 08, 2011 8:02 pm 
Forum Newbie

Joined: Sat Oct 08, 2011 7:19 pm
Posts: 2
Hey guys,
New to the forum so I'll introduce myself. I'm Jugal, a freelance web developer from Mumbai, India.
Apart from making websites, I also offer web hosting to my clients.

I have a dedicated server running Windows Server 2008 with IIS 7 and Parallel Plesk installed.
I have more than 250 domains hosted here, most of which process PHP forms and thus use the mail() function.

There has been an attack on my server where one of the PHP scripts containing the mail() function is being exploited to send spam to random email IDs. I have been getting bounceback emails from the invalid IDs this bot is sending spam to. So far, the count has been more than 12,000.

I suspect the method described here is being used to carry out this operation: ... t&p=121159
So maybe one of my clients used a weak PHP email script which a hacker (bot) is enjoying using to send spam. (Or maybe not?)

Now, what I want to do is hunt down the vulnerable mail() function responsible for this. Finding "mail()" using Notepad++ seems unreasonable, as among the 250 domains many are ecommerce scripts, form processors, WordPress blogs, etc., adding up to more than 1,000 search results, and it would be impossible to check them all manually.

Anyone have any idea how I do this? Is there a tool for Windows / Apache to monitor all SMTP requests and trace them to the responsible domain / .php file?
Or can we write a PHP program or anything to monitor the same?

Or just ANY solution to hunt down the responsible domain at least, so that I can delete it.

I'm very tense. Hopefully, since it's the weekend, I have 2 days to fix this, else my clients are going to call up and complain about that spam.

Hoping for a solution here!
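A practical hook for the question above, added here as an example and not part of the original post: PHP (5.3 and later) can log every mail() call itself, on Windows as well as Unix, when php.ini sets `mail.log = <file>`, and `mail.add_x_header = On` additionally stamps each outgoing message with an X-PHP-Originating-Script header, so the script name also shows up in the bounces. The script below parses such a mail.log and ranks scripts by number of sends and by how many distinct recipient domains they hit; a form handler mailing dozens of unrelated domains is the candidate. The log lines are constructed for the example, and the Plesk-style path layout (`C:\inetpub\vhosts\<domain>\httpdocs\...`) used to map a script to its domain is an assumption.

```python
"""Attribute PHP mail() calls to the calling script using PHP's mail.log.

php.ini (PHP >= 5.3):
    mail.log = C:\\php_mail.log
    mail.add_x_header = On

Sample lines are CONSTRUCTED for this example; the vhost path layout is an
assumed Plesk-for-Windows layout, not something taken from the thread."""
import re
from collections import Counter, defaultdict

# Line format written by PHP's mail.log:
# "[dd-Mon-YYYY HH:MM:SS TZ] mail() on [<file>:<line>]: To: <to> -- Headers: <hdrs>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<file>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)

SAMPLE_MAIL_LOG = r"""
[08-Oct-2011 20:02:11 UTC] mail() on [C:\inetpub\vhosts\shopone.example\httpdocs\contact.php:42]: To: a1b2@randomhost1.invalid -- Headers: From: noreply@primary.example
[08-Oct-2011 20:02:12 UTC] mail() on [C:\inetpub\vhosts\shopone.example\httpdocs\contact.php:42]: To: zz9@randomhost2.invalid -- Headers: From: noreply@primary.example
[08-Oct-2011 20:02:12 UTC] mail() on [C:\inetpub\vhosts\shopone.example\httpdocs\contact.php:42]: To: qq@randomhost3.invalid -- Headers: From: noreply@primary.example
[08-Oct-2011 20:03:40 UTC] mail() on [C:\inetpub\vhosts\blogtwo.example\httpdocs\wp-includes\pluggable.php:1000]: To: owner@blogtwo.example -- Headers: From: wordpress@blogtwo.example
"""


def parse_mail_log(text):
    """Yield one dict (ts, file, line, to, headers) per parsable mail.log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def vhost_of(path):
    """Map a script path to its Plesk vhost directory name (assumed layout)."""
    m = re.search(r"[\\/]vhosts[\\/]([^\\/]+)[\\/]", path)
    return m.group(1) if m else "(unknown)"


def rank_senders(text):
    """Count mail() calls per script location and per vhost, and count the
    distinct recipient domains each script mailed. Legitimate form handlers
    mail one or two fixed addresses; a spam relay mails many domains."""
    per_script = Counter()
    per_vhost = Counter()
    rcpt_domains = defaultdict(set)
    for rec in parse_mail_log(text):
        key = f"{rec['file']}:{rec['line']}"
        per_script[key] += 1
        per_vhost[vhost_of(rec["file"])] += 1
        for addr in re.split(r"[,;\s]+", rec["to"]):
            if "@" in addr:
                rcpt_domains[key].add(addr.rsplit("@", 1)[1].lower())
    return per_script, per_vhost, {k: len(v) for k, v in rcpt_domains.items()}


if __name__ == "__main__":
    scripts, vhosts, domains = rank_senders(SAMPLE_MAIL_LOG)
    for script, n in scripts.most_common():
        print(f"{n:6d} sends  {domains[script]:4d} rcpt domains  {script}")
    for vhost, n in vhosts.most_common():
        print(f"{n:6d} sends from vhost {vhost}")
```

Point the script at the real mail.log once it has collected a few minutes of traffic; the top entry by distinct recipient domains is the file to take offline first, and its vhost tells you which client to call.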


PostPosted: Sat Oct 08, 2011 8:25 pm 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
My first check would be, if you have any WordPress sites, make sure they and all of their plugins are up to date. I had a site running a (not too far) out-of-date copy of WP, and they were making calls to the site passing it $_POST['file'] (or something similar), and whatever was in there was getting that site to send out a bunch of spam. I never did get to track down the specifics; I had to move on to other things once that exploit was blocked.

The way I traced it was taking the exact timestamp of a few reported emails, checking the mail log to make sure what time the server got the command to send them (in case the sending was delayed due to load), and then checking across all 250+ access_logs for calls within a minute of that timestamp. It took a while and was tedious, but I'm a geek that loves tracking things like that down.

Unfortunately I have no clue how it all works on a Windows machine, so sorry I can't help you more, but the WP problem we saw came to mind.

Good luck! (and welcome to the forum)
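The correlation the reply above describes by hand, written out as an added example (not code from the poster): take the send times of a few known spam messages from the mail log, then scan every vhost's access_log for requests within a minute of each and rank them. A path that turns up next to every spam burst, typically a POST from one IP, is the abused script. The log lines and vhost names are constructed for the example, and the Apache combined log format and the UTC-5 server timezone are assumptions (an IIS W3C log would need a different regex).

```python
"""Correlate known spam send times with requests across many vhost access_logs.

All log lines and hostnames below are CONSTRUCTED for this example.
Access logs are assumed to be Apache combined format; spam send times are
taken from the mail log in UTC, and the web server is assumed to log in -0500."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache combined log; the bracketed timestamp is "%d/%b/%Y:%H:%M:%S %z".
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)

SPAM_SEND_TIMES = [  # from the mail log, UTC (constructed)
    datetime(2011, 10, 8, 20, 2, 11, tzinfo=timezone.utc),
    datetime(2011, 10, 8, 20, 2, 12, tzinfo=timezone.utc),
    datetime(2011, 10, 8, 20, 41, 5, tzinfo=timezone.utc),
]

ACCESS_LOGS = {  # one access_log per vhost (constructed)
    "shopone.example": (
        '203.0.113.7 - - [08/Oct/2011:15:02:10 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"\n'
        '203.0.113.7 - - [08/Oct/2011:15:02:11 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"\n'
        '203.0.113.7 - - [08/Oct/2011:15:41:04 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"\n'
        '198.51.100.20 - - [08/Oct/2011:09:15:00 -0500] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"\n'
    ),
    "blogtwo.example": (
        '198.51.100.44 - - [08/Oct/2011:15:02:30 -0500] "GET /2011/10/post.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"\n'
        '198.51.100.44 - - [08/Oct/2011:12:00:00 -0500] "GET /feed/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
    ),
}


def parse_access_ts(ts):
    """'08/Oct/2011:15:02:10 -0500' -> timezone-aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def requests_near(spam_times, access_logs, window=timedelta(seconds=60)):
    """Return (hits, ips): hits counts (vhost, method, path) for every request
    that falls within `window` of any spam send time; ips counts the client
    addresses behind those requests. Aware datetimes make the UTC/-0500
    comparison correct without manual offset arithmetic."""
    hits = Counter()
    ips = Counter()
    for vhost, text in access_logs.items():
        for raw in text.splitlines():
            m = ACCESS_RE.match(raw)
            if not m:
                continue  # skip unparsable lines rather than abort the whole scan
            t = parse_access_ts(m["ts"])
            if any(abs(t - s) <= window for s in spam_times):
                hits[(vhost, m["method"], m["path"])] += 1
                ips[m["ip"]] += 1
    return hits, ips


if __name__ == "__main__":
    hits, ips = requests_near(SPAM_SEND_TIMES, ACCESS_LOGS)
    print("requests co-occurring with spam sends:")
    for (vhost, method, path), n in hits.most_common():
        print(f"{n:5d}  {vhost:20s} {method:5s} {path}")
    print("client IPs:", ips.most_common(3))
```

Noise such as the blogtwo.example GET is expected inside a 60-second window; what separates the real culprit is that it recurs at every spam timestamp, so feed the function ten or twenty send times rather than two or three and read only the top of the ranking.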


PostPosted: Sat Oct 08, 2011 9:00 pm 
Forum Newbie

Joined: Sat Oct 08, 2011 7:19 pm
Posts: 2
Thanks for the quick reply Greg.
I have email logs that show those emails being sent. They just have an IP address, 'to' and 'from' among other unnecessary data.
The 'to' fields are random email IDs and the 'from' fields appear to be a non-existent email ID on my primary domain name.
Will that help?

I have Apache installed anyway, so I'll have a look at the access_logs and see if I can find something.

Thanks again.

Powered by phpBB® Forum Software © phpBB Group