Now - PHP --- Help Wiz

The machines we love to hate

Moderator: Wiz Feinberg

George Piburn
Posts: 2131
Joined: 1 Jul 2003 12:01 am
Location: The Land of Enchantment New Mexico

Now - PHP --- Help Wiz

Post by George Piburn »

Hello from GeorgeBoards

My email has been harvested, and now I am getting mail returns from all sorts of addresses where it is either blocked or no longer an active account on someone's list.

Same ole trick, love-interest type emails being sent out as if they are from me.

Just Hoping for some advice on how to make it stop.


I have my own email on a professional server (lunarpages)

georgeATgeorgeboardsDOTcom
Last edited by George Piburn on 3 Jan 2015 10:06 am, edited 1 time in total.
Wiz Feinberg
Posts: 6103
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

George. Before you take my answer as Gospel, please contact Lunarpages tech support and ask them to check your email server logs for signs of outgoing spam. In the event your credentials have been stolen, harvested, or guessed (by a dictionary attack on your passwords), the SMTP (outgoing email) log will reveal that your server is sending the spam. You will be told to change all passwords for the affected email accounts. This will stop the activity as soon as you save the new, unguessable passwords. Use a password generator supplied in the email section of cPanel.

Next, scan your PC for viruses and Trojans with an advanced anti-virus program. You didn't say whether you back up SAS with anything else. Trend Micro and Kaspersky are two companies that have online scanners (you have to download the engine to your PC).

Unless the first two suggestions prove true (hack/virus == 1), you may well just be the victim of what we in the anti-spam business call a "Joe Job." This is a commonplace situation where spammers acquire massive email databases. They almost always spoof the From and Return Path account to another innocent party. Here's how it works.

Spammer buys an up-to-date email database. He signs up as an affiliate for a Russian Dating scheme and is offered downloadable email templates that are modified every so often. He is told about services that will send x million spam messages in a single or ongoing campaign for x amount of BitCoins. He chooses the template, which grabs email addresses from the database and inserts To, From and Return Path names and accounts in the headers. It composes the message and sends the template to the spamming servers.

Many email servers check the source and reputation of the sending server, as well as checking for known email threats. Also, many are configured to bounce undeliverable messages to recipients with full inboxes, or closed accounts. Some may even bounce spam messages due to a misconfiguration, or misunderstanding of the mail server operators. If the messages a spammer sends have your borrowed account name in the From and Return path, any bounces from Mailer Daemons go to you.

That is a Joe Job. There isn't much you can do about it, other than deactivating the accounts being Joe Jobbed and creating new ones. Or, you can simply delete them off the mail server by creating a new rule via cPanel/Email/Account Filtering that auto deletes messages about undeliverable mail.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
George Piburn
Posts: 2131
Joined: 1 Jul 2003 12:01 am
Location: The Land of Enchantment New Mexico

Thanks Wiz

Post by George Piburn »

Thank you Wiz for all of this great education.

We are pretty good at stripping out PHP out of our web sites over at Lunar, which we do from time to time, and we keep a pretty close eye on that pile of dookie.

I use Malwarebytes to scan, quarantine and then destroy those types of threats; I scanned a few times recently and found no infections.

Pretty sure it is what you described as a Joe Job; we have had this before over the 20+ years we have been an online business.

I appreciate the tip on the cPanel Filtering solution.

Your responses are a wealth of knowledge that everyone can use to their advantage; hopefully this will help more than my situation. :D
Wiz Feinberg
Posts: 6103
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

George;
Glad to have helped.

I have created a handful of email filters that work on cPanel email accounts. I use them on Bluehost. I simply transpose my MailWasher Pro filters to what cPanel allows, which is not too shabby. Then I redirect to dev/null.

It's probably not a good idea to dev/null Mailer Daemon bounce notices, just in case they are valid for messages you were replying to. I sometimes find that people who submit comments and questions misplace a character here and there in their email address. When I try to reply, it bounces for wrong account prefixes.
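The Joe Job bounces described in the first reply and the caveat just above about not blindly discarding Mailer Daemon notices can be reconciled in code: keep a bounce only when the delivery-status report quotes a Message-ID you actually sent. This is an added illustration, not code from the forum or from cPanel; the sent-ID set and both DSN messages are constructed samples.

```python
import email
import re
from email import policy

# Constructed: Message-IDs of mail we really sent, as an MTA sent log would record them.
SENT_MESSAGE_IDS = {"<reply-1001@georgeboards.example>"}

# Constructed genuine bounce: our reply to a mistyped address came back as a DSN.
GENUINE_BOUNCE = b"""From: MAILER-DAEMON@mail.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/rfc822-headers

Message-ID: <reply-1001@georgeboards.example>
From: george@georgeboards.example
--b1--
"""

# Constructed Joe-Job backscatter: a DSN for spam that forged our From address.
BACKSCATTER = b"""From: MAILER-DAEMON@other.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: message/rfc822

Message-ID: <7f3a@spamcannon.example>
From: george@georgeboards.example

Looking for love...
--b2--
"""

MSGID_RE = re.compile(rb"^Message-ID:\s*(<[^>]+>)", re.I | re.M)

def classify_bounce(raw, sent_ids):
    """'keep' for a bounce of mail we sent, 'backscatter' for a bounce of mail we
    never sent, 'not-a-bounce' for anything that is not a DSN at all."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    is_dsn = (msg.get_content_type() == "multipart/report"
              or "mailer-daemon" in (msg.get("From") or "").lower())
    if not is_dsn:
        return "not-a-bounce"
    # The DSN carries the original message or its headers; match its Message-ID to what we sent.
    for part in msg.walk():
        if part.get_content_type() in ("message/rfc822", "text/rfc822-headers"):
            for mid in MSGID_RE.findall(part.as_bytes()):
                if mid.decode() in sent_ids:
                    return "keep"
    return "backscatter"
```

A bounce that quotes no Message-ID at all is classed as backscatter here; a softer policy would route those to a review folder instead of dev/null.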
George Piburn
Posts: 2131
Joined: 1 Jul 2003 12:01 am
Location: The Land of Enchantment New Mexico

PHP

Post by George Piburn »

A small topic drift, but since it is all related:

I just did my weekly PHP search and found 2 new ones; deleted them, of course. They were placed this morning at 10.30 am.

The domain is steelguitarcamp(dot)com; it is part of my Lunar.

I have done all of the password changes several times, and this is the main folder these bad guys seem to be able to get into.

Lunar has not been able to isolate just how they can get in there. I have redone cPanel PWs.

Somehow them Ruskies or whoever continue to provide this annoyance.
On this scam they tend to create Viagra-type spams, or at least in times before that was it. No malicious malware or virus infections, just a launching pad for their spam.
Wiz Feinberg
Posts: 6103
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

George, this is a whole nuther story. There have been non-stop automated attacks against pert near every publicly accessible website on earth, for at least a year or two. The people responsible use freely or commercially available hacking tools to probe for particular weaknesses in PHP scripts. The targets vary on a rotating basis.

For the last couple of weeks my raw access logs show daily attempts to PUT /nyet.gif on my server. This is followed by GET /nyet.gif. If the person running the server hasn't blocked PUT directives and doesn't block that file name, the GET will return a positive hit and send the domain name home to the cybercriminals running the attack. In a short time, other scripts will be uploaded to that server, or shared hosting website account.

In other attacks, vulnerable installations of WordPress and its numerous plug-ins are targeted. Look in your access logs for any attempts to GET or POST to /wp-admin, or /admin, or other control and config files and directories.

In the current exploit attacks, new administrator level accounts are added to WordPress, or Joomla, or other vulnerable CMS software or shopping carts frequently offered for free by web hosts. If files you delete are being recreated, carefully review your scripts to see if unexpected admin users were added. Change your password for administering your blog, shopping cart, guestbook/user contact forms. Change your passwords after deleting unwanted users.

In some cases you may have to destroy the entire website and restore it from a known good backup. Or, uninstall all PHP software, scan and remove bad files and JavaScript Includes, then reinstall afresh and create a new Admin password using a password generator. If possible, use a pass phrase, with spaces between words.

Finally, have your website fully scanned by Qualys or another safety scanner company. Until it is proved safe from malware, it is unsafe for your visitors and customers.
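The two log patterns Wiz describes above (a PUT followed by a GET of the same file name, and hits on /wp-admin, /admin and similar control paths) can be pulled out of a cPanel raw access log mechanically. This is an added example, not code from the forum; the log lines are constructed in Apache combined format, and the list of watched paths is an assumption to adjust to whatever is actually installed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache "combined" format cPanel raw access logs use.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2015:10:28:01 -0700] "PUT /nyet.gif HTTP/1.1" 405 231 "-" "-"
203.0.113.7 - - [03/Jan/2015:10:28:02 -0700] "GET /nyet.gif HTTP/1.1" 404 209 "-" "-"
198.51.100.9 - - [03/Jan/2015:10:30:15 -0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jan/2015:10:30:16 -0700] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Jan/2015:10:31:00 -0700] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Control and config paths worth watching (assumed list; add whatever your site actually runs).
WATCHED_PREFIXES = ("/wp-admin", "/wp-login.php", "/xmlrpc.php", "/admin", "/administrator")

def audit(log_text):
    """Return (ip, finding, path, status) tuples for each suspicious request."""
    findings = []
    put_paths = defaultdict(set)   # ip -> file names that ip tried to PUT
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        if method == "PUT":
            # A static or PHP site has no business accepting PUT; any attempt is a probe.
            put_paths[ip].add(path)
            findings.append((ip, "PUT attempt", path, status))
        elif method == "GET" and path in put_paths[ip]:
            # PUT followed by GET of the same file is the uploader checking whether it landed;
            # a 200 here means the file is really on the server.
            verdict = "UPLOAD LANDED" if status == "200" else "upload probe, file not served"
            findings.append((ip, verdict, path, status))
        if path.startswith(WATCHED_PREFIXES):
            findings.append((ip, "control path hit", path, status))
    return findings

def ips_to_review(findings):
    """Distinct client addresses behind the findings, for blocking or log correlation."""
    return sorted({f[0] for f in findings})
```

Run it over the real raw access log (cPanel offers them as a gzipped download) and treat any "UPLOAD LANDED" line as confirmation that the file named is sitting on the server.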
George Piburn
Posts: 2131
Joined: 1 Jul 2003 12:01 am
Location: The Land of Enchantment New Mexico

Many More Thanks

Post by George Piburn »

The WordPress was the next set of questions, so you already have addressed my concerns. Ahhh, like minds.

Fortunately my wife is the super tech on all of this, and is a code specialist.

I will give her all of this superb information and the counter strike will begin soonly.

Updates on this saga will follow as the progress occurs. Hopefully all of this conversation will help others too. :D

Many Thanks Blessings - Happy Merry

George -io
Wiz Feinberg
Posts: 6103
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Since I hit a nerve by mentioning WordPress, make absolutely certain that you have, or install the latest version, then turn on automatic updates.

Next, disable every plug-in that didn't ship with WordPress. For the remaining plug-ins, check each for an auto-update switch. Some, if not most should be updated with WordPress updates. But, some plug-ins will be found to have zero day vulnerabilities and need to be patched separately from the main WP program.

PHP is one of the most widely used active scripting technologies for general website use. It is found everywhere. Many of the scripts that are used to upload files or include other files have serious mistakes in their coding that, when found, can be exploited. There are people whose sole job is to go over PHP software and plug-in scripts, one line at a time, looking for exploitable mistakes.
George Piburn
Posts: 2131
Joined: 1 Jul 2003 12:01 am
Location: The Land of Enchantment New Mexico

On the Hunt ----

Post by George Piburn »

We have been going at it all morning, latest update on our progress is:

We have the latest version of WordPress, only WP plugins, auto update on.

Mrs. Boards has vast knowledge about these types of scripts and codes and studies your instruction and others to a major degree.

About recreated PHP: none of these recreated after we destroy them; always new and different.

Basically we stay on top of this regularly, and appreciate your help always. I hope this thread helps others too, in the constant battle with funky-ness.

In our case, if it gets out of hand we can pay Lunar a fee to monitor and address bad stuff by their techs, who have a dedicated service for all of those search and destroy efforts you describe.

For others that may be looking at this thread with problems beyond their comprehension, I suggest they contact their server and see if they can get a thorough cleansing.
Wiz Feinberg
Posts: 6103
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

If new scripts keep appearing in WordPress, after deleting previous ones, and you are reasonably certain that any Administrator level accounts for WordPress other than yours have been removed, either the malicious script creating these files is hidden inside a compromised plug-in, or has been shifted to a cron job (server oriented tasks set to run on a timer basis). Open cPanel and check to see what if any cron jobs are scheduled to run.

Have you changed the login to cPanel yet? What about MySql? That's the M in LAMP; the 4 basic components of a Linux Web Server setup. If malcode resides in your database, every time the blog or database loads, that script reruns. Use MySql MyAdmin to check all tables for errors, then to repair any errors found, then run it again to optimize all tables.

Are you making a habit of saving copies of your databases? They can be saved to the server, above the web root, and/or to a computer or mapped/networked drive location. The extension can be .sql unzipped, or it may be saved gzipped or tarballed.
George Piburn
Posts: 2131
Joined: 1 Jul 2003 12:01 am
Location: The Land of Enchantment New Mexico

Database

Post by George Piburn »

We changed the PWs for cPanel login and overall admin too.
Went through the WordPress very carefully as you instructed.
She checked for databases and we don't use those; she understands all about them and how they work and so on.

My next question is: are any of those search and destroy utilities set up with a FREE version similar to Malwarebytes, or maybe a trial that we can use to get through one cleansing before we get into buying?

If we have any serious issues and need to spend money, it is less expensive to use Lunar's paid support services to keep our sites cleaned up.

Just for information: to build sites we use Mac OS 10.6 with Dreamweaver CS5.5 and other high-end Adobe products.
+ years of professional training with code, HTML, Java and so on.
I use my HP Compaq for the forum, Firefox and Outlook type actions.

Thank you again for all of the hand holding and general information, it means a lot to me.

Best Regards

George -io :)
Wiz Feinberg
Posts: 6103
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »
