Evo 1.0.14 sending spam email (solved) - My Forums

Evo 1.0.14 sending spam email (solved)

migiel — Oct 11, 2014, 11:06 AM

Dear all,

FYI:
Before i upgraded to 1.0.14 my older version (don't know which version it was 1.0.7!?) was hacked and was used for sending spam emails. unfortunately this upgrade did not solve the problem.

After to many hours searching the site and the internet i found out that the mails were send by the Tinymce rich text editor plugin.
Deleted it and replaced it by CKEditor

Until now (3 hours later) it seems that the problem is solved.

Kr
Michiel

Re: Evo 1.0.14 sending spam email (solved)

migiel — Dec 11, 2014, 01:47 PM

@gallenkamp, Thanks... but i had to change the whole site to Revo, i had that coming anyway.
@Spheerys, thanks for you info!

Re: Evo 1.0.14 sending spam email (solved)

Spheerys — Nov 11, 2014, 12:30 PM

Quote from: paulp at Oct 14, 2014, 10:23 AM

If you have SSH access to a server it's pretty easy to see if any accounts are sending out large amounts of email ( through exim ), to do this log into the server via SSH and run the command:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
The above will list the accounts that have been sending out emails like below:
434 /home/site1/public_html/blog
1012 /home/site2/public_html/blog
2129 /home/site3
16808 /home/site4/public_html/assets/docs
From this we can see that site4 has sent 16808 which will be the culperate, so we need to find out where the email is being sent from, to get this run the following command:
ls -lahtr /home/site4/public_html/assets/docs
This will list the docs like below, in the list we will notice that one file is owned by nobody, this is probably the script that is sending out so thats a starting point.
-rwxrwxrwx  1 burysted burysted  16K Mar  1  2010 license.txt*
-rwxrwxrwx  1 burysted burysted   70 Mar  1  2010 index.html*
-rw-r--r--  1 nobody   nobody    32K Oct 20  2010 db.php
This is the easiest way I have found for finding compromised accounts, however you can guarentee that there are other files within the account so you'll need to find and remove all of them

Very nice tip, but if somebody have the same for the file /var/log/mail.log (postfix/dovecot), I'm interested

Re: Evo 1.0.14 sending spam email (solved)

gallenkamp — Oct 16, 2014, 03:03 PM

@Migiel

How big is your site in total? If you can download the whole ftp and zip it into a dropbox or just your webspace, I can download it at my server and scan it there. Then I can zip it and let you download it. you clean your webspace and upload the cleaned files from me.
If you answer within one hour or so, we can do it now. It's 10pm here, but I will be up for another two or three hours.

Re: Evo 1.0.14 sending spam email (solved)

migiel — Oct 16, 2014, 12:36 PM

Hi pmfx, yes i did install it via the Modx extra's page, i never looked at the release date.
Maybe better look for an other solution.

Still no undelivered spam mail received though, so i'm pretty sure that, in my case, it was TinyMCE that was sending the spam.
My site i actually very basic, so if i find the time i will port it to Revo.

Re: Evo 1.0.14 sending spam email (solved)

migiel — Oct 16, 2014, 12:28 PM

Hi Gallenkamp, i'm not sure if i can do that.
My host gives only limited access to C-panel. I will ask if they can install it for me.
Thanks!

Re: Evo 1.0.14 sending spam email (solved)

pmfx — Oct 16, 2014, 05:34 AM

Migiel, sound promising but did you take CKEditor from here http://modx.com/extras/package/ckeditorforevo ? Looks outdated (Released Mar 16, 2011)

Re: Evo 1.0.14 sending spam email (solved)

gallenkamp — Oct 14, 2014, 02:52 PM

Hi migiel, did you try maldet for linux? It cleaned my evo 1.0.14 site yesterday. No spam since then.

Re: Evo 1.0.14 sending spam email (solved)

migiel — Oct 14, 2014, 05:31 AM

Thanks Paul, i will try this as according to my Host, there are still mails send from my modx evo.
But i'm not sure if they are right as i'm not receiving any undelivered mails back in my mailbox. Before i deleted TinyMCE i had at least a dozen per minute.

@PMFX, i have replaced TinyMCE with CKEditor, it looks like other cms systems have had the same issue with TinyMCE

Re: Evo 1.0.14 sending spam email (solved)

paulp — Oct 14, 2014, 05:23 AM

If you have SSH access to a server it's pretty easy to see if any accounts are sending out large amounts of email ( through exim ), to do this log into the server via SSH and run the command:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

The above will list the accounts that have been sending out emails like below:

434 /home/site1/public_html/blog
1012 /home/site2/public_html/blog
2129 /home/site3
16808 /home/site4/public_html/assets/docs

From this we can see that site4 has sent 16808 which will be the culperate, so we need to find out where the email is being sent from, to get this run the following command:

ls -lahtr /home/site4/public_html/assets/docs

This will list the docs like below, in the list we will notice that one file is owned by nobody, this is probably the script that is sending out so thats a starting point.

-rwxrwxrwx  1 burysted burysted  16K Mar  1  2010 license.txt*
-rwxrwxrwx  1 burysted burysted   70 Mar  1  2010 index.html*
-rw-r--r--  1 nobody   nobody    32K Oct 20  2010 db.php

This is the easiest way I have found for finding compromised accounts, however you can guarentee that there are other files within the account so you'll need to find and remove all of them