WAMP FakeSendmail hacked
Posted by: nfcohl (---.completel.net)
Date: November 24, 2016 10:37AM

Hello all,

I have to replace someone and take over the admin of a WAMP server, so I'm quite new to this, sorry if information is missing.
There is an old Joomla running on it, and the site was hacked a few days ago. I updated stuff and now everything is fine.
But I realised the Apache error logs were growing fast. They contain lots of:
sendmail: Error during delivery: Spam detected.

Looking at the Sendmail debug.log, I can see SPAM being sent using my server (end of this post).

How can I find out where it originates from and block it?

Thanks


16/11/24 10:22:27 ** --- MESSAGE BEGIN ---
16/11/24 10:22:27 ** To: rwiddersjr@comcast.net
16/11/24 10:22:27 ** Subject: We do have a search for a partner
16/11/24 10:22:27 ** Date: Thu, 24 Nov 2016 10:22:27 +0100
16/11/24 10:22:27 ** From: Crystal <crystal@intranet.cohl.fr>
16/11/24 10:22:27 ** Message-ID: <8ee993a214679b255898182e1b476590@intranet.cohl.fr>
16/11/24 10:22:27 ** X-Priority: 3
16/11/24 10:22:27 ** MIME-Version: 1.0
16/11/24 10:22:27 ** Content-Type: multipart/alternative;
16/11/24 10:22:27 ** boundary="b1_8ee993a214679b255898182e1b476590"
16/11/24 10:22:27 ** Content-Transfer-Encoding: 8bit
16/11/24 10:22:27 **
16/11/24 10:22:27 **
16/11/24 10:22:27 ** --b1_8ee993a214679b255898182e1b476590
16/11/24 10:22:27 ** Content-Type: text/plain; charset=us-ascii
16/11/24 10:22:27 **
[...]
Connecting to smtp.completel.fr:25
16/11/24 10:22:27 ** Connected.
16/11/24 10:22:27 << 220 smtp3.mail.completel.net ESMTP Postfix<EOL>
16/11/24 10:22:27 >> EHLO SRVWEB01.******<EOL>
16/11/24 10:22:27 << 250-smtp3.mail.completel.net<EOL>250-PIPELINING<EOL>250-SIZE 51200000<EOL>250-ETRN<EOL>250-ENHANCEDSTATUSCODES<EOL>250-8BITMIME<EOL>250 DSN<EOL>
16/11/24 10:22:27 >> MAIL FROM: <crystal@intranet.cohl.fr><EOL>
16/11/24 10:22:27 << 250 2.1.0 Ok<EOL>
16/11/24 10:22:27 >> RCPT TO: <rwiddersjr@comcast.net><EOL>
16/11/24 10:22:28 << 250 2.1.5 Ok<EOL>
16/11/24 10:22:28 >> DATA<EOL>
16/11/24 10:22:28 << 354 End data with <CR><LF>.<CR><LF><EOL>

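A triage sketch for the debug.log layout pasted above, added here as an example and not code from the thread or from the fake sendmail project: it splits the log into messages and counts per-minute volume and repeated subjects, so bulk runs stand out from normal site mail. The sample log is constructed and its addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the debug.log layout from the post (placeholder addresses).
SAMPLE_LOG = """\
16/11/24 10:22:27 ** --- MESSAGE BEGIN ---
16/11/24 10:22:27 ** To: user1@example.net
16/11/24 10:22:27 ** Subject: We do have a search for a partner
16/11/24 10:22:27 ** From: Crystal <crystal@intranet.example.org>
16/11/24 10:22:27 >> RCPT TO: <user1@example.net><EOL>
16/11/24 10:22:41 ** --- MESSAGE BEGIN ---
16/11/24 10:22:41 ** To: user2@example.com
16/11/24 10:22:41 ** Subject: We do have a search for a partner
16/11/24 10:22:41 ** From: Amber <amber@intranet.example.org>
16/11/24 10:22:41 >> RCPT TO: <user2@example.com><EOL>
16/11/24 10:23:05 ** --- MESSAGE BEGIN ---
16/11/24 10:23:05 ** Subject: Contact form
16/11/24 10:23:05 ** From: Site <noreply@intranet.example.org>
"""

LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d):\d\d (\*\*|>>|<<) ?(.*)$")
HEADER = re.compile(r"^(To|From|Subject|Message-ID): (.*)$", re.I)

def parse_messages(text):
    """Return one dict per '--- MESSAGE BEGIN ---' block in the log."""
    messages, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # elided or unstamped lines such as "[...]"
        minute, direction, body = m.groups()
        if direction == "**" and body == "--- MESSAGE BEGIN ---":
            current = {"minute": minute, "rcpt": []}
            messages.append(current)
        elif current is None:
            continue
        elif direction == "**" and (h := HEADER.match(body)) and h.group(1).lower() not in current:
            current[h.group(1).lower()] = h.group(2)  # keep the first occurrence only
        elif direction == ">>" and body.upper().startswith("RCPT TO:"):
            current["rcpt"].append(body[8:].replace("<EOL>", "").strip(" <>"))
    return messages

def summarize(messages):
    """Count messages per minute and per subject line."""
    per_minute = Counter(m["minute"] for m in messages)
    subjects = Counter(m.get("subject", "") for m in messages)
    return per_minute, subjects

if __name__ == "__main__":
    print(summarize(parse_messages(SAMPLE_LOG)))
```

This log does not record which PHP script called mail(); PHP's `mail.log` and `mail.add_x_header` php.ini directives record the calling script for each message.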
Re: WAMP FakeSendmail hacked
Posted by: RiggsFolly (Moderator)
Date: November 24, 2016 01:21PM

Hi,

Sorry, this is not a WAMPServer issue, it's a Joomla/site issue.

Re: WAMP FakeSendmail hacked
Posted by: nfcohl (---.completel.net)
Date: November 25, 2016 11:48AM

Sorry about that, but I was thinking: Apache php.ini contains the path to sendmail, and I can only disable it from there.
I thought that it doesn't rely on Joomla for that matter.
Thanks
