ASP Upload Hacking and PHP Spam Mailer

By admin, November 27, 2011 1:47 pm

I noticed that the outgoing traffic of my email gateway had almost doubled over the past two days. There were thousands of spam mails using the default PHP email account (s285@domain.com was the default email account configured in php.ini, which helps a lot in tracking back which server is sending the spam) connecting from the relayed dedicated server.

s285 is the relay dedicated server that has been sending spam through our gateway, and there are more than 50 sub sites on it, so finding out which sub site got infected with the spam mailer seemed impossible at first.

By searching through which PHP files had been modified in the past week, I was lucky to locate only a few, and by examining the file names (those hacking robots or mailers normally have bizarre names) I found one strange PHP script named 9024.php. Running it from the web page showed nothing; opening it in Notepad, I found it was a PHPMailer using the URL string as its parameter.
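The triage described above (list PHP files modified within the last few days, then look at which of them send mail driven by URL parameters) can be scripted so it does not depend on eyeballing file names. The following is an added example written for this post, not the author's own script: it builds a constructed sample web root (the paths, file contents and the `9024.php` name are sample data) and returns the recently modified files that both call `mail()` and read `$_GET`/`$_REQUEST` parameters.

```shell
#!/bin/sh
# Added example, not code from the original post. Triage helper that lists
# PHP files modified within the last N days and flags those that call
# mail() with parameters taken straight from the request, the pattern the
# post describes. The sample web root below is constructed for the demo.

set -eu

# Print .php files under directory $1 modified within the last $2 days.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Among recently modified files, print those that both call mail() and
# read request parameters ($_GET / $_REQUEST), one path per line.
# This is a heuristic: a legitimate contact form can match too, so the
# output is a shortlist for manual review, not a verdict.
find_suspect_mailers() {
    recent_php_files "$1" "$2" | while IFS= read -r f; do
        if grep -qE 'mail[[:space:]]*\(' "$f" \
           && grep -qE '\$_(GET|REQUEST)\[' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample web root so the script runs stand-alone and
# print its path. Three files: an old legitimate contact form, a freshly
# dropped mailer with a numeric name, and a freshly edited benign page.
build_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/site1" "$root/site2"
    # Legitimate contact form: calls mail() but was last modified long ago
    # (timestamp fixed to 2011-01-01 so find's -mtime excludes it).
    printf '<?php mail("info@example.test", "Contact", $_POST["msg"]); ?>\n' \
        > "$root/site1/contact.php"
    touch -t 201101010000 "$root/site1/contact.php"
    # Dropped mailer: recipient, subject and body all come from the URL.
    printf '<?php mail($_GET["to"], $_GET["s"], $_GET["m"]); ?>\n' \
        > "$root/site2/9024.php"
    # Recently edited but benign file: no mail() call.
    printf '<?php echo "hello"; ?>\n' > "$root/site2/index.php"
    printf '%s\n' "$root"
}

# Stand-alone run: build the sample root, report, clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(build_sample_root)
    echo "Recently modified PHP files:"
    recent_php_files "$root" 7
    echo "Suspect mailers (mail() fed from request parameters):"
    find_suspect_mailers "$root" 7
    rm -rf "$root"
fi
```

Run it with `--demo` to see the constructed case; against a real web root, call `find_suspect_mailers /path/to/webroot 7` and review each hit by hand. On a multi-site server the `-mtime` window is what keeps the list short, which is exactly why the author's "modified in the past week" filter worked.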

Then I simply removed it, but wait, how did it get uploaded in the first place? Well, the client is running ASP and I asked if they have any upload function, but it turns out they have no idea at all, and I have no time to search through 200+ ASP scripts.

So the quick solution is to disable PHP for this site.

Case closed. MAMAMIA!

P.S. Btw, I have a feeling that PHP hacking scripts have gained a lot of ground in the past 2-3 years. One of the most interesting cases I've come across was a DDoS PHP script utilizing UDP and using the URL string as the attacking parameter. I must admit this is simply genius indeed!