Spam emails


sivaganeshk
04-17-2012, 04:07 PM
Anyone else having the same issue? "A hacker is sending 100s of emails through my vb site." All my plugins are from vb.org (up to date) and I don't use any nulled scripts.

The email that is sent


This is a message from Allan Cox ( mailto: ) from the College Students forum ( http://collegers.net/ ).

The message is as follows:

Hi,


Finally, we can drive the electric company out from our home...and not pay another cent on electr!city ever again.

The secret to Free..UNLIM!TED ENERGY is here, click or copy and paste the link below:
http://payspree.com/6038/pontiacgto


Best regards,


Allan
Affiliate




Please reply to magnetforpower@yahoo.com with OUT as the subject to be removed from our listing. Thanks.


I had contacted Payspree support and they had banned the affiliate account. However, I still have this vulnerability which sends email.

The only way to stop it is disabling Plugins & hooks in AdminCP settings. Even when I disable all the plugins except CMS, blog, FB login, the emails are generated and sent.

Any action of relief? :confused:

kh99
04-17-2012, 04:12 PM
Did you look at your web server logs? You might be able to figure out which vb script is being called to send them.

sivaganeshk
04-17-2012, 04:28 PM
The log is


<username@collegers.net>
1334664710 0
-ident username
-received_protocol local
-body_linecount 62
-max_received_linelength 114
-auth_id username
-auth_sender username@collegers.net
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
thuylh@iev-group.com

196P Received: from username by collegers.net with local (Exim 4.77)
(envelope-from <username@collegers.net>)
id 1SK7GA-0007mb-99
for thuylh@iev-group.com; Tue, 17 Apr 2012 07:11:50 -0500
025T To: thuylh@iev-group.com
064 Subject: Cut-down your electric bill with this leaked invention
060 X-PHP-Script: collegers.net/showthread.php for 66.249.71.39
052F From: "College Students forum" <info@collegers.net>
031 Auto-Submitted: auto-generated
032* Return-Path: info@collegers.net
056I Message-ID: <20120417121145.0a29cfb6d21c@collegers.net>
018 MIME-Version: 1.0
047 Content-Type: text/plain; charset="ISO-8859-1"
032 Content-Transfer-Encoding: 8bit
014 X-Priority: 3
033 X-Mailer: vBulletin Mail via PHP
039S Sender: <username@collegers.net>
038 Date: Tue, 17 Apr 2012 07:11:50 -0500



The replaced "username" is my CP username.

kh99
04-17-2012, 04:32 PM
OK, that's some sort of emailing log (I don't know exactly what that is), but what I mean is the web server access log. For instance, if the problem is in some_script.php then it seems like you would see a lot of those in a row in your access log.

sivaganeshk
04-17-2012, 04:40 PM
Where can I find it? CPanel or WHM? And if possible, which section/category?

kh99
04-17-2012, 04:41 PM
Ah...I wish I could tell you but to be honest I don't know. I'm not familiar with CPanel. We just use ssh and the apache logs are in a directory. You could ask your host, if that's easy, otherwise I'm sure someone else here will know.

BTW, I'm not sure this will lead to finding the problem, but it seems like a good place to start.
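An added example, not code from this thread: the Exim log posted above carries an X-PHP-Script header (PHP adds it when mail.add_x_header is on) naming the script and client IP that generated the mail, which is exactly the lead kh99 is pointing at. This script pulls that header out of a header dump and finds the matching requests in an Apache combined-format access log; the host, IPs and log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed Exim header dump in the same shape as the one posted above
# (host and IP are made up for this example).
EXIM_HEADERS = """\
060 X-PHP-Script: example.net/showthread.php for 192.0.2.10
052F From: "Example forum" <info@example.net>
033 X-Mailer: vBulletin Mail via PHP
038 Date: Tue, 17 Apr 2012 07:11:50 -0500
"""

# Constructed Apache combined-format access log lines.
ACCESS_LOG = """\
192.0.2.10 - - [17/Apr/2012:07:11:49 -0500] "POST /showthread.php?t=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2012:07:11:50 -0500] "GET /forum.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Apr/2012:07:11:51 -0500] "POST /showthread.php?t=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Apr/2012:07:11:52 -0500] "POST /sendmessage.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# "X-PHP-Script: <host>/<script> for <client ip>"
PHP_SCRIPT_RE = re.compile(r"X-PHP-Script:\s*(\S+?)/(\S+)\s+for\s+(\S+)")
# ip ident user [timestamp] "method path proto" status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')

def parse_php_script_header(headers: str):
    """Return (host, script, client_ip) from an Exim header dump, or None."""
    m = PHP_SCRIPT_RE.search(headers)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def matching_requests(access_log: str, script: str, client_ip: str):
    """Access-log hits from client_ip to the script that generated the mail."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if ip == client_ip and path.split("?", 1)[0].lstrip("/") == script:
            hits.append((ts, method, path, status))
    return hits

def top_scripts_by_client(access_log: str, client_ip: str):
    """Which scripts one client requests most: a quick triage view."""
    c = Counter()
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(1) == client_ip:
            c[m.group(4).split("?", 1)[0]] += 1
    return c.most_common()
```

Run it against the real Raw Access Log and header dumps to see which script and client keep appearing right before each spam message leaves the server.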

sivaganeshk
04-17-2012, 05:02 PM
Thanks for the heads up. There is a feature called "Raw Access Log".
Will check and get back with more information.


I deleted around 10 plugins and I am using only those most popular (and reliable) plugins.

Didn't see any emails bouncing yet (enabled the plugins for 6+ hours).