  #1  
Old 04-17-2012, 04:07 PM
sivaganeshk sivaganeshk is offline
 
Join Date: Oct 2010
Posts: 250
Default Spam emails

Anyone else having the same issue: "a hacker is sending 100s of emails through my vb site"? All my plugins are from vb.org (up to date) and I don't use any nulled scripts.

The email that is sent

Quote:
This is a message from Allan Cox ( mailto: ) from the College Students forum ( http://collegers.net/ ).

The message is as follows:

Hi,


Finally, we can drive the electric company out from our home...and not pay another cent on electr!city ever again.

The secret to Free..UNLIM!TED ENERGY is here, click or copy and paste the link below:
http://payspree.com/6038/pontiacgto


Best regards,


Allan
Affiliate




Please reply to magnetforpower@yahoo.com with OUT as the subject to be removed from our listing. Thanks.
I had contacted Payspree support and they had banned the affiliate account. However, I still have this vulnerability which sends email.

The only way to stop it is disabling Plugins & hooks in AdminCP settings. Even when I disable all the plugins except CMS, blog, FB login, the emails are generated and sent.

Any action of relief?
  #2  
Old 04-17-2012, 04:12 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Default

Did you look at your web server logs? You might be able to figure out which vb script is being called to send them.
  #3  
Old 04-17-2012, 04:28 PM
sivaganeshk sivaganeshk is offline
 
Join Date: Oct 2010
Posts: 250
Default

The log is

Quote:
<username@collegers.net>
1334664710 0
-ident username
-received_protocol local
-body_linecount 62
-max_received_linelength 114
-auth_id username
-auth_sender username@collegers.net
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
thuylh@iev-group.com

196P Received: from username by collegers.net with local (Exim 4.77)
(envelope-from <username@collegers.net>)
id 1SK7GA-0007mb-99
for thuylh@iev-group.com; Tue, 17 Apr 2012 07:11:50 -0500
025T To: thuylh@iev-group.com
064 Subject: Cut-down your electric bill with this leaked invention
060 X-PHP-Script: collegers.net/showthread.php for 66.249.71.39
052F From: "College Students forum" <info@collegers.net>
031 Auto-Submitted: auto-generated
032* Return-Path: info@collegers.net
056I Message-ID: <20120417121145.0a29cfb6d21c@collegers.net>
018 MIME-Version: 1.0
047 Content-Type: text/plain; charset="ISO-8859-1"
032 Content-Transfer-Encoding: 8bit
014 X-Priority: 3
033 X-Mailer: vBulletin Mail via PHP
039S Sender: <username@collegers.net>
038 Date: Tue, 17 Apr 2012 07:11:50 -0500

replaced username is my CP username
  #4  
Old 04-17-2012, 04:32 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Default

OK, that's some sort of emailing log (I don't know exactly what that is), but what I mean is the web server access log. For instance if the problem is in some_script.php then it seems like you would see a lot of those in a row in your access log.
Reply With Quote
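
Added example, not part of the thread and not vBulletin, Exim or cPanel code: the spool header quoted in post #3 already carries an `X-PHP-Script` line naming the script and client address, so one way to follow the access-log advice is to tally that header across queued messages and then pull the matching access-log entries. The `X-PHP-Script` values are copied from post #3; the second and third spool entries, the access-log lines (Apache combined format assumed) and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Header as it appears in the Exim spool file quoted in post #3.
XPHP = re.compile(
    r"X-PHP-Script:\s*(?P<host>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<ip>\S+)")
# Start of an Apache combined-format line: client, timestamp, method, URI.
ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)')

def mail_sources(spool_texts):
    """Tally (script path, client IP) pairs over spool header files."""
    tally = Counter()
    for text in spool_texts:
        m = XPHP.search(text)
        key = (m["path"], m["ip"]) if m else ("<no X-PHP-Script>", "-")
        tally[key] += 1
    return tally

def matching_requests(access_lines, path, ip):
    """Access-log entries from `ip` whose request path equals `path`."""
    hits = []
    for line in access_lines:
        m = ACCESS.match(line)
        if m and m["ip"] == ip and m["uri"].split("?", 1)[0] == path:
            hits.append((m["ts"], m["method"], m["uri"]))
    return hits

# Constructed sample input (see lead-in for what is copied from the thread).
SPOOL = [
    "064 Subject: Cut-down your electric bill with this leaked invention\n"
    "060 X-PHP-Script: collegers.net/showthread.php for 66.249.71.39\n",
    "060 X-PHP-Script: collegers.net/showthread.php for 66.249.71.39\n",
    "025T To: someone@example.org\n018 MIME-Version: 1.0\n",
]
ACCESS_LOG = [
    '66.249.71.39 - - [17/Apr/2012:07:11:45 -0500] '
    '"GET /showthread.php?t=123 HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [17/Apr/2012:07:11:46 -0500] '
    '"GET /index.php HTTP/1.1" 200 900 "-" "-"',
    '66.249.71.39 - - [17/Apr/2012:07:12:02 -0500] '
    '"GET /showthread.php?t=124 HTTP/1.1" 200 5090 "-" "-"',
]

if __name__ == "__main__":
    for (path, ip), n in mail_sources(SPOOL).most_common():
        hits = matching_requests(ACCESS_LOG, path, ip)
        print(f"{n} mails via {path} for {ip}: {len(hits)} access-log hits")
```

Comparing the timestamps of the returned requests with the `Received:` time in each spool file shows which request preceded each outgoing message.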
  #5  
Old 04-17-2012, 04:40 PM
sivaganeshk sivaganeshk is offline
 
Join Date: Oct 2010
Posts: 250
Default

Where can I find it? CPanel or WHM? And if possible, which section/category?
  #6  
Old 04-17-2012, 04:41 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Default

Ah...I wish I could tell you but to be honest I don't know. I'm not familiar with CPanel. We just use ssh and the apache logs are in a directory. You could ask your host, if that's easy, otherwise I'm sure someone else here will know.

BTW, I'm not sure this will lead to finding the problem, but it seems like a good place to start.
  #7  
Old 04-17-2012, 05:02 PM
sivaganeshk sivaganeshk is offline
 
Join Date: Oct 2010
Posts: 250
Default

Thanks for the heads up. There is a feature called "Raw Access Log".
Will check and get back with more information.

--------------- Added [DATE]1334768864[/DATE] at [TIME]1334768864[/TIME] ---------------

I deleted around 10 plugins and I am using only those most popular (and reliable) plugins.

Didn't see any emails bouncing yet (enabled the plugins for 6+ hours).