Woltlab user registration bots

  • Hi,


    I recently got reports from Microsoft that my server was sending spam mails.
    It turns out Woltlab (wcf) is sending these spam mails!


    Hereby an excerpt from the website mail logs:

    Code
    [24-Jun-2016 07:13:45 Europe/Amsterdam] mail() on [/home/username/domains/domain.com/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: Labrieaq8n <dgsdzaaxdxsxccss@apocztaz.com.pl> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 MIME-Version: 1.0
    [24-Jun-2016 08:39:11 Europe/Amsterdam] mail() on [/home/username/domains/domain.com/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: frye3376 <all@azuma81106.ammuca.eu> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 MIME-Version: 1.0
    [24-Jun-2016 09:46:01 Europe/Amsterdam] mail() on [/home/username/domains/domain.com/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: Viviengmt <qrhneduj@gmail4u.eu> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 MIME-Version: 1.0
    [24-Jun-2016 10:17:35 Europe/Amsterdam] mail() on [/home/username/domains/domain.com/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: Donaldmqjx <bettyann@randox.securemail.co.pl> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 MIME-Version: 1.0


    I also found some files created in /tmp by the woltlab user!
    Eg:
    /tmp/phpSexPxI /tmp/phpmhWxZ8 /tmp/phpWggxkh /tmp/phpLgF77K /tmp/phpsjg6Jv /tmp/phpTxQNvJ /tmp/phpFf8MW6 /tmp/phpHXIEck


    All these files were base64 encoded php scripts.
    Eg: a file uploader.


    No other intrusions have been found, nor any rootkits.
    No weird server logins have been done.


    The hack looks like it came via woltlab.



    Now, in order to make woltlab a nice and secure environment, I think it would be good if I could work together with the Woltlab team to find out which script or package is insecure.
    This allows Woltlab to remove this package from the store or to fix the issue.


    Questions:
    1) What is the best way to find out which script is sending these mails? Do I need to add some logging somewhere?
    2) Is there still a way to save my current Woltlab installation and make it secure again?



    Many thanks!

  • First things first, the above log only shows that emails have been sent through the built-in mail subsystem, but it doesn't show where these emails have been dispatched. Have you checked your access logs for requests that happened closely to the time these emails have been sent?


    I also found some files created in /tmp by the woltlab user!

    This doesn't mean anything; these are remains of uploads made to your site that have not made it into an attachment and remain idling in the tmp directory until they're auto-removed by the OS. They can't be executed from outside there, so it doesn't matter.

    Alexander Ebert
    Senior Developer WoltLab® GmbH

  • Hi

    Hereby an excerpt from the website mail logs:

    Those email addresses do not belong to Microsoft mailservers. Are you sure that this is a correct excerpt? Those mails could be registration mails (check whether users with the listed mail addresses exist in your community).

  • Hi,


    - I just took some random parts from the mail logs, it just happens to not contain any hotmail/outlook mail addresses.


    - I do find those email addresses inside the users list.
    So maybe the spam issue and the mail logs are different issues?


    162.158.202.75 - - [24/Jun/2016:09:46:02 +0200] "POST /Register/? HTTP/1.1" 200 10413 "https://www.domain.com/Register/?l=2" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"


    162.158.202.100 - - [24/Jun/2016:10:17:36 +0200] "POST /Register/? HTTP/1.1" 200 10420 "https://www.domain.com/Register/?l=2" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"


    And a bit later they visit the RegisterActivation page.


    So looks like this is not the issue then, it's just registration bots.
    Strange, reCaptcha clearly isn't enough then...



    - The reported spam is real spam, with images and actual sales messages.
    Not a registration mail.
    So probably need to dig a bit deeper.



    Tx for the help!
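    One way to do the mail-log / access-log correlation worked through above, as an added example that is not from this thread or from WoltLab: a small Python script that parses the WCF mail-log format and the Apache combined log format, pairs each mail() call with web requests that completed within a few seconds of it (here the POST to /Register/), and lists the mails that have no nearby request, which are the ones that point at something other than the registration flow. It assumes both logs are in the same local wall-clock time, as in the excerpts above; the log lines below are constructed samples, not the poster's data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the two log formats quoted in the thread.
MAIL_LOG = """\
[24-Jun-2016 07:13:45 Europe/Amsterdam] mail() on [/home/u/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: user1 <a@example.test> -- Headers: X-Mailer: WoltLab Community Framework Mail Package
[24-Jun-2016 09:46:01 Europe/Amsterdam] mail() on [/home/u/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: user2 <b@example.test> -- Headers: X-Mailer: WoltLab Community Framework Mail Package
"""
ACCESS_LOG = """\
203.0.113.7 - - [24/Jun/2016:09:46:02 +0200] "POST /Register/? HTTP/1.1" 200 10413 "https://www.example.test/Register/?l=2" "Mozilla/5.0"
203.0.113.9 - - [24/Jun/2016:09:50:10 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# "[dd-Mon-yyyy HH:MM:SS Zone] mail() on [script:line]: To: recipient -- Headers: ..."
MAIL_RE = re.compile(r'^\[(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) \S+\] mail\(\) on \[([^\]]+)\]: To: (.*?) -- ')
# Apache combined log: ip ident user [time tz] "METHOD path proto" status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_mail_log(text):
    mails = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            mails.append({"time": ts, "script": m.group(2), "to": m.group(3)})
    return mails

def parse_access_log(text):
    reqs = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            # Drop the "+0200" part: both logs are assumed to share local wall-clock time.
            ts = datetime.strptime(m.group(2).split(" ")[0], "%d/%b/%Y:%H:%M:%S")
            reqs.append({"ip": m.group(1), "time": ts, "method": m.group(3),
                         "path": m.group(4), "status": m.group(5)})
    return reqs

def correlate(mails, requests, window_seconds=5):
    """Return (matched, unmatched): matched pairs each mail with requests logged
    within +/- window_seconds of it; unmatched lists mails with no such request."""
    window = timedelta(seconds=window_seconds)
    matched, unmatched = [], []
    for mail in mails:
        near = [r for r in requests if abs(r["time"] - mail["time"]) <= window]
        (matched if near else unmatched).append((mail, near) if near else mail)
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = correlate(parse_mail_log(MAIL_LOG), parse_access_log(ACCESS_LOG))
    for mail, reqs in matched:
        print("mail to", mail["to"], "<-", [(r["ip"], r["method"], r["path"]) for r in reqs])
    for mail in unmatched:
        print("NO REQUEST near mail to", mail["to"], "at", mail["time"], "- investigate")
```

    A mail that lines up with a POST to /Register/ is a registration mail; a mail with no request nearby was not triggered through the web server at all and is the kind of thing the "check for unexpected running processes" advice below is about.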

  • Hi

    So probably need to dig a bit deeper.

    Yes, probably. You might want to check your server for running processes you don't expect. Those might bypass your standard logs and therefore may remain undetected.

  • Do you happen to be running any other sites on that server, like Wordpress/Joomla/Drupal?
    If this is a VPS/dedi that has its own MTA server, have you grepped your mail log for hotmail/outlook/live addresses?