Spamming Script. Cannot get rid of it

[chikagoh]

Greetings,

Someone keeps uploading a spammer script (php). I find it, I delete it, and then another is uploaded in it's place. The upload locations is always in a different directory.

How can I find where the hole is that is allowing these php scripts to be uploaded?

Running: Joomla! 2.5.27 Stable [ Ember ] 30-September-2014 14:00 GMT

Thank you

[itoctopus]

It seems that you are addressing the consequences, but not the cause. Either you have a vulnerable extension or there is a script that was uploaded previously to your site that allows control over your filesystem.

Check your logs and see if you can find a suspicious call to a php file around the same time where that spam PHP script was uploaded/created.

[mandville]

Also check . Cron jobs and follow checklist 7=
Post your fpa

[chikagoh]

Someone uploading php spamming script

Cannot find anything in my logfiles

Joomla! Instance :: Joomla! 2.5.27-Stable (Ember) 30-September-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (644) | Owner: 10000 (uid: /gid: ) | Group: 505 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-431.29.2.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/www/vhosts/XXX/httpdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.3 | PHP API: apache2handler | Session Path Writable: No | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: 0 | Open Base: /var/www/vhosts/XXX/:/tmp/ | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 128M

MySQL Configuration :: Version: 5.1.73 (Client:5.1.73) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 3.78 MiB | #of Tables: 125

PHP Extensions :: Core (5.3.3) | date (5.3.3) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | session () | iconv () | Reflection ($Revision: 300393 $) | standard (5.3.3) | shmop () | SPL (0.2) | SimpleXML (0.1) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | xml () | apache2handler () | curl () | dom (20031129) | fileinfo (1.0.5-dev) | gd () | imap () | json (1.2.1) | mbstring () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | sqlite3 (0.7-dev) | wddx () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: mcrypt | suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | prefork | http_core | mod_so | mod_auth_basic | mod_auth_digest | mod_authn_file | mod_authn_alias | mod_authn_anon | mod_authn_dbm | mod_authn_default | mod_authz_host | mod_authz_user | mod_authz_owner | mod_authz_groupfile | mod_authz_dbm | mod_authz_default | util_ldap | mod_authnz_ldap | mod_include | mod_log_config | mod_logio | mod_env | mod_ext_filter | mod_mime_magic | mod_expires | mod_deflate | mod_headers | mod_usertrack | mod_setenvif | mod_mime | mod_dav | mod_status | mod_autoindex | mod_info | mod_dav_fs | mod_vhost_alias | mod_negotiation | mod_dir | mod_actions | mod_speling | mod_userdir | mod_alias | mod_substitute | mod_rewrite | mod_proxy | mod_proxy_balancer | mod_proxy_ftp | mod_proxy_http | mod_proxy_ajp | mod_proxy_connect | mod_cache | mod_suexec | mod_disk_cache | mod_cgi | mod_version | mod_aclr2 | mod_fcgid | mod_perl | mod_php5 | mod_python | mod_rpaf-2 | mod_ssl | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::

Components :: SITE :: CB ProfileBook (1.3) | Yanc Integration (1.2) | CB Mamblog Tab (1.2) | Rating Field (1.2) | CB Profile Gallery (1.2) | CB Mambo Author Tab (1.2) | CB Captcha (1.3) | com_mailto (2.5.0) | com_wrapper (2.5.0) | WF_ANCHOR_TITLE (2.3.4.4) | WF_BROWSER_TITLE (2.3.4.4) | WF_INLINEPOPUPS_TITLE (2.3.4.4) | WF_MEDIA_TITLE (2.3.4.4) | WF_PREVIEW_TITLE (2.3.4.4) | WF_ARTICLE_TITLE (2.3.4.4) | WF_SPELLCHECKER_TITLE (2.3.4.4) | WF_CLIPBOARD_TITLE (2.3.4.4) | WF_FULLSCREEN_TITLE (2.3.4.4) | WF_DIRECTIONALITY_TITLE (2.3.4.4) | WF_TEXTCASE_TITLE (2.3.4.4) | WF_NONBREAKING_TITLE (2.3.4.4) | WF_LAYER_TITLE (2.3.4.4) | WF_CHARMAP_TITLE (2.3.4.4) | WF_IMGMANAGER_TITLE (2.3.4.4) | WF_XHTMLXTRAS_TITLE (2.3.4.4) | WF_SOURCE_TITLE (2.3.4.4) | WF_KITCHENSINK_TITLE (2.3.4.4) | WF_PRINT_TITLE (2.3.4.4) | WF_LISTS_TITLE (2.3.4.4) | WF_TABLE_TITLE (2.3.4.4) | WF_STYLE_TITLE (2.3.4.4) | WF_SEARCHREPLACE_TITLE (2.3.4.4) | WF_AUTOSAVE_TITLE (2.3.4.4) | WF_VISUALBLOCKS_TITLE (2.3.4.4) | WF_CONTEXTMENU_TITLE (2.3.4.4) | WF_VISUALCHARS_TITLE (2.3.4.4) | WF_LINK_TITLE (2.3.4.4) | WF_CLEANUP_TITLE (2.3.4.4) | WF_AGGREGATOR_VINE_TITLE (2.3.4.4) | WF_AGGREGATOR_[youtube]_TITLE (2.3.4.4) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.4.4) | WF_AGGREGATOR_VIMEO_TITLE (2.3.4.4) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.3.4.4) | WF_LINK_SEARCH_TITLE (2.3.4.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.4.4) | WF_POPUPS_WINDOW_TITLE (2.3.4.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.4.4) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.4.4) |
Components :: ADMIN :: com_users (2.5.0) | com_search (2.5.0) | com_languages (2.5.0) | COM_K2 (2.6.8) | mod_k2_comments (-) | mod_k2_comments (-) | com_installer (2.5.0) | com_redirect (2.5.0) | com_xmap (2.3.2) | comprofiler (1.9.1) | comprofiler (1.9.1) | com_newsfeeds (2.5.0) | COM_CONTACTENHANCED (2.5.17) | com_cache (2.5.0) | com_plugins (2.5.0) | com_cpanel (2.5.0) | com_messages (2.5.0) | eXtplorer (2.1.0) | com_admin (2.5.0) | com_categories (2.5.0) | com_banners (2.5.0) | RokGallery (2.22) | com_config (2.5.0) | com_login (2.5.0) | com_content (2.5.0) | com_media (2.5.0) | Gantry (4.1.26) | com_joomlaupdate (2.5.0) | com_modules (2.5.0) | com_checkin (2.5.0) | JCE (2.3.4.4) | Unknown (-) | Akeeba (3.6.9) | com_finder (2.5.0) | com_menus (2.5.0) | com_templates (2.5.0) | com_weblinks (2.5.0) | RokSprocket (2.1.2) |

Modules :: SITE :: CB Login (1.9.1) | mod_articles_categories (2.5.0) | CB Online (1.9) | mod_footer (2.5.0) | CB Workflows (1.9) | mod_articles_popular (2.5.0) | mod_banners (2.5.0) | RokNavMenu (2.0.7) | K2 User (2.6.8) | mod_login (2.5.0) | mod_articles_category (2.5.0) | Contact Information Module (2.5) | Latestweet (4.3) | RokTwittie (1.8) | RokSprocket Module (2.1.2) | Contact Enhanced Alpha Index (3.0) | mod_search (2.5.0) | mod_syndicate (2.5.0) | Rapid Contact (1.2) | CB Gallery Module (1.2.2) | mod_feed (2.5.0) | mod_ce_category (2.5.12) | mod_menu (2.5.0) | K2 Content (2.6.8) | mod_languages (2.5.0) | mod_custom (2.5.0) | mod_wrapper (2.5.0) | mod_random_image (2.5.0) | RokGallery Module (2.22) | mod_articles_archive (2.5.0) | K2 Tools (2.6.8) | mod_articles_news (2.5.0) | Contact Enhanced Form (2.5.15) | mod_finder (2.5.0) | CB Activity (2.4.1) | mod_users_latest (2.5.0) | K2 Comments (2.6.8) | Contact Enhanced Latest Submit (3.0) | Contact Enhanced Search (2.5.10) | CB PB Latest (1.3) | mod_whosonline (2.5.0) | mod_related_items (2.5.0) | Contact Enhanced Slideshow (2.5.10) | Contact Enhanced Birthday (3.0) | mod_weblinks (2.5.0) | mod_breadcrumbs (2.5.0) | K2 Users (2.6.8) | mod_articles_latest (2.5.0) | CB GroupJive (2.7.0) | mod_stats (2.5.0) |
Modules :: ADMIN :: K2 Quick Icons (admin) (2.6.8) | K2 Stats (admin) (2.6.8) | Contact Enhanced Latest Submit (3.0) | mod_login (2.5.0) | mod_toolbar (2.5.0) | mod_feed (2.5.0) | mod_menu (2.5.0) | mod_submenu (2.5.0) | mod_logged (2.5.0) | mod_custom (2.5.0) | mod_status (2.5.0) | Contact Enhanced Statistics (3.0) | mod_popular (2.5.0) | mod_multilangstatus (2.5.0) | Community Builder Admin menu (1.0) | mod_quickicon (2.5.0) | mod_latest (2.5.0) | mod_title (2.5.0) | mod_version (2.5.0) |

Plugins :: SITE :: Contact Enhanced - Custom Code (3.1.0) | Josetta - K2 Items (2.6.8) | Josetta - K2 Categories (2.6.8) | User - K2 (2.6.8) | plg_user_joomla (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_ce_contactcreator (3.0.0) | plg_user_profile (2.5.0) | plg_search_contactenhanced (2.5.12) | Search - GroupJive (2.7.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_newsfeeds (2.5.0) | Search - Community Builder (1.1.0) | Search - K2 (2.6.8) | plg_search_weblinks (2.5.0) | Content - Contact Enhanced For (2.5.15) | plg_content_pagebreak (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | Content - Community Builder Au (1.0.1) | Content - RokInjectModule (1.6) | plg_content_geshi (2.5.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | Button - Contact Enhanced Form (2.5.10) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_readmore (2.5.0) | Button - RokGallery (2.22) | plg_quickicon_jcefilebrowser (2.3.4.4) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | Xmap - Content Plugin (2.0.4) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - Virtuemart Plugin (2.0.1) | Xmap - Kunena Plugin (2.0.3) | Xmap - SobiPro Plugin (2.0.2) | Xmap - WebLinks Plugin (2.0.1) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_editors_jce (2.3.4.4) | plg_editors_tinymce (3.5.4.1) | plg_editors_codemirror (1.0) | plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | PLG_SYSTEM_MODALS (4.12.3FREE) | plg_system_sef (2.5.0) | System - Contact Enhanced (CE) (3.1) | plg_system_languagecode (2.5.0) | System - RokCommon (3.1.11) | plg_system_highlight (2.5.0) | System - CB Core Redirect (1.0.0) | PLG_SYSTEM_NNFRAMEWORK (14.8.6) | System - RokSprocket (2.1.2) | PLG_ECC (2.5-8) | Google Maps (2.20) | System - Gantry (4.1.26) | plg_system_logout (2.5.0) | plg_system_p3p (2.5.0) | System - RokExtender (2.0.0) | System - Mail Links to Contact (2.5.10) | System - K2 (2.6.8) | plg_system_languagefilter (2.5.0) | System - Autologin (2.5.0) | System - Contact Enhanced (CE) (2.5.16) | System - RokGallery (2.22) | plg_system_remember (2.5.0) | plg_system_redirect (2.5.0) | plg_system_log (2.5.0) | plg_system_cache (2.5.0) | System - iSeKeywords (2.5.10) | plg_system_debug (2.5.0) | plg_captcha_recaptcha (2.5.0) | Captcha - SecurImage (3.2.2) | plg_finder_contactenhanced (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_k2 (2.6.8) | plg_finder_weblinks (2.5.0) | plg_extension_joomla (2.5.0) |

Templates :: SITE :: beez_20 (2.5.0) | beez5 (2.5.0) | rt_metropolis (1.1) | atomic (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

[chikagoh]

Not finding anything in the logs related to an FTP upload.

The only thing I can find is the script by putting a wrapper on postfix and logging it
Everytime I find the script and remove it, a new script gets used to spam Same script though:

X-Additional-Header: /var/www/vhosts/XXX/httpdocs/cache/Gantry
To: [email protected]
Subject: Lol She's a Screamer
X-PHP-Originating-Script: 48:model.php
From: "Lacy Bray" <[email protected]>
Reply-To:"Lacy Bray" <[email protected]>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

[itoctopus]

Which logs are you checking? Are you checking the Apache access logs? These are the logs that I'm talking about. The file doesn't have to be uploaded through FTP, it can be uploaded using the malicious file that you possibly have on your server. The Apache logs will probably tell you which one it is.

Also, don't forget to change all the passwords.

[chikagoh]

I'm looking at all logs (apache, ftp, etc..). I am pretty certain the script is being uploaded via http, I just cannot find anything in the apache logs.

I've changed the password, and have even deployed a brand new server where the only thing that wasn't new was the web content and mysql database.

[chikagoh]

So I think I have narrowed this down, but I don't know enough about php to determine which script has the security issue.

I removed the latest spam script, and as usual, within 24 hours, a new script has been uploaded elsewhere within the site.

I searched through the http access logfile for the first instance of the spam script, and then greped for the IP associated.

The spam script in question: ---------- 1 apache apache 64890 Dec 13 09:53 view.php

The 09:53 time associated with the first instance (a GET) in my apache log:

91.121.160.169 - - [13/Dec/2014:09:53:12 +0000] "GET /libraries/gantry/core/params/view.php HTTP/1.0" 200 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

But the IP associated has some activity right before the GET:

91.121.160.169 - - [13/Dec/2014:07:13:05 +0000] "POST /plugins/quickicon/index.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:07:13:05 +0000] "POST /libraries/gantry/facets/menu/themes/touch/general.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:07:13:06 +0000] "POST /modules/mod_ce_form/language/code.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:07:13:06 +0000] "POST /libraries/gantry/core/gantryfeature.class.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:08:24:18 +0000] "POST /libraries/gantry/core/renderers/gantryfeaturerenderer.class.php HTTP/1.0" 200 226 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:09:53:12 +0000] "POST /modules/mod_contactinfo/mod_contactinfo.php HTTP/1.0" 200 602 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"


This is where I get lost. I do not have the skills to determine how these scripts work together (if at all), and/or which one could be the issue.

[mandville]

well contact enhanced is several versio n out of date. whats your cron jobs like? whyt has your host said

[Webdongle]

...
Someone keeps uploading a spammer script (php). I find it, I delete it, and then another is uploaded in it's place. ...

You only find what they want you to find. You need to delete all the folders/files on the server and http://forum.joomla.org/viewtopic.php?f=621&t=582854

[Slackervaara]

The free security extension JHackGuard has an option to disable file upload for guests.