com_mailto used for spam.

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

stanko75
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Thu Oct 11, 2007 11:13 am
Location: Ljubljana
Contact:

com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 7:53 am

Hello,

This morning I realised that, using that component, anyone can send an e-mail to anyone from my site! This means it was used for spam!

From the log, I realized that spammers were using a link like:

Code:

/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2pvb21sYS50cmluZXQuc2kvaW5kZXgucGhwP3ZpZXc9YXJ0aWNsZSZpZD0yNTEzNCZvcHRpb249Y29tX2FscGhhY29udGVudCZJdGVtaWQ9Njc

In my case, it would be:

http://www.milosev.com/index.php?option ... GVtaWQ9Njc

For now, I just deleted that component.

Does anyone have experience with it, and what is the best solution to stop spammers from using that component for spamming?

Thank you in advance,
Stanko.
Last edited by mandville on Mon Jan 25, 2010 11:58 am, edited 1 time in total.
Reason: wrapped code for readability
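
Added example, not part of the original post: one way to review a web access log for the kind of request shown above. It counts com_mailto requests per client and decodes the base64 `link` parameter so that links pointing away from your own site stand out; the function names, threshold, log lines, IPs and domains are all constructed for illustration.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Client IP and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_link(value):
    """Decode the base64 `link` value; None if it is missing or invalid."""
    if not value:
        return None
    value = value.replace(" ", "+")           # parse_qs turns '+' into a space
    padded = value + "=" * (-len(value) % 4)  # trailing '=' may be stripped in URLs
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def scan(lines, own_host, threshold=3):
    """Return (hits per IP, IPs at or over threshold, links not on own_host)."""
    hits, foreign = Counter(), []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        query = parse_qs(urlsplit(target).query)
        if query.get("option") != ["com_mailto"]:
            continue
        hits[ip] += 1
        link = decode_link(query.get("link", [""])[0])
        try:
            host = urlsplit(link).hostname if link else None
        except ValueError:                    # malformed URL inside the link
            host = None
        if host != own_host:
            foreign.append((ip, link))
    noisy = sorted(ip for ip, n in hits.items() if n >= threshold)
    return hits, noisy, foreign

def sample_line(ip, link_url):
    """Build one constructed log line carrying an unpadded base64 link."""
    token = base64.b64encode(link_url.encode()).decode().rstrip("=")
    return (f'{ip} - - [25/Jan/2010:06:00:00 +0100] "GET /index.php?option=com_mailto'
            f'&tmpl=component&link={token} HTTP/1.1" 200 5120')

# Constructed sample data: documentation IP ranges and example domains.
SAMPLE = ([sample_line("203.0.113.7", "http://www.example.org/index.php?view=article&id=1")]
          + [sample_line("198.51.100.9", "http://spam.example.net/offer")] * 4)
```

Calling `scan(SAMPLE, own_host="www.example.org")` returns the per-client counts, the clients at or above the threshold, and every request whose decoded link does not point at the site's own host.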

lafrance
Joomla! Ace
Joomla! Ace
Posts: 1116
Joined: Thu Jan 11, 2007 5:02 pm
Location: Alberta,Canada
Contact:

Re: com_mailto used for spam.

Post by lafrance » Mon Jan 25, 2010 9:15 am

Hello.

As I have never seen or heard of this, you may want to follow the steps below.
As com_mailto only does what it is supposed to.

1. Run the forum post assistant and security tool

2. Ensure you have the latest version of Joomla. We recommend update manager

3. Review Vulnerable Extensions List

4. Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

5. Change all passwords and if possible user names for the website host control panel and your Joomla site. This includes FTP, cPanel, etc.

6. Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.
VEL contributor @ http://docs.joomla.org/Investigation_of_exploits
OSM,Trademark and Licensing Team,jed editor
Please no pm direct contact irc freenode.net #joomla

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 9:27 am

Thank you for your answer!

I was not hacked; I think that this is, maybe, a bit of a security hole in Joomla!

I also checked the logs from my company, and I saw a lot of queries with the link which I posted.

Luckily, in my company I didn't set up Mail Settings, so it is impossible to send an e-mail from the web site of my company.

Try it yourself: install Joomla! and set the mail settings so that it is possible to send mail from your web site. After that, try the query which I posted in my first post, and you will see that you are able to send an e-mail to anyone! This can be easily exploited by spammers!

mandville
Joomla! Master
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 12:00 pm

What you are picking up on is this
E-mail this link to a friend
Is this a large amount of traffic? Would the site be expected to email a friend?
If you are concerned that it is a security hole or bug then please go to http://developer.joomla.org/ and report to the appropriate people
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 12:49 pm

Yes, I left that option open, so people can e-mail an article to a friend, but that option is abused by spammers, and because of that my domain is blacklisted.

Thank you, I will report as a security hole.

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 1:15 pm

I checked your domain IP and host's IP and couldn't find them in Spamhaus, so not sure where you are getting blacklisted reports from.
It may be an idea to get your outgoing mail log to see the content that's being sent to find the content of this mail.
If you are a shared IP then it will no doubt affect all your host's customers and eventually them.
Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 2:40 pm

I am blacklisted in SORBS-SPAM; I was using this link to check myself:

http://www.mxtoolbox.com/SuperTool.aspx ... ilosev.com

I am on a shared IP, I know; there is a possibility that someone else is also spamming, but I suspect that the problem is with me, because I already changed host server, where I also had problems with spam.

I still didn't report it, since I want to check once again on a clean install, just to be sure, before reporting it as a security issue.

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 3:40 pm

I would contact your host to get them to get the flags removed, or go direct to 3ix, who I think are actually the upstream host. You could try and get a delist yourself.
Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 3:44 pm

I already tried all that :) First time it was about 7 days ago, and last time, again, about two days ago, and this morning I realized that until now anyone could send an e-mail through my web page...

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 7:33 pm

My apologies, now I checked everything, and the problem was:

6. Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.

I am sorry.

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 7:38 pm

Just to confirm there is no confusion, were your permissions set as something different?
Was a phishing/mail script installed?
Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 7:59 pm

I am not completely sure. I installed a clean Joomla! and tested; then I realized that the link which I posted is not working; then I changed permissions and I could send an e-mail.

For sure, before I deleted com_mailto I could send an e-mail, now I can't.

Is there an easy way to check if a phishing/mail script is installed? Or do I have to look at my logs?

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 8:14 pm

Get your host to show you how to check your mail server logs. Only you know what was on the server.
Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 8:43 pm

Thank you, I sent support ticket to my host.

jeffchannell
Joomla! Ace
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: com_mailto used for spam.

Post by jeffchannell » Wed Jan 19, 2011 7:21 pm

http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι

