Site is sending low-volume spam

Discussion regarding Joomla! 3.x security issues.

dlockesf
Joomla! Apprentice
Posts: 37
Joined: Fri May 19, 2017 9:50 pm

Site is sending low-volume spam

Post by dlockesf » Tue Jul 10, 2018 9:34 pm

I'm getting about two returned messages a day that I haven't sent. They cite my site's php file in the X-PHP-Script line. My ISP believes my site has been hacked. I've just started working my way through the "Recovering from a hack" process. I qualify as a newbie.

FPA output

Problem Description :: Forum Post Assistant (v1.4.3 (Frosty)) : 10th July 2018 wrote: My site is sending low volume spam emails. "Unable to deliver" return emails cite globalsupplytraining.com/index.php for 195.123.219.90
Actions Taken To Resolve by Forum Post Assistant (v1.4.3 (Frosty)) 10th July 2018 wrote:Starting to work my way through "Recover from a Hack" instructions
Forum Post Assistant (v1.4.3 (Frosty)) : 10th July 2018 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.8.10-Stable (Amani) 26-June-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: mysql | PHP Supports J! 3.8.10: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 2.6.32-696.28.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 555.08 GiB |

PHP Configuration :: Version: 5.6.33 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 24567 | Log Errors To: error_log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 100M | Max. POST Size: 1000M | Max. Input Time: 120 | Max. Execution Time: 120 | Memory Limit: 128M

Database Configuration :: Version: 5.6.38 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Host: --protected-- (--protected--) | Localhost: Yes | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 20.90 MiB | #of Tables:  89
Detailed Environment :: wrote:PHP Extensions :: Core (5.6.33) | date (5.6.33) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | hash (1.0) | iconv () | SPL (0.2) | json (1.2.1) | mbstring () | mcrypt () | session () | standard (5.6.33) | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | mysqli (0.1) | Phar (2.0.2) | posix () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | mysql (1.0) | SimpleXML (0.1) | soap () | sockets () | imap () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.12.5) | cgi-fcgi () | suhosin (0.9.38) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.6.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 576756 | Threads: 2 | Questions: 45263390 | Slow queries: 32 | Opens: 134780 | Flush tables: 1 | Open tables: 2000 | Queries per second avg: 78.479 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party::

Components :: ADMIN ::
Core :: com_finder (3.0.0) 1 | com_menus (3.0.0) 1 | com_plugins (3.0.0) 1 | com_installer (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_joomlaupdate (3.6.2) 1 | com_redirect (3.0.0) 1 | com_config (3.0.0) 1 | com_templates (3.0.0) 1 | com_admin (3.0.0) 1 | com_cache (3.0.0) 1 | com_modules (3.0.0) 1 | com_search (3.0.0) 1 | com_media (3.0.0) 1 | com_users (3.0.0) 1 | com_messages (3.0.0) 1 | com_content (3.0.0) 1 | com_languages (3.0.0) 1 | com_banners (3.0.0) 1 | com_tags (3.1.0) 1 | com_associations (3.7.0) 1 | com_newsfeeds (3.0.0) 1 | com_ajax (3.2.0) 1 | com_login (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_fields (3.7.0) 1 | com_cpanel (3.0.0) 1 |
3rd Party:: COM_COMMENT (6.0.3) 1 | Akeeba (6.1.1) 1 |

Modules :: SITE ::
Core :: mod_wrapper (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_banners (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_login (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_articles_categories (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_search (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_whosonline (3.0.0) 1 |
3rd Party::

Modules :: ADMIN ::
Core :: mod_status (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_version (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_login (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_title (3.0.0) 1 |
3rd Party::

Plugins :: SITE ::
Core :: plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_stats (3.5.0) 1 | plg_system_log (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_p3p (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_content_pagenavigation (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_loadmodule (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_vote (3.0.0) 0 | plg_installer_webinstaller (1.1.1) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_editors-xtd_pagebreak (3.0.0) 1 | 
plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_search_content (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_captcha_recaptcha (3.4.0) 0 |
3rd Party:: PLG_SYSTEM_AKEEBAUPDATECHECK_T (1.1) 1 | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) 1 | manage.myJoomla.com Secure Plu (n/a) 1 | Content - CComment (6.0.3) 0 | plg_quickicon_akeebabackup (1.0) 1 | Search - CComment (6.0.3) 0 | plg_editors_codemirror (5.38.0) 1 | plg_editors_tinymce (4.5.8) 1 | K2 Plugin - CComment (6.0.3) 0 |
Templates Discovered :: wrote:Templates :: SITE :: js_onyx (3.1.0) 1 | protostar (1.0) 1 | beez3 (3.1.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |
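
Added example (not part of the original posts): a small triage script that pulls the `X-PHP-Script` header out of returned bounce messages, so the script path and client address recorded for each unsent message can be tallied. The header layout `<host>/<script> for <client address>` is assumed from the wording quoted in the FPA description above; the sample bounce is constructed and the function names are hypothetical.

```python
import email
import re
from collections import Counter
from email import policy

# Assumed header layout, taken from the wording quoted in the FPA description:
#   X-PHP-Script: <host>/<script> for <client address>
HEADER_RE = re.compile(r"^(?P<script>\S+)\s+for\s+(?P<client>.+)$")

# Constructed sample bounce (documentation domains and addresses only).
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; boundary="BOUND"

--BOUND
Content-Type: text/plain

Unable to deliver message to recipient@example.com.

--BOUND
Content-Type: message/rfc822

Subject: constructed sample
X-PHP-Script: www.example.org/index.php for 192.0.2.10

body

--BOUND--
"""

def php_script_hits(raw_bounce):
    """Return (script, client) pairs from a bounce and the original it returns."""
    msg = email.message_from_string(raw_bounce, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into message/rfc822 parts
        candidates = [part]
        # Some mail servers return only the original headers as a text part.
        if part.get_content_type() == "text/rfc822-headers":
            candidates.append(email.message_from_string(part.get_content(), policy=policy.default))
        for cand in candidates:
            for value in cand.get_all("X-PHP-Script", []):
                m = HEADER_RE.match(str(value).strip())
                if m:
                    hits.append((m.group("script"), m.group("client").strip()))
    return hits

def summarise(bounces):
    """Count (script, client) pairs across bounces, most frequent first."""
    return Counter(h for b in bounces for h in php_script_hits(b)).most_common()
```

The client addresses it reports can then be looked up in the web server access log for requests to the named script around the time each message was sent.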

Webdongle
Joomla! Master
Posts: 36105
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site is sending low-volume spam

Post by Webdongle » Wed Jul 11, 2018 9:24 am

Do you have Registration set to self? If so then enable Recaptcha.
Where did you download the Template from?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

dlockesf
Joomla! Apprentice
Posts: 37
Joined: Fri May 19, 2017 9:50 pm

Re: Site is sending low-volume spam

Post by dlockesf » Wed Jul 11, 2018 7:34 pm

I downloaded the fpa from the zip version on viewtopic.php?t=582860.

I had ccomment installed without any requirement for registration. Actually, I don't see how to require registration, but I just started to look. I disabled ccomment and the low-level spam continued. It was disabled when I did the fpa. It's re-enabled now. I wasn't using Recaptcha. Should I run fpa again?

sozzled
Joomla! Champion
Posts: 6049
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Site is sending low-volume spam

Post by sozzled » Wed Jul 11, 2018 8:44 pm

As a general comment, whenever I read topics that discuss issues about why people's websites "start" sending spam, the people who ask these kinds of questions should really be looking first in a mirror. As a general comment, spam happens because people's websites allow it to happen!

While there's no precise about where spam comes from, most spam originates from one of the following sources:

a) Someone advertises their email address on their website so that anyone can see it; this is like saying, "We're here for your spam."
b) Contact forms that do not require user registration before they're accessible; it doesn't matter if there's CAPTCHA "protection" or not: it's almost the same as in case (a) above.
c) Article commenting extensions; there's usually a lower risk of attracting spam here but, as long as the commenting extension doesn't allow any posting by unregistered people without approval by a moderator, these kinds of posts are not usually displayed to the public.
d) Forum components that allow public (or anonymous) posting. Unless you're prepared to examine (and approve for publishing) every message posted on your forums, keep your forums secured by requiring people to register on your site first.

CAPTCHA is next-to-useless to prevent spam. CAPTCHA reduces the overall amount of spam, or reduces the rate at which people receive spam, but it doesn't (and it can't) prevent spam. So, it doesn't really matter if you re-post your FPA report or not.

The quantity of spam is also not dependent on which site template people use. You can get spam regardless of whether you spent a few hundred dollars for a template from a reputable developer or whether you use Protostar.

Spam is also not dependent on whether websites allow "self-registration" or not. The rules that you implement as far as checking whether people can register their own accounts with a website may help to reduce the level of spam.

CComment comes in two flavours: there's a free version and a pro version. There's better security in the pro version; whether it's worth a few dollars for that additional security is your decision.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

Webdongle
Joomla! Master
Posts: 36105
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site is sending low-volume spam

Post by Webdongle » Wed Jul 11, 2018 9:53 pm

dlockesf wrote:I downloaded the fpa from the zip version on viewtopic.php?t=582860 ...?
Perhaps you should look at the question again
Webdongle wrote: ...
Where did you download the Template from?

Also I asked ... Do you have Registration set to self? If so then enable Recaptcha.

dlockesf
Joomla! Apprentice
Posts: 37
Joined: Fri May 19, 2017 9:50 pm

Re: Site is sending low-volume spam

Post by dlockesf » Wed Jul 11, 2018 10:27 pm

Webdongle, remember I'm a beginner and beginners are likely to misunderstand questions.

I got js_onyx from Joomlashack.

Where do I find a Registration setting? OK, I found it. "Allow registration" is set to No.

Regards,
Last edited by dlockesf on Wed Jul 11, 2018 10:45 pm, edited 1 time in total.

dlockesf
Joomla! Apprentice
Posts: 37
Joined: Fri May 19, 2017 9:50 pm

Re: Site is sending low-volume spam

Post by dlockesf » Wed Jul 11, 2018 10:32 pm

Sozzled, I believe my contact email address is obfuscated. Also, the spam I'm sending shows a different sending address than the obfuscated one on the web site.

I do fall into category c. Yes, I have to approve posts. So far I haven't had any. I can keep up! This is kind of a pro forma web site, just to show I do have a business going.

Regards

Webdongle
Joomla! Master
Posts: 36105
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site is sending low-volume spam

Post by Webdongle » Thu Jul 12, 2018 12:40 am

dlockesf wrote:... remember I'm a beginner and beginners are likely to misunderstand questions....
What, by reading 'Template' as 'fpa'?


dlockesf wrote:...
I got js_onyx from Joomlashack....
They are reputable no problem there.

dlockesf wrote:...
Where do I find a Registration setting? OK, I found it. "Allow registration" is set to No.
...
Do you have any form that sends a copy to the person submitting it?

dlockesf
Joomla! Apprentice
Posts: 37
Joined: Fri May 19, 2017 9:50 pm

Re: Site is sending low-volume spam

Post by dlockesf » Thu Jul 12, 2018 8:49 pm

No, no copy of submittals is sent to the submitter.

