Little spam using class.phpmailer.php Topic is solved

Discussion regarding Joomla! 3.x security issues.

danjde
Joomla! Intern
Posts: 69
Joined: Mon Dec 28, 2009 1:48 pm

Little spam using class.phpmailer.php

Post by danjde » Tue Aug 07, 2018 3:15 pm

Hi Friends,
my site, Joomla 3.8.10, sends about two emails every week from the yandex.ru domain or from Russia.
The emails are sent via "/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php".


[05-Aug-2018 14:16:03 Europe/Berlin] mail() on [/var/www/mysite.net/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:702]: To: loginjofDRbir2018@yandex.ru -- Headers: Date: Sun, 5 Aug 2018 14:16:03 +0200 From: HORSE <info@mysite.net> Reply-To: sommemires <loginjofDRbir2018@yandex.ru> Message-ID: <172561a751824a87c5df176a8fb2eaea@mysite.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
I've enabled the "PHP mail.log directive", but I can only see that the spam is sent via "class.phpmailer.php".
How could I identify the responsible script?
Or, alternatively, block the sending by domain?


Many many thanks!

Davide
http://www.cosmogonia.org - cosmogoniA
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e

toivo
Joomla! Master
Posts: 10093
Joined: Thu Feb 15, 2007 5:48 am
Location: Oxford, UK

Re: Little spam using class.phpmailer.php

Post by toivo » Tue Aug 07, 2018 3:23 pm

Please post the output from the Forum Post Assistant (FPA), run at your Joomla site, by following the instructions at viewtopic.php?f=714&t=793531
Toivo Talikka, Global Moderator
my first programs were assembled and run in 16KB :)
troubleshooting smtp and other articles https://talikka.com/joomla

danjde
Joomla! Intern
Posts: 69
Joined: Mon Dec 28, 2009 1:48 pm

Re: Little spam using class.phpmailer.php

Post by danjde » Tue Aug 07, 2018 3:51 pm

Thanks @toivo, here the output:
Forum Post Assistant (v1.4.3 (Frosty)) : 7th August 2018
Problem Description :: Little spam using class.phpmailer.php
Basic Environment ::
Joomla! Instance :: Joomla! 3.8.10-Stable (Amani) 26-June-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 1 | CacheTime: 30 | CacheHandler: memcache | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 60 | Session handler: database | Shared sessions: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 1 | dbConnection Type: mysql | PHP Supports J! 3.8.10: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.16.0-4-amd64 | Technology: x86_64 | Web Server: Apache/2.4.10 (Debian) | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 234.40 GiB |

PHP Configuration :: Version: 5.6.33-0+deb8u1 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 10M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 300 | Memory Limit: 128M

Database Configuration :: Version: 5.5.59-0+deb8u1-log (Client:5.5.59) | Host: --protected-- (--protected--) | Localhost: Yes | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 15.25 MiB | #of Tables: 143
Detailed Environment ::
PHP Extensions :: Core (5.6.33-0+deb8u1) | date (5.6.33-0+deb8u1) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gettext () | SPL (0.2) | iconv () | mbstring () | session () | posix () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | standard (5.6.33-0+deb8u1) | shmop () | SimpleXML (0.1) | soap () | sockets () | Phar (2.0.2) | exif (1.4 $Id: 1c8772f76be691b7b3f77ca31eb788a2abbcefe5 $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.12.5) | apache2handler () | PDO (1.0.4dev) | apcu (4.0.7) | curl () | gd () | intl (1.1.0) | json (1.3.6) | mcrypt () | memcache (3.0.8) | memcached (2.2.0) | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | pspell () | readline (5.6.33-0+deb8u1) | sqlite3 (0.7-dev) | tidy (2.0) | mhash () | apc (4.0.7) | Zend OPcache (7.0.6-devFE) | Zend Engine (2.6.0) |
Potential Missing Extensions ::
Disabled Functions :: pcntl_alarm | pcntl_fork | pcntl_waitpid | pcntl_wait | pcntl_wifexited | pcntl_wifstopped | pcntl_wifsignaled | pcntl_wexitstatus | pcntl_wtermsig | pcntl_wstopsig | pcntl_signal | pcntl_signal_dispatch | pcntl_get_last_error | pcntl_strerror | pcntl_sigprocmask | pcntl_sigwaitinfo | pcntl_sigtimedwait | pcntl_exec | pcntl_getpriority | pcntl_setpriority | |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_so | mod_watchdog | http_core | mod_log_config | mod_logio | mod_version | mod_unixd | mod_access_compat | mod_alias | mod_auth_basic | mod_authn_core | mod_authn_file | mod_authz_core | mod_authz_host | mod_authz_user | mod_autoindex | mod_cache | mod_cache_disk | mod_deflate | mod_dir | mod_env | mod_expires | mod_ext_filter | mod_file_cache | mod_filter | mod_headers | mod_mime | prefork | mod_negotiation | mod_php5 | mod_proxy | mod_reqtimeout | mod_rewrite | mod_security2 | mod_setenvif | mod_socache_shmcb | mod_ssl | mod_status | mod_unique_id | Apache/2.4.10 (Debian) |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (775) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) :: libraries/f0f/ (775) | libraries/f0f/form/ (775) | libraries/f0f/form/field/ (775) | libraries/f0f/form/header/ (775) | libraries/f0f/input/ (775) | libraries/f0f/query/ (775) | libraries/f0f/toolbar/ (775) | libraries/foxcontact/ (775) | libraries/foxcontact/foxhtml/ (775) | libraries/foxcontact/loader/ (775) |
Database Information ::
Database statistics :: Uptime: 2687328 | Threads: 4 | Questions: 37044703 | Slow queries: 61 | Opens: 29795 | Flush tables: 1 | Open tables: 400 | Queries per second avg: 13.784 |
Extensions Discovered ::
Components :: SITE ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_LINKS_JOOMLALINKS_TITLE (2.6.31) 1 | WF_LINK_SEARCH_TITLE (2.6.31) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.31) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.31) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.31) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.31) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.31) 1 | WF_POPUPS_WINDOW_TITLE (2.6.31) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.31) 1 | WF_PRINT_TITLE (2.6.31) 1 | WF_VISUALCHARS_TITLE (2.6.31) 1 | WF_FORMATSELECT_TITLE (2.6.31) 1 | WF_LINK_TITLE (2.6.31) 1 | WF_EMOTIONS_TITLE (2.6.31) 1 | WF_MICRODATA_TITLE (1.0.10) 1 | WF_IMGMANAGER_TITLE (2.6.31) 1 | WF_MEDIA_TITLE (2.6.31) 1 | WF_FONTCOLOR_TITLE (2.6.31) 1 | WF_STYLE_TITLE (2.6.31) 1 | WF_PREVIEW_TITLE (2.6.31) 1 | WF_ARTICLE_TITLE (2.6.31) 1 | WF_FILEMANAGER_TITLE (2.1.9) 1 | WF_STYLESELECT_TITLE (2.6.31) 1 | WF_SPELLCHECKER_TITLE (2.6.31) 1 | WF_TABLE_TITLE (2.6.31) 1 | WF_SOURCE_TITLE (2.6.31) 1 | WF_FULLSCREEN_TITLE (2.6.31) 1 | WF_CONTEXTMENU_TITLE (2.6.31) 1 | WF_SEARCHREPLACE_TITLE (2.6.31) 1 | WF_IFRAME_TITLE (2.1.3) 1 | WF_FONTSELECT_TITLE (2.6.31) 1 | WF_CAPTION_TITLE (2.1.13) 1 | WF_NONBREAKING_TITLE (2.6.31) 1 | WF_MEDIAMANAGER_TITLE (2.0.16) 1 | WF_BROWSER_TITLE (2.6.31) 1 | WF_CLIPBOARD_TITLE (2.6.31) 1 | WF_ANCHOR_TITLE (2.6.31) 1 | WF_INLINEPOPUPS_TITLE (2.6.31) 1 | WF_HR_TITLE (2.6.31) 1 | WF_LISTS_TITLE (2.6.31) 1 | WF_CLEANUP_TITLE (2.6.31) 1 | WF_XHTMLXTRAS_TITLE (2.6.31) 1 | WF_CHARMAP_TITLE (2.6.31) 1 | WF_DIRECTIONALITY_TITLE (2.6.31) 1 | WF_VISUALBLOCKS_TITLE (2.6.31) 1 | WF_FONTSIZESELECT_TITLE (2.6.31) 1 | WF_AUTOSAVE_TITLE (2.6.31) 1 | WF_KITCHENSINK_TITLE (2.6.31) 1 | WF_TEXTCASE_TITLE (2.6.31) 1 | WF_IMGMANAGER_EXT_TITLE (2.0.32) 1 | WF_LAYER_TITLE (2.6.31) 1 |

Components :: ADMIN ::
Core :: com_fields (3.7.0) 1 | com_languages (3.0.0) 1 | com_content (3.0.0) 1 | com_redirect (3.0.0) 1 | com_plugins (3.0.0) 1 | com_finder (3.0.0) 1 | com_checkin (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_weblinks (3.6.0) 1 | com_config (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_banners (3.0.0) 1 | com_categories (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_installer (3.0.0) 1 | com_ajax (3.2.0) 1 | com_admin (3.0.0) 1 | com_cache (3.0.0) 1 | com_tags (3.1.0) 1 | com_cpanel (3.0.0) 1 | com_templates (3.0.0) 1 | com_messages (3.0.0) 1 | com_users (3.0.0) 1 | com_search (3.0.0) 1 | com_menus (3.0.0) 1 | com_modules (3.0.0) 1 | com_associations (3.7.0) 1 |
3rd Party:: RokGallery (2.42) 1 | COM_FOXCONTACT (3.4.2) 1 | COM_J4SCHEMA (5.3.0) 1 | J4Schema (2.1.0) 1 | ImageShow (5.0.9) 1 | ImageShow (5.0.9) 1 | RokSprocket (2.1.23) 1 | com_slideshowfx (6.09.00) 0 | COM_JCE (2.6.31) 1 | COM_GANTRY (4.1.35) 1 | COM_OSMAP (4.2.18) 1 | COM_SPAMPROTECT (1.1.0) 1 |

Modules :: SITE ::
Core :: mod_custom (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_search (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_weblinks (3.6.0) 1 | mod_languages (3.5.0) 1 | mod_finder (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_login (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_menu (3.0.0) 1 |
3rd Party:: JSN ImageShow (5.0.9) 1 | Flickrberry (1.0.0) 1 | RokMiniEvents3 (3.0.3) 1 | mod_slideshowfx (6.09.00) 0 | mod_eprivacy (2.14) 0 | mod_jbcookies (3.0.9) 1 | RokAjaxSearch (2.0.4) 1 | RokGallery Module (2.42) 1 | Insert Article (1.8) 1 | RokWeather (2.0.4) 1 | RokNavMenu (2.0.9) 1 | Brilliant Instajoom (1.0.0) 1 | RokFeatureTable (1.7) 1 | RokSprocket Module (2.1.23) 1 | MOD_FOXCONTACT (3.4.2) 1 | mod_viktripadvisorreview (2.0) 1 |

Modules :: ADMIN ::
Core :: mod_custom (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_status (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_login (3.0.0) 1 | mod_title (3.0.0) 1 | mod_version (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_menu (3.0.0) 1 |
3rd Party:: JSN ImageShow Quick Icons (5.0.9) 1 |

Plugins :: SITE ::
Core :: plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_fields (3.7.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_redirect (3.0.0) 0 | plg_system_updatenotification (3.5.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagecode (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_languagefilter (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_debug (3.0.0) 1 | plg_captcha_recaptcha (3.4.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_search_contacts (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_weblinks (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.1.1) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_extension_joomla (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_weblinks (3.6.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_user (3.7.0) 1 | 
plg_fields_textarea (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 |
3rd Party:: Editor - RokPad (2.1.9) 1 | plg_editors_tinymce (4.5.8) 1 | plg_editors_codemirror (5.38.0) 1 | plg_editors_jce (2.6.31) 1 | Button - ImageShow (5.0.9) 1 | Button - RokGallery (2.42) 1 | plg_editors-xtd_sourcerer (7.2.0) 1 | PLG_USER_SPAMPROTECT (1.0.2) 1 | Content - JSN ImageShow (5.0.9) 1 | plg_sfx (6.09.03) 0 | plg_content_foxcontact (3.4.2) 1 | PLG_SIGE (3.2.4) 1 | plg_content_jce (2.6.31) 1 | Content - RokInjectModule (1.7) 1 | System - JSN ImageShow (5.0.9) 1 | System - Gantry 4 (4.1.35) 1 | PLG_SYSTEM_FMALERTCOOKIES (1.3.5) 0 | PLG_SYS_ADMINEXILE (2.3.6) 1 | PLG_SYS_HEADTAG (2.5) 0 | System - RokGallery (2.42) 1 | plg_system_sourcerer (7.2.0) 1 | System - RokNavMenu Export (2.0.1) 1 | PLG_SYS_MOOTABLE (1.1.2) 1 | System - JCE MediaBox (1.2.9) 1 | System - RokExtender (2.0.0) 1 | Abivia.net SuperTable Free Plu (2.0.5) 1 | System - RokSprocket (2.1.23) 1 | plg_system_jsnframework (2.0.2) 1 | plg_system_regularlabs (18.2.10140) 1 | plg_system_jce (2.6.31) 1 | System - RokCommon (3.2.5) 1 | CacheControl (1.1) 0 | plg_system_ossystem (1.3.0) 1 | PLG_RESPONSIVESCROLLINGTABLES (1.2.2) 0 | System - Microdata or RDFa sem (0.1.0) 1 | PLG_SYS_EPRIVACY (2.14) 0 | Theme Flow (1.1.3) 1 | Theme Slider (1.2.8) 1 | Theme Flip (1.0.2) 1 | Theme Masonry (1.0.7) 1 | Theme Grid (1.2.8) 1 | Source Joomgallery (1.0.4) 1 | Theme Pile (1.0.5) 1 | Source Picasa (1.1.8) 1 | Theme Strip (1.1.4) 1 | Theme Carousel (1.1.5) 1 | Theme Classic (1.4.1) 1 | Installer - J4Schema (1.0.0) 1 | plg_installer_jce (2.6.31) 1 | OSMap - Virtuemart Plugin (3.3.0) 0 | OSMap - WebLinks Plugin (3.3.0) 1 | OSMap - SobiPro Plugin (3.3.0) 0 | PLG_OSMAP_JOOMLA (4.2.18) 1 | OSMap - Mosets Tree Plugin (3.3.0) 0 | OSMap - Kunena Plugin (3.3.0) 0 | OSMAP_PLUGIN_K2 (3.3.0) 0 | plg_extension_jce (2.6.31) 1 | plg_fields_mediajce (2.6.31) 1 | plg_quickicon_jce (2.6.31) 1 |
Templates Discovered ::
Templates :: SITE :: rt_osmosis (1.9) 1 | protostar (1.0) 0 | beez3 (3.1.0) 0 |
Templates :: ADMIN :: isis (1.0) 1 | hathor (3.0.0) 1 |

toivo
Joomla! Master
Posts: 10093
Joined: Thu Feb 15, 2007 5:48 am
Location: Oxford, UK

Re: Little spam using class.phpmailer.php

Post by toivo » Tue Aug 07, 2018 4:28 pm

You should keep the third party extensions up to date, for example Fox Contact Form 3.4.2 - the current version is 3.8.1.

The list of elevated permissions has several folders with permissions 775 when they should be 755.

You could use a service to audit the site, for example myJoomla.com, where the first audit is free.

danjde
Joomla! Intern
Posts: 69
Joined: Mon Dec 28, 2009 1:48 pm

Re: Little spam using class.phpmailer.php

Post by danjde » Tue Aug 07, 2018 5:01 pm

Hi @toivo and thanks for your kind help!
I've fixed the folder permissions and will soon upgrade Fox Contact.

In relation to my original question, is there a way to detect the script that uses "class.phpmailer.php"?

Many thanks again!

Davide

toivo
Joomla! Master
Posts: 10093
Joined: Thu Feb 15, 2007 5:48 am
Location: Oxford, UK

Re: Little spam using class.phpmailer.php

Post by toivo » Tue Aug 07, 2018 5:22 pm

Methods in the script libraries/vendor/phpmailer/phpmailer/class.phpmailer.php, like isMail(), isSMTP() and send(), are used by the Joomla! core and by most extensions that utilise Joomla's Mail class, which extends the PHPMailer class.

sozzled
Joomla! Champion
Posts: 6080
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Little spam using class.phpmailer.php

Post by sozzled » Tue Aug 07, 2018 7:13 pm

I don't know whether this may be helpful to the situation but I've observed many [unsuccessful] attempts to probe a few of the websites that I manage by seeking the existence of the Fox Contact component. It seems that this component is a popular one among would-be hackers attempting to infiltrate unprotected websites that have not been properly maintained.

I rarely use "contact forms" myself—they're usually more trouble than they're worth because of the likelihood that most of the time the emails they generated are time-wasting questions or spam. However, if I did want to use a contact form, I probably would not choose Fox Contact because it has had a checkered history of exploitation. I'm not saying that the current version of Fox Contact is unreliable—I have no idea whether it is or whether it isn't—and I don't want to cast doubt on the sincerity of its developer to rectify weaknesses that have been discovered in the past, but I would suggest that people exercise caution in two areas:

1) Contact forms are notorious sources of spam; and

2) Visits to your websites from yandex.ru are also notorious sources of spam.

It's entirely an individual choice whether to use contact forms or allow contact forms to be used by yandex.ru email addresses. Having written that, contact forms and yandex.ru email addresses are not without creating problems for website owners.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

danjde
Joomla! Intern
Posts: 69
Joined: Mon Dec 28, 2009 1:48 pm

Re: Little spam using class.phpmailer.php

Post by danjde » Tue Aug 07, 2018 10:09 pm

Thanks to @toivo for his tips (I've done a free audit by myJoomla.com, but it did not find any significant things)!
And thanks to @sozzled for his advice around the contact forms.

I've set some Joomla options correctly (as myJoomla.com suggests):

email to friend --> OFF
text filtering settings to not allow the default Administrator user group to enter unfiltered content
block Flash files from being uploaded through Joomla
set Error Reporting in Joomla's Global Configuration to None
remove "Never Logged In" accounts
set 'display_errors' in php.ini ---> OFF
set the session.gc_probability value to 1


many thanks to all

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1163
Joined: Sat Aug 20, 2005 12:32 pm
Location: Weymouth, UK

Re: Little spam using class.phpmailer.php

Post by PhilTaylor-Prazgod » Wed Aug 08, 2018 8:29 am

I've done a free audit by myJoomla.com, but it did not find any significant things
Factually incorrect.

The audit actually shows a LOT wrong with your out-of-date site.

I'm not going to out you here, but I suggest you review the Snapshot and Audit results again, as there are clear actionable things that you have not fixed and that will allow spamming.
Phil Taylor - Full Time Joomla/PHP Security Expert
Blue Flame Digital Solutions Limited.
-- https://myJoomla.com/ Multi Award Winning Joomla Security & Auditing Service
-- https://www.phil-taylor.com/

danjde
Joomla! Intern
Posts: 69
Joined: Mon Dec 28, 2009 1:48 pm

Re: Little spam using class.phpmailer.php

Post by danjde » Thu Aug 09, 2018 5:06 pm

Maybe I didn't express myself correctly.
The audit helped me a lot with the correct configuration of the site.
What I wanted to say is that it did not show me any modified software used to send spam.
Probably the problem was that the settings of my site were too permissive.

Now I will keep the situation under control and then update the post.

Thanks to all!

Davide

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1163
Joined: Sat Aug 20, 2005 12:32 pm
Location: Weymouth, UK

Re: Little spam using class.phpmailer.php

Post by PhilTaylor-Prazgod » Thu Aug 09, 2018 5:09 pm

But still you have left the "Mail To Friend" feature of Joomla core enabled, which allows the kind of spam you are reporting as having...

The audit CLEARLY tells you that.

danjde
Joomla! Intern
Posts: 69
Joined: Mon Dec 28, 2009 1:48 pm

Re: Little spam using class.phpmailer.php

Post by danjde » Thu Aug 09, 2018 5:15 pm

PhilTaylor-Prazgod wrote:
Thu Aug 09, 2018 5:09 pm
But still you have left the "Mail To Friend"
No, I've disabled it, as suggested.
Look here: https://www.veronalive.it/agenda/arte-e ... zione.html
or here: https://www.veronalive.it/primo-piano/t ... 34437.html

Thanks a lot! ;)

danjde
Joomla! Intern
Posts: 69
Joined: Mon Dec 28, 2009 1:48 pm

Re: Little spam using class.phpmailer.php

Post by danjde » Sat Aug 11, 2018 4:04 pm

Nothing!
I've seen today that a (spam) mail was sent anyway.

[11-Aug-2018 07:44:37 Europe/Berlin] mail() on [/var/www/veronalive.it/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:702]: To: folterix@yandex.com -- Headers: Date: Sat, 11 Aug 2018 07:44:37 +0200 From: "Redazione veronalive.it" <info@veronalive.it> Reply-To: JalonHoM <folterix@yandex.com> Message-ID: <cee78392b45bf19042b2813839a6e29c@veronalive.it> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit

I had started a previous thread on Joomla Italy, where they said that this issue is caused by human intervention and so is unmanageable...

Mah!?

But is it not possible to prevent class.phpmailer.php mailing to these addresses? A sort of blacklist?

Thanks again
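The two questions in this thread (which script or request is behind a send, and whether sends to a domain can be caught) can be worked on from the logs the poster already has. The script below is an added example for this thread, not code from Joomla, PHPMailer or any poster. It parses mail.log lines of the shape quoted above, flags every entry whose To: or Reply-To: domain is on a blocklist, and lists the web requests logged in the seconds before each flagged send: mail.log records only the last PHP file that called mail(), which in Joomla is always PHPMailer (toivo's point), so the component or form behind a send has to be found by matching timestamps against the web server's access log. Everything in it is assumed or constructed: the log lines, IP addresses, domains and request paths are sample data, the access log is taken to be Apache combined format, and both logs are taken to be in the same local timezone.

```python
"""Triage PHP mail.log entries: flag sends to blocked domains and list the web requests
logged just before each flagged send. Added example; all sample data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Shape PHP's mail.log directive writes: [05-Aug-2018 14:16:03 Europe/Berlin] mail() on [/f.php:702]: To: a@b -- Headers: ...
MAIL_RE = re.compile(
    r"^\[(?P<date>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) [^\]]*\] mail\(\) on "
    r"\[(?P<script>[^\]]+):(?P<line>\d+)\]: To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)
HEADER_NAMES = ("Date", "From", "Reply-To", "Message-ID", "MIME-Version",
                "Content-Type", "Content-Transfer-Encoding")
_ALT = "|".join(re.escape(h) for h in HEADER_NAMES)
# mail.log flattens the headers onto one line, so split them on "Name: " boundaries.
HEADER_RE = re.compile(rf"(?P<key>{_ALT}): (?P<val>.*?)(?=\s(?:{_ALT}): |$)")
ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")
# Apache combined log (assumed): ip - - [05/Aug/2018:14:16:02 +0200] "POST /p HTTP/1.1" 303 412
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>[^ \]]+) [^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

@dataclass
class MailEvent:
    when: datetime
    script: str   # the PHP file that called mail(); in Joomla that is always PHPMailer
    line: int
    to: str
    headers: dict

def parse_mail_line(line):
    """One mail.log line -> MailEvent, or None if the line has another shape."""
    m = MAIL_RE.match(line.strip())
    if not m:
        return None
    headers = {h.group("key"): h.group("val") for h in HEADER_RE.finditer(m.group("headers"))}
    return MailEvent(datetime.strptime(m.group("date"), "%d-%b-%Y %H:%M:%S"),
                     m.group("script"), int(m.group("line")), m.group("to"), headers)

def address_of(value):
    """Bare address from 'Display Name <addr>' or a bare addr; '' if none."""
    m = ADDR_RE.search(value)
    return (m.group(1) or m.group(2)).lower() if m else ""

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def flagged(events, blocked_domains):
    """Events whose To or Reply-To domain is a blocked domain or a subdomain of one."""
    blocked = {d.lower().lstrip(".") for d in blocked_domains}
    def hit(addr):
        dom = domain_of(addr)
        return bool(dom) and any(dom == b or dom.endswith("." + b) for b in blocked)
    return [e for e in events
            if hit(address_of(e.to)) or hit(address_of(e.headers.get("Reply-To", "")))]

def parse_access_line(line):
    """One access-log line -> (when, ip, method, path, status), or None."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m.group("date"), "%d/%b/%Y:%H:%M:%S"), m.group("ip"),
            m.group("method"), m.group("path"), int(m.group("status")))

def requests_before(event, requests, window_seconds=5):
    """Requests logged within window_seconds before the mail() call. Both logs are assumed
    to use the same local timezone, so the naive timestamps can be compared directly."""
    lo = event.when - timedelta(seconds=window_seconds)
    return [r for r in requests if lo <= r[0] <= event.when]

# Constructed sample data modelled on the lines quoted in the thread (not real logs).
MAIL_LOG = [
    "[05-Aug-2018 14:16:03 Europe/Berlin] mail() on [/var/www/example/public_html/libraries/vendor/"
    "phpmailer/phpmailer/class.phpmailer.php:702]: To: someone@yandex.ru -- Headers: Date: Sun, 5 Aug "
    "2018 14:16:03 +0200 From: HORSE <info@example.net> Reply-To: someone <someone@yandex.ru> "
    "MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8",
    "[05-Aug-2018 18:02:10 Europe/Berlin] mail() on [/var/www/example/public_html/libraries/vendor/"
    "phpmailer/phpmailer/class.phpmailer.php:702]: To: editor@example.net -- Headers: Date: Sun, 5 Aug "
    "2018 18:02:10 +0200 From: Site <info@example.net> Reply-To: Visitor <visitor@example.org> "
    "MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8",
]
ACCESS_LOG = [
    '198.51.100.3 - - [05/Aug/2018:14:15:30 +0200] "GET /index.php HTTP/1.1" 200 8123',
    '203.0.113.7 - - [05/Aug/2018:14:16:02 +0200] "POST /index.php?option=com_mailto&tmpl=component HTTP/1.1" 303 412',
    '192.0.2.9 - - [05/Aug/2018:18:02:09 +0200] "POST /contact-us HTTP/1.1" 303 310',
]

def investigate(mail_lines=MAIL_LOG, access_lines=ACCESS_LOG, blocked=("yandex.ru", "yandex.com"), window=5):
    """[(flagged MailEvent, requests logged just before it)] for every flagged send."""
    events = [e for e in map(parse_mail_line, mail_lines) if e]
    reqs = [r for r in map(parse_access_line, access_lines) if r]
    return [(e, requests_before(e, reqs, window)) for e in flagged(events, blocked)]

if __name__ == "__main__":
    for ev, near in investigate():
        print(f"{ev.when} -> {ev.to} (Reply-To: {address_of(ev.headers.get('Reply-To', ''))})")
        for when, ip, method, path, status in near:
            print(f"    {when} {ip} {method} {path} {status}")
```

Run as is it reports the sample send to yandex.ru together with the POST to com_mailto logged one second earlier; on a real site pass the files instead, e.g. `investigate(open("mail.log"), open("access.log"), ["yandex.ru"])`. A hit with no nearby request points at a cron job or a script invoked outside the web server. This is a detection aid only: an actual blocklist has to be enforced where the mail is generated (the form or component) or in the MTA, not by reading the log afterwards.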

danjde
Joomla! Intern
Posts: 69
Joined: Mon Dec 28, 2009 1:48 pm

Re: Little spam using class.phpmailer.php

Post by danjde » Wed Sep 19, 2018 9:50 am

Hi Friends,
I inform you that for over a month there has been no recorded spam activity!
I followed @PhilTaylor-Prazgod's prescriptions (from the myJoomla.com audit); in particular, I think disabling "Mail To Friend" resolved it. I think that such a function should be disabled by default on each release.

If the spam should resume, I will report to you!


Thanks to all!

Davide

JAVesey
Joomla! Ace
Posts: 1845
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Little spam using class.phpmailer.php

Post by JAVesey » Wed Sep 19, 2018 7:08 pm

danjde wrote:
Wed Sep 19, 2018 9:50 am
I inform you that for over a month no recorded spam activity!
I followed @PhilTaylor-Prazgod prescriptions (by myJoomla.com audit)...
Good news re: spamming (lack of) and also that you have followed expert advice after seeking it :)

Have you taken the opportunity to review/audit and update all your 3rd-party extensions to their current version? Remember that not all extensions use Joomla's built-in update notification service so you will have to manually review and update these.
John V
Cardiff, Wales, UK
Uses Joomla 3.9.1

dangling
Joomla! Apprentice
Posts: 43
Joined: Tue Nov 01, 2005 4:51 pm

Re: Little spam using class.phpmailer.php

Post by dangling » Tue Oct 23, 2018 10:30 am

I also have this issue. Where do I disable Mail To Friend?
Thanks

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1163
Joined: Sat Aug 20, 2005 12:32 pm
Location: Weymouth, UK

Re: Little spam using class.phpmailer.php

Post by PhilTaylor-Prazgod » Tue Oct 23, 2018 6:03 pm

Watch the awesome video from BasicJoomla here:

https://www.[youtube].com/watch?v=GQ1M59GdKK8

sozzled
Joomla! Champion
Posts: 6080
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Little spam using class.phpmailer.php

Post by sozzled » Tue Oct 23, 2018 7:17 pm

@dangling (and others): see the documentation https://docs.joomla.org/J3.x:Joomla_3.8 ... _to_Friend

dangling
Joomla! Apprentice
Posts: 43
Joined: Tue Nov 01, 2005 4:51 pm

Re: Little spam using class.phpmailer.php

Post by dangling » Wed Oct 24, 2018 8:31 am

OK, I already disable that by default; I thought it was something I didn't know about. Cheers
Paul

