Finding source of spam emails

Discussion regarding Joomla! 3.x security issues.


Post by volantistn » Thu Apr 04, 2019 5:18 pm

My host notified me there's a bunch of spam emails coming from my server and I have not been able to find the source of them on my own. Any help would be much appreciated. Here's the FPA output:
Forum Post Assistant (v1.4.8 (koine)) : 4th April 2019 wrote:
Problem Description :: Site sending spam emails
Basic Environment ::
Joomla! Instance :: Joomla! 3.9.4-Stable (Amani) 12-March-2019
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 60 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 60 | Session handler: database | Shared sessions: N/A | SSL: 0 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.4: Yes | Database Supports J! 3.9.4: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 2.6.32-042stab134.8 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 8.64 GiB |

PHP Configuration :: Version: 7.1.27 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 32759 | Log Errors To: error_log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 10M | Max. POST Size: 12M | Max. Input Time: 60 | Max. Execution Time: 120 | Memory Limit: 128M

Database Configuration :: Version: 5.6.41 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: 38fea24f2847fa7519001be390c98ae0acafe387 $) | Host: --protected-- (--protected--) | default Collation: latin1_swedish_ci (default Character Set: latin1) | Database Size: 6.37 MiB | #of Tables:  92
Detailed Environment ::
PHP Extensions :: Core (7.1.27) | date (7.1.27) | libxml (7.1.27) | openssl (7.1.27) | pcre (7.1.27) | zlib (7.1.27) | filter (7.1.27) | hash (1.0) | Reflection (7.1.27) | SPL (7.1.27) | session (7.1.27) | standard (7.1.27) | apache2handler () | bcmath (7.1.27) | bz2 (7.1.27) | calendar (7.1.27) | ctype (7.1.27) | curl (7.1.27) | dom (20031129) | enchant (7.1.27) | mbstring (7.1.27) | fileinfo (1.0.5) | ftp (7.1.27) | gd (7.1.27) | gettext (7.1.27) | gmp (7.1.27) | iconv (7.1.27) | imap (7.1.27) | intl (1.1.0) | json (1.5.0) | exif (7.1.27) | mcrypt (7.1.27) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: 38fea24f2847fa7519001be390c98ae0acafe387 $) | PDO (7.1.27) | Phar (2.0.2) | posix (7.1.27) | pspell (7.1.27) | SimpleXML (7.1.27) | soap (7.1.27) | sockets (7.1.27) | sqlite3 (7.1.27) | tidy (7.1.27) | tokenizer (7.1.27) | xml (7.1.27) | xmlwriter (7.1.27) | xsl (7.1.27) | zip (1.13.5) | mysqli (7.1.27) | pdo_mysql (7.1.27) | pdo_sqlite (7.1.27) | wddx (7.1.27) | xmlreader (7.1.27) | xmlrpc (7.1.27) | ionCube Loader () | Zend OPcache (7.1.27) | Zend Engine (3.1.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_so | http_core | prefork | mod_cgi | mod_access_compat | mod_actions | mod_alias | mod_auth_basic | mod_authn_core | mod_authn_file | mod_authz_core | mod_authz_groupfile | mod_authz_host | mod_authz_user | mod_autoindex | mod_deflate | mod_dir | mod_expires | mod_filter | mod_headers | mod_include | mod_log_config | mod_logio | mod_mime | mod_negotiation | mod_proxy | mod_proxy_fcgi | mod_proxy_http | mod_proxy_wstunnel | mod_rewrite | mod_setenvif | mod_slotmem_shm | mod_socache_dbm | mod_socache_memcache | mod_socache_shmcb | mod_status | mod_unique_id | mod_unixd | mod_userdir | mod_bwlimited | mod_ssl | mod_security2 | mod_ruid2 | mod_php7 | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 1292698 | Threads: 1 | Questions: 35596617 | Slow queries: 0 | Opens: 38959 | Flush tables: 1 | Open tables: 512 | Queries per second avg: 27.536 |
Extensions Discovered ::
Components :: SITE ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party:: WF_CLEANUP_TITLE (2.6.32) ? | WF_TABLE_TITLE (2.6.32) ? | WF_VISUALCHARS_TITLE (2.6.32) ? | WF_INLINEPOPUPS_TITLE (2.6.32) ? | WF_STYLESELECT_TITLE (2.6.32) ? | WF_FONTCOLOR_TITLE (2.6.32) ? | WF_CHARMAP_TITLE (2.6.32) ? | WF_SPELLCHECKER_TITLE (2.6.32) ? | WF_FULLSCREEN_TITLE (2.6.32) ? | WF_CLIPBOARD_TITLE (2.6.32) ? | WF_VISUALBLOCKS_TITLE (2.6.32) ? | WF_PRINT_TITLE (2.6.32) ? | WF_XHTMLXTRAS_TITLE (2.6.32) ? | WF_DIRECTIONALITY_TITLE (2.6.32) ? | WF_CONTEXTMENU_TITLE (2.6.32) ? | WF_BROWSER_TITLE (2.6.32) ? | WF_IMGMANAGER_TITLE (2.6.32) ? | WF_FORMATSELECT_TITLE (2.6.32) ? | WF_TEXTCASE_TITLE (2.6.32) ? | WF_ARTICLE_TITLE (2.6.32) ? | WF_PREVIEW_TITLE (2.6.32) ? | WF_HR_TITLE (2.6.32) ? | WF_EMOTIONS_TITLE (2.6.32) ? | WF_STYLE_TITLE (2.6.32) ? | WF_SOURCE_TITLE (2.6.32) ? | WF_NONBREAKING_TITLE (2.6.32) ? | WF_MEDIA_TITLE (2.6.32) ? | WF_FONTSELECT_TITLE (2.6.32) ? | WF_ANCHOR_TITLE (2.6.32) ? | WF_LINK_TITLE (2.6.32) ? | WF_FONTSIZESELECT_TITLE (2.6.32) ? | WF_LAYER_TITLE (2.6.32) ? | WF_AUTOSAVE_TITLE (2.6.32) ? | WF_KITCHENSINK_TITLE (2.6.32) ? | WF_LISTS_TITLE (2.6.32) ? | WF_SEARCHREPLACE_TITLE (2.6.32) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.32) ? | WF_POPUPS_WINDOW_TITLE (2.6.32) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.6.32) ? | WF_AGGREGATOR_VINE_TITLE (2.6.32) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.6.32) ? | WF_AGGREGATOR_VIMEO_TITLE (2.6.32) ? | WF_AGGREGATOR_[youtube]_TITLE (2.6.32) ? | WF_LINKS_JOOMLALINKS_TITLE (2.6.32) ? | WF_LINK_SEARCH_TITLE (2.6.32) ? |

Components :: ADMIN ::
Core :: com_config (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_privacy (3.9.0) 1 | com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | com_finder (3.0.0) 1 | com_tags (3.1.0) 1 | com_plugins (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_fields (3.7.0) 1 | com_messages (3.0.0) 1 | com_menus (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_cache (3.0.0) 1 | com_banners (3.0.0) 1 | com_installer (3.0.0) 1 | com_search (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_users (3.0.0) 1 | com_content (3.0.0) 1 | com_redirect (3.0.0) 1 | com_templates (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_login (3.0.0) 1 | com_languages (3.0.0) 1 | com_modules (3.0.0) 1 | com_associations (3.7.0) 1 | com_media (3.0.0) 1 |
3rd Party:: RokSprocket (2.1.26) 1 | Akeeba (6.4.2.1) 1 | com_chronoforms5 (5.0.17) 1 | COM_JCE (2.6.32) 1 | com_gantry5 (5.4.26) 1 |

Modules :: SITE ::
Core :: mod_whosonline (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_login (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_articles_categories (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_search (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_tags_popular (3.1.0) 1 | mod_footer (3.0.0) 1 | mod_finder (3.0.0) 1 |
3rd Party:: RokSprocket Module (2.1.26) 1 | RokAjaxSearch (2.0.6) 1 | mod_gantry5_particle (5.4.26) 1 |

Modules :: ADMIN ::
Core :: mod_submenu (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_version (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_login (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_logged (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 |
3rd Party::

Libraries :: SITE ::
Core ::
3rd Party::

Plugins :: SITE ::
Core :: plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_user_terms (3.9.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_stats (3.5.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_fields (3.7.0) 1 | plg_system_updatenotification (3.5.0) 0 | plg_system_privacyconsent (3.9.0) 0 | plg_system_log (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_p3p (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_sef (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_installer_webinstaller (2.0.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_emailcloak (3.0.0) 0 | plg_content_loadmodule (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_finder (3.0.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | 
plg_fields_textarea (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_finder_content (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_joomla (3.0.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 |
3rd Party:: plg_quickicon_gantry5 (5.4.26) 1 | plg_quickicon_jce (2.6.32) 1 | plg_quickicon_akeebabackup (6.4.2.1) 1 | Button - RokBox (2.0.15) 1 | PLG_SYSTEM_AKEEBAACTIONLOG (6.4.2.1) 0 | System - RokCommon (3.2.7) 1 | System - RokSprocket (2.1.26) 1 | PLG_SYSTEM_BACKUPONUPDATE (6.4.2.1) 1 | PLG_SYS_HEADTAG (2.5) 1 | System - RokBooster (1.1.18) 0 | plg_system_gantry5 (5.4.26) 1 | PLG_SYSTEM_AKEEBAUPDATECHECK (6.4.2.1) 0 | System - RokBox (2.0.15) 1 | plg_system_jce (2.6.32) 1 | plg_extension_jce (2.6.32) 1 | plg_installer_jce (2.6.32) 1 | RokBox (2.0.15) 1 | plg_content_jce (2.6.32) 1 | Content - RokInjectModule (2.1.26) 1 | plg_fields_mediajce (2.6.32) 1 | plg_gantry5_preset (5.4.26) 1 | RokPad (2.1.10) 1 | plg_editors_codemirror (5.40.0) 1 | plg_editors_tinymce (4.5.9) 1 | plg_editors_jce (2.6.32) 1 |
Templates Discovered ::
Templates :: SITE :: beez3 (3.1.0) 0 | rt_salient (1.0.2) 1 | protostar (1.0) 0 |
Templates :: ADMIN :: isis (1.0) 1 | hathor (3.0.0) 0 |
Last edited by toivo on Fri Apr 05, 2019 9:10 am, edited 1 time in total.
Reason: mod note: disabled smilies in post Options for readability


Post by Webdongle » Thu Apr 04, 2019 5:25 pm

com_chronoforms5 is old.
Suggest treating the site as hacked: viewtopic.php?f=714&t=946026