
Script sending spam - joomla 3.9

Posted: Tue Apr 09, 2019 3:06 pm
by bmassaer
Hello,

I've received a message from the domain host that, on my site sintpietersbuiten.be, a script is sending spam.
They've put the site offline. I'm using Joomla 3.9.
How can I fix this - with the back-end not active?

This is the mail:

Infected script that is sending spam:
/home/bartmof280/domains/sintpietersbuiten.be/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php

*Possible solutions:*
Install reCaptcha when class.phpmailer.php is used (see "Infected script that is sending spam").

You can install the reCaptcha plugin to your website and add the captcha on every page where your website is using the mail function.

Amount of spam emails that have been sent:
755

Detection date and time:
09-Apr-2019 08:30:30

Log:
[09-Apr-2019 08:30:30 Europe/Amsterdam] mail() on [/home/bartmof280/domains/sintpietersbuiten.be/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:702]: To: hellothere2345@live.com.au -- Headers: Date: Tue, 9 Apr 2019 08:30:30 +0200 From: Werkgroep Sint-Pieters-Buiten <stpietersbuiten@gmail.com> Reply-To: hellothere2345 <hellothere2345@live.com.au> Message-ID: <f78829ef2ed801d80475095eae02a1e1@sintpietersbuiten.be> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 -- Subject: Kopie van: Hello cute---90319:2019-04-09 08:26:44 1hDkDU-00DL9s-J8 <= stpietersbuiten@gmail.com U=bartmof280 P=local S=980 id=32a3c84e4634942bd45736f6c05befec@sintpietersbuiten.be T='Werkgroep Sint-Pieters-Buiten: Hello' from <stpietersbuiten@gmail.com> for info@sintpietersbuiten.be

Re: Script sending spam - joomla 3.9

Posted: Tue Apr 09, 2019 3:56 pm
by pe7er
Are you using Joomla's default Contacts (com_contact) ?

If not, could you add index.php?option=com_contact&view=contact&id=1 behind the domain name of your website?
If the contact form has the "Send Copy" option enabled, spammers can craft the URL and use your contact form.
Instead of their own email address, they will use the address of the victim that gets a "copy" of their form input (which is spam).
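
An added example, not part of the original post and not Joomla code: a Python check that scans PHP mail() log entries of the shape quoted in the host's mail and flags "copy" mails sent to outside addresses, which is the pattern described above. The sample lines, the `site.example` domain and the helper names are constructed for illustration. A genuine visitor who ticks "Send Copy" matches too, so judge by volume.

```python
import re
from collections import Counter

# Shape of the PHP mail() log entry in the host's mail (headers flattened onto one line).
ENTRY = re.compile(
    r"mail\(\) on \[(?P<script>[^\]:]+):\d+\]: To: (?P<to>\S+)"
    r" -- Headers: (?P<headers>.*?) -- Subject: (?P<subject>.*)$"
)
REPLY_TO = re.compile(r"Reply-To: [^<]*<(?P<addr>[^>]+)>")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def is_copy_abuse(line, site_domains):
    """True when the recipient equals the form-supplied Reply-To address
    and is not at one of the site's own domains (heuristic, an assumption)."""
    m = ENTRY.search(line)
    if not m:
        return False
    rt = REPLY_TO.search(m["headers"])
    if not rt:
        return False
    to = m["to"].lower()
    return to == rt["addr"].lower() and domain(to) not in site_domains

def summarize(lines, site_domains):
    """Count flagged copies per recipient domain."""
    hits = [l for l in lines if is_copy_abuse(l, site_domains)]
    return Counter(domain(ENTRY.search(l)["to"]) for l in hits)

def _line(to, reply_to, subject):
    # Builds a constructed log line in the same layout as the one in the thread.
    return ("[09-Apr-2019 08:30:30 Europe/Amsterdam] mail() on [/home/user/public_html/"
            "libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:702]: "
            f"To: {to} -- Headers: Date: Tue, 9 Apr 2019 08:30:30 +0200 "
            f"From: Site <owner@site.example> Reply-To: x <{reply_to}> "
            f"Message-ID: <id@site.example> MIME-Version: 1.0 -- Subject: {subject}")

SAMPLE = [  # constructed sample data
    _line("a@mail.example", "a@mail.example", "Kopie van: Hello"),
    _line("b@mail.example", "b@mail.example", "Kopie van: Hello"),
    _line("info@site.example", "c@other.example", "Hello"),  # normal mail to the owner
]

if __name__ == "__main__":
    print(summarize(SAMPLE, {"site.example"}))
```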

Re: Script sending spam - joomla 3.9

Posted: Wed Apr 10, 2019 11:35 pm
by kmedri
I have just started getting issues with this spammer's method; however, I do not create any contacts in our websites. Is the contact&id=1 with email test@test.com a default contact created within Joomla! on installation?
Many thanks, Kevin

Re: Script sending spam - joomla 3.9

Posted: Thu Apr 11, 2019 6:41 am
by pe7er
kmedri wrote:
Wed Apr 10, 2019 11:35 pm
Is the contact&id=1 with email test@test.com a default contact created within Joomla! on installation?
A default Joomla installation without sample content does not contain any record in the contacts table.
However, if you installed Joomla with the "Learn Joomla" sample data,
or if you used a Quick Install version from a 3rd party (e.g. template club)
then you might have sample records in your Components > Contact component.

On sites where I do not use "Contacts", I disable the component:
Extensions > Manage > Manage > [Search Tools] button
filter on: Unprotected + Administrator + Component
Disable all components that you don't use (e.g. Contacts, Newsfeeds)

Re: Script sending spam - joomla 3.9

Posted: Fri Apr 12, 2019 5:55 pm
by Webdongle