Spamming from my Joomla site

Discussion regarding Joomla! 3.x security issues.

AltySCwebmaster
Joomla! Apprentice
Posts: 12
Joined: Sun Dec 16, 2018 8:01 am

Post by AltySCwebmaster » Fri Nov 01, 2019 7:08 pm

Can anyone help me, please? I'm not a developer. I have my site up to date - I keep the installed packages up to date - but lately I seem to be regularly hacked to spam out, no matter how much I do to try and evade it: password complexity, virus scans, updates, etc.

Not sure what else to try

 
Post by AltySCwebmaster » Fri Nov 01, 2019 7:09 pm

Forum Post Assistant (v1.4.9 (lambrusca) : 1st November 2019 wrote:
Problem Description :: wrote:Spamming out from Joomla
Log/Error Message :: wrote:Many emails generated from the only account that the website uses
Actions Taken To Resolve wrote:Many occasions reset passwords and changed email account and av scans etc..
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.12-Stable (Amani) 24-September-2019
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: http://altrinchamsc.org.uk | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.12: Yes | Database Supports J! 3.9.12: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-962.3.2.lve1.5.24.8.el7.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 62.39 GiB |

PHP Configuration :: Version: 7.2.23 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 32759 | Log Errors To: /home/altysc/logs/altrinchamsc_org_uk.php.error.log | Last Known Error: 28th October 2019 02:33:03. | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 8M | Max. Input Time: 90 | Max. Execution Time: 600 | Memory Limit: 512M

Database Configuration :: Version: 5.7.28 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $) | Host: --protected-- (--protected--) | default Collation: latin1_swedish_ci (default Character Set: latin1) | Database Size: 20.94 MiB | #of Tables:  155
Detailed Environment :: wrote:PHP Extensions :: Core (7.2.23) | date (7.2.23) | libxml (7.2.23) | openssl (7.2.23) | pcre (7.2.23) | zlib (7.2.23) | filter (7.2.23) | hash (1.0) | pcntl (7.2.23) | Reflection (7.2.23) | SPL (7.2.23) | session (7.2.23) | standard (7.2.23) | cgi-fcgi () | bcmath (7.2.23) | bz2 (7.2.23) | calendar (7.2.23) | ctype (7.2.23) | curl (7.2.23) | dom (20031129) | mbstring (7.2.23) | fileinfo (1.0.5) | ftp (7.2.23) | gd (7.2.23) | gettext (7.2.23) | iconv (7.2.23) | imap (7.2.23) | intl (1.1.0) | json (1.6.0) | exif (7.2.23) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $) | PDO (7.2.23) | Phar (2.0.2) | posix (7.2.23) | SimpleXML (7.2.23) | soap (7.2.23) | sockets (7.2.23) | sqlite3 (7.2.23) | tidy (7.2.23) | tokenizer (7.2.23) | xml (7.2.23) | xmlwriter (7.2.23) | xsl (7.2.23) | zip (1.15.4) | mysqli (7.2.23) | pdo_mysql (7.2.23) | pdo_sqlite (7.2.23) | wddx (7.2.23) | xmlreader (7.2.23) | xmlrpc (7.2.23) | Zend OPcache (7.2.23) | Zend Engine (3.2.0) |
Potential Missing Extensions ::
Disabled Functions :: system | passthru | popen | exec | proc_close | proc_get_status | proc_nice | proc_open | proc_terminate | highlight_file | escapeshellcmd | define_syslog_variables | posix_uname | posix_getpwuid | apache_child_terminate | posix_kill | posix_mkfifo | posix_setpgid | posix_setsid | posix_setuid | escapeshellarg | posix_uname | ftp_exec | ftp_connect | ftp_login | ftp_get | ftp_put | ftp_nb_fput | ftp_raw | ftp_rawlist | ini_alter | ini_restore | inject_code | syslog | openlog | define_syslog_variables | apache_setenv | mysql_pconnect | eval | phpAds_XmlRpc | phpAds_remoteInfo | phpAds_xmlrpcEncode | phpAds_xmlrpcDecode | xmlrpc_entity_decode | fp | fput | shell_exec | apache_get_modules | mail | opcache_get_status |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) :: abante/resources/image/18/7d/ (777) | administrator/components/com_akeeba/backup/ (777) |
Database Information :: wrote:Database statistics :: Uptime: 34053 | Threads: 9 | Questions: 12694156 | Slow queries: 0 | Opens: 572367 | Flush tables: 1 | Open tables: 1024 | Queries per second avg: 372.776 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party:: WF_INLINEPOPUPS_TITLE (2.6.26) ? | WF_ANCHOR_TITLE (2.6.26) ? | WF_CLEANUP_TITLE (2.6.26) ? | WF_LAYER_TITLE (2.6.26) ? | WF_STYLESELECT_TITLE (2.6.26) ? | WF_MEDIA_TITLE (2.6.26) ? | WF_BROWSER_TITLE (2.6.26) ? | WF_PRINT_TITLE (2.6.26) ? | WF_TABLE_TITLE (2.6.26) ? | WF_CONTEXTMENU_TITLE (2.6.26) ? | WF_FULLSCREEN_TITLE (2.6.26) ? | WF_IMGMANAGER_TITLE (2.6.26) ? | WF_CLIPBOARD_TITLE (2.6.26) ? | WF_VISUALBLOCKS_TITLE (2.6.26) ? | WF_PREVIEW_TITLE (2.6.26) ? | WF_FONTSIZESELECT_TITLE (2.6.26) ? | WF_EMOTIONS_TITLE (2.6.26) ? | WF_NONBREAKING_TITLE (2.6.26) ? | WF_LINK_TITLE (2.6.26) ? | WF_CHARMAP_TITLE (2.6.26) ? | WF_SOURCE_TITLE (2.6.26) ? | WF_DIRECTIONALITY_TITLE (2.6.26) ? | WF_FONTSELECT_TITLE (2.6.26) ? | WF_XHTMLXTRAS_TITLE (2.6.26) ? | WF_STYLE_TITLE (2.6.26) ? | WF_KITCHENSINK_TITLE (2.6.26) ? | WF_VISUALCHARS_TITLE (2.6.26) ? | WF_SPELLCHECKER_TITLE (2.6.26) ? | WF_LISTS_TITLE (2.6.26) ? | WF_HR_TITLE (2.6.26) ? | WF_FORMATSELECT_TITLE (2.6.26) ? | WF_SEARCHREPLACE_TITLE (2.6.26) ? | WF_AUTOSAVE_TITLE (2.6.26) ? | WF_TEXTCASE_TITLE (2.6.26) ? | WF_ARTICLE_TITLE (2.6.26) ? | WF_FONTCOLOR_TITLE (2.6.26) ? | WF_AGGREGATOR_[youtube]_TITLE (2.6.26) ? | WF_AGGREGATOR_VIMEO_TITLE (2.6.26) ? | WF_AGGREGATOR_VINE_TITLE (2.6.26) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.6.26) ? | WF_POPUPS_WINDOW_TITLE (2.6.26) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.26) ? | WF_LINKS_JOOMLALINKS_TITLE (2.6.26) ? | WF_LINK_SEARCH_TITLE (2.6.26) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.6.26) ? |

Components :: ADMIN ::
Core :: com_login (3.0.0) 1 | com_modules (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_users (3.0.0) 1 | com_banners (3.0.0) 1 | com_menus (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_content (3.0.0) 1 | com_languages (3.0.0) 1 | com_media (3.0.0) 1 | com_fields (3.7.0) 1 | com_ajax (3.2.0) 1 | com_cache (3.0.0) 1 | com_templates (3.0.0) 1 | com_search (3.0.0) 1 | com_categories (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_config (3.0.0) 1 | com_privacy (3.9.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_associations (3.7.0) 1 | com_tags (3.1.0) 1 | com_admin (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_redirect (3.0.0) 1 | com_messages (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_checkin (3.0.0) 1 | com_plugins (3.0.0) 1 | com_weblinks (3.7.0) 1 |
3rd Party:: COM_JEVENTS (3.4.50) 1 | RokGallery (2.45) 1 | Discussions (1.6.1) ? | RokSprocket (2.1.26) 1 | JoomailerMailchimpIntegration (3.0.3) 1 | COM_JCE (2.6.26) 1 | com_attachments (3.2.6) 1 | Akeeba (6.6.1) 1 | COM_GANTRY (4.1.42) 1 | COM_CREATIVECONTACTFORM (4.6.1) 1 |

Modules :: SITE ::
Core :: mod_login (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_footer (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_weblinks (3.7.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_languages (3.5.0) 1 | mod_stats (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_search (3.0.0) 1 |
3rd Party:: MOD_JEV_CALENDAR_TITLE (3.4.50) 1 | RokGallery Module (2.45) 1 | MOD_JEV_FILTER_MODULE_TITLE (3.4.50) 1 | RokNavMenu (2.0.9) 1 | MOD_CREATIVECONTACTFORM_NAME (4.6.0) 1 | MOD_JEV_SWITCH_VIEW_TITLE (3.4.50) 1 | Donations Thermometer (1.7.0) 1 | RokSprocket Module (2.1.26) 1 | MOD_JEV_LEGEND_TITLE (3.4.50) 1 | Twitter Follower Slider (1.0.0) 1 | MOD_JEV_LATEST_EVENTS_TITLE (3.4.50) 1 | Subscribe for download (2.1) 1 | Facebook Like Box Slider (1.0) 1 | MOD_JEV_CUSTOM_MODULE_TITLE (3.4.50) 1 | Mini Frontpage (2.2.2) 1 | RokAjaxSearch (2.0.6) 1 | MailChimp Signup (2.1) 1 |

Modules :: ADMIN ::
Core :: mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_version (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_title (3.0.0) 1 | mod_status (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_latestactions (3.9.0) 1 |
3rd Party:: MailChimp Stats (1.2) 1 |

Libraries ::
Core ::
3rd Party:: file_fof30 (3.4.1) ? |

Plugins ::
Core :: plg_authentication_cookie (3.0.0) 1 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 1 | plg_authentication_gmail (3.0.0) 1 | plg_system_redirect (3.0.0) 1 | plg_system_weblinks (3.7.0) 0 | plg_system_log (3.0.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_p3p (3.0.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_stats (3.5.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_languagecode (3.0.0) 0 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_updatenotification (3.5.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_sessiongc (3.8.6) 1 | plg_system_sef (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_finder_weblinks (3.7.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_privacy_consents (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_search_weblinks (3.7.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_categories (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) 1 | plg_user_profile (3.0.0) 1 | plg_user_terms (3.9.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | 
plg_fields_checkboxes (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_finder (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_geshi (2.5.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_webinstaller (2.0.1) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_weblink (3.7.0) 0 |
3rd Party:: plg_system_show_attachments_in_edit (3.2.6) ? | Google Maps (2.18) 1 | Creative Contact Form (4.6.0) 1 | PLG_SYSTEM_BACKUPONUPDATE (6.6.1) 1 | plg_system_jce (2.6.26) 1 | System - RokSprocket (2.1.26) 1 | PLG_SYSTEM_AKEEBAUPDATECHECK (6.6.1) 1 | System - RokGallery (2.45) 1 | PLG_SYSTEM_GWEJSON (3.4.50) 1 | System - RokBooster (1.1.18) 0 | System - Discussions (1.6) 1 | System - RokExtender (2.0.0) 1 | System - Gantry 4 (4.1.42) 1 | System - CSSConfig (0.2.0) 0 | System - RokCommon (3.2.7) 1 | System - RokBox (2.0.15) 1 | plg_quickicon_akeebabackup (6.6.1) 1 | plg_quickicon_jce (2.6.26) 1 | plg_quickicon_attachments (3.2.6) 1 | PLG_ACTIONLOG_AKEEBABACKUP (6.6.1) 0 | PLG_FINDER_JEVENTS (3.4.50) 0 | Smart Search - Discussions (1.6) 1 | Community - joomlamailer (1.0) 0 | PLG_JEV_SEARCH_TITLE (3.4.50) 1 | Search - Discussions (1.6) 1 | plg_search_attachments (3.2.6) 1 | plg_extension_jce (2.6.26) 1 | PLG_JMONITORING_AKEEBABACKUP_TITLE (1.0) 1 | joomlamailer - Registration (1.1) 1 | DirectPHP (3.01) 1 | plg_content_jce (2.6.26) 1 | Simple Image Gallery (by JoomlaWork (3.6.0) ? | Simple Image Gallery (by JoomlaWork (3.6.0) ? | PLG_JEV_CORE_CONTENT_PLUGIN_TITLE (3.4.50) 1 | Content - RokInjectModule (2.1.26) 1 | Content - Discussions (1.6) 0 | plg_content_attachments (3.2.6) 1 | RokBox (2.0.15) 1 | Content - InstantPaypal (2.0) 0 | plg_installer_jce (2.6.26) 1 | plg_installer_jeventsinstaller (3.4.50) 1 | joomlamailer - Sidebar editor (1.1) 1 | joomlamailer - MySpace icon (1.0) 1 | joomlamailer - Twitter icon (1.0) 1 | joomlamailer - com_content (1.2) 1 | joomlamailer - Facebook icon (1.0) 1 | joomlamailer - K2 (1.1) 1 | joomlamailer - JomSocial discussion (1.1) ? | joomlamailer - Table of content (1.1) 1 | joomlamailer - JomSocial profiles (1.1) 1 | joomlamailer - VirtueMart (1.1) 1 | joomlamailer - Instagram icon (1.0) 1 | plg_editors-xtd_add_attachment_btn (3.2.6) 1 | plg_editors-xtd_insert_attachments_ (3.2.6) ? 
| Button - RokGallery (2.45) 1 | Button - RokBox (2.0.15) 1 | plg_editors_tinymce (4.5.11) 1 | plg_editors_codemirror (5.40.0) 1 | plg_editors_jce (2.6.26) 1 | plg_attachments_for_content (3.2.6) 1 | plg_attachments_plugin_framework (3.2.6) 1 |
Templates Discovered :: wrote:Templates :: SITE :: rt_afterburner2 (1.7) 1 | protostar (1.0) 0 | swim0001 (1.0) 1 | beez3 (3.1.0) 0 | rt_cygnet (1.0) 1 |
Templates :: ADMIN :: isis (1.0) 1 | hathor (3.0.0) 1 | bluestork (2.5.0) 1 |

sozzled
Joomla! Exemplar
Posts: 9590
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Post by sozzled » Fri Nov 01, 2019 7:27 pm

Thank you for your questions. I do not know how, specifically, we can assist you because I do not know, specifically, how you think you may have been "hacked", your passwords have been compromised/reset or email addresses have been changed.

I could make several suggestions about your website such as to remove the old, outdated, unworkable J! 2.5 extensions that you have installed (and some of my suggestions may improve matters), I could also suggest making changes to some PHP settings but I doubt that these are the reason(s) for your problem(s). I could also suggest making some changes to the database collation / character encoding and file permission settings but, again, these are just normal house-keeping chores.

Further, I'm sure you've done your best to keep "installed packages" up-to-date, but some extensions that you're using, such as JCE Editor and Gantry 4 and a few others, are behind-the-times (FWIW).

I submitted your website to sucuri.net and the free scan did not detect the presence of any malware.

Have you looked at the server logs to see when, where, who may have accessed your website to change user account information such as passwords or email addresses? What information do you have about these problems that you have been having?
Last edited by sozzled on Fri Nov 01, 2019 7:44 pm, edited 1 time in total.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

Post by AltySCwebmaster » Fri Nov 01, 2019 7:40 pm

I have been working with the ISP to try and narrow it down, but I'm not sufficiently technical to know the right logs to ask for or interrogate.

This has occurred a few times now, and each time I put a very complex password into the site. There are only a few core functions that use the mail account: one is the user account authorisation part of the site and the other is the Creative Contact form add-in.

Post by sozzled » Fri Nov 01, 2019 7:52 pm

As I indicated above, I can think of a dozen suggestions I could offer (and we could spend an hour talking over these matters by videoconference) but I'm a bit lost as to how, specifically, you have information—real solid evidence—of unauthorised user account changes that I think you are claiming to have.

The fact that you use a contact form extension, however, is not evidence of a security problem. FWIW, contact forms are, in my opinion, mostly a waste of time because they're used by people who have little interest in the business that people may be running and they're used to send email to the site manager for all kinds of non business-related rubbish. That's just the nature of the game. If you want to use a contact form, and allow any Tom, Dick or Mary to use it, that's your business (and, please, do not think that CAPTCHA stops people from abusing contact forms, because it doesn't).

I don't know what practical measures I can suggest here, on the forum. As I say, I could spend an hour talking about what you could do, but the decisions about what you need to do are in your court. If you want to spend an hour of your time talking, via videoconference, with someone like me, I can make that time available today but, if not today, you'll have to wait a week before I'm back in town again. I sincerely wish you the best of luck.

Post by AltySCwebmaster » Fri Nov 01, 2019 7:56 pm

Thank you and I may take you up on that when you are next available. I have made a few changes with my ISP that may have resolved it (I can hope!) so I don't want to waste your time.

Thank you for your support so far.

Post by sozzled » Fri Nov 01, 2019 8:00 pm

I am "next" available for the next eight hours. After that, it's pot luck.

BTW, don't concern yourself with "wasting" my time (I enjoy the opportunity to talk with real people instead of writing on the forum); it's not my time ... it's yours. Cheers. :)

helpwithjoomla
Joomla! Enthusiast
Posts: 101
Joined: Sat Sep 21, 2019 7:29 pm

Post by helpwithjoomla » Fri Nov 01, 2019 10:10 pm

Sozzled - what do you think about the 777 permissions on some folders?
Joomla Developers Available To Help With Joomla!
https://www.helpwithjoomla.com

Post by sozzled » Fri Nov 01, 2019 10:16 pm

@helpwithjoomla: That's one of 20 ideas that may, or may not, have any bearing on the case. The first problem that I have is with the opening statement (which I don't understand):
AltySCwebmaster wrote:
Fri Nov 01, 2019 7:08 pm
... but lately I seem to be regularly hacked to spam out, no matter how much I do to try and evade it ...
Therefore, because I don't know what evidence we have before us to examine this "spam" or ascertain whether the website has been "hacked", any number of suggestions may help ... or they may not help. However, it's not my website, it's not my business and it's not my decision what to do next.

Thanks for the idea, @helpwithjoomla

waarnemer
Joomla! Hero
Posts: 2738
Joined: Sun May 04, 2008 12:37 pm

Post by waarnemer » Fri Nov 01, 2019 10:44 pm

How sure are you, actually, that the spam is really coming from your website?
If you can, check the internet headers of a spam email for traces of your site, IP, host, etcetera.

You need one of the receivers of your spam to help you with it of course. (if you received one yourself, that is easy)

It may as well hint into the direction of your problem.

Also read this: https://docs.joomla.org/Security_Checkl ... or_defaced
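
The header check suggested in the post above, written out as an added Python example (not part of the original thread). It reads the Received chain of a saved message and reports whether the site's server appears in the delivery path or only in a forged From line. Both messages and every host, IP and address are constructed, and `trace_origin` and its parameters are names chosen for this example.

```python
import email
import ipaddress
import re
from email import policy

# Constructed headers (hosts, IPs and addresses are made up). Received lines
# are read bottom-up: the lowest one is the oldest hop.
SENT_BY_SITE = """\
Return-Path: <website@club.example>
Received: from web01.hosting.example (web01.hosting.example [203.0.113.45])
\tby mx.recipient.example with ESMTPS id B2; Sat, 02 Nov 2019 09:12:05 +0000
Received: from localhost (localhost [127.0.0.1])
\tby web01.hosting.example with ESMTPA id C3; Sat, 02 Nov 2019 09:12:04 +0000
X-PHP-Originating-Script: 1001:index.php
X-Mailer: PHPMailer 5.2.x (https://github.com/PHPMailer/PHPMailer)
Message-ID: <f3a9c1@club.example>
From: Club website <website@club.example>
To: stranger@victim.example
Subject: Copy of your message

(body omitted)
"""

# Constructed counter-example: the From line names the club, but no hop
# involves the club's server, so the address was forged somewhere else.
SPOOFED_ELSEWHERE = """\
Return-Path: <bounce@bulk.example>
Received: from relay.bulk.example (relay.bulk.example [192.0.2.77])
\tby mx.recipient.example with ESMTP id D4; Sat, 02 Nov 2019 10:01:00 +0000
Message-ID: <9911@bulk.example>
From: Club website <website@club.example>
To: stranger@victim.example
Subject: Hello

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\([^\[)]*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by_host>\S+)",
    re.S,
)


def _is_loopback(ip_text):
    # Some MTAs write IPv6 literals as "IPv6:2001:db8::1".
    try:
        return ipaddress.ip_address(ip_text.split("IPv6:")[-1]).is_loopback
    except ValueError:
        return False


def parse_hops(msg):
    """Return Received hops oldest-first as dicts of from_host, ip, by_host."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = RECEIVED_RE.search(str(value))
        if match:
            hops.append(match.groupdict())
    return hops


def trace_origin(raw, site_domain, server_markers):
    """Classify a message by whether the site's server is in its path."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = parse_hops(msg)
    # First hop that crossed the network: skip local hand-offs on the sender.
    origin = next((h for h in hops if not _is_loopback(h["ip"])), None)
    path_values = {v.lower() for h in hops for v in h.values()}
    in_path = sorted(m for m in server_markers if m.lower() in path_values)
    # X-PHP-Originating-Script is written by PHP's mail() when
    # mail.add_x_header is on; it is absent when mail goes out over SMTP.
    script = msg.get("X-PHP-Originating-Script")
    claims_site = site_domain.lower() in str(msg.get("From", "")).lower()
    if in_path:
        verdict = "sent-by-site"
    elif claims_site:
        verdict = "spoofed-from-address"
    else:
        verdict = "unrelated"
    return {
        "verdict": verdict,
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin["from_host"] if origin else None,
        "markers_in_path": in_path,
        "php_script": str(script) if script is not None else None,
        "phpmailer": "phpmailer" in str(msg.get("X-Mailer", "")).lower(),
    }


if __name__ == "__main__":
    markers = ["203.0.113.45", "web01.hosting.example"]
    for sample in (SENT_BY_SITE, SPOOFED_ELSEWHERE):
        print(trace_origin(sample, "club.example", markers))
```

Only the Received lines written by the recipient's own mail servers can be relied on; anything below them, like From and Message-ID, is supplied by the sender.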

mandville
Joomla! Master
Posts: 14975
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Post by mandville » Fri Nov 01, 2019 11:50 pm

I think I can spot a possible issue.
Your contact form has "Send me a copy" enabled.
Disable that and see if your spam goes down.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by AltySCwebmaster » Sat Nov 02, 2019 9:30 am

Hi,

So to give a little more context, we have a single email account set up for the website to use for sending emails via the contact forms. They have a number of uses and in some cases are very helpful for people entering swimming events. The 'send me a copy' is particularly useful, as we get users saying they entered when they just didn't, so the copy becomes a receipt/confirmation.

Occasionally (over the past six months, I'd say) the mailbox in question appears to be sending out 100s of emails, notable in that it chokes up other genuine email and gets our domain/IP blacklisted. Then, on inspection, there are 100s of outgoing emails in the server logs. None of the outgoing emails appear in the mailbox itself, so they were not generated through the mailbox.

The ISP said that the mails were generated by a script from what they could tell but couldn't tie down any more detail and suggested the 'developer looking at it'.

Not sure if that helps..

When I change the password for that account and update Joomla config, the spam mails stop for a while, then at some point a month or two later, come back again.

Post by AltySCwebmaster » Sat Nov 02, 2019 9:34 am

I have just checked the account and there are some non delivery emails:
Capture.JPG

Per Yngve Berg
Joomla! Master
Posts: 27145
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Post by Per Yngve Berg » Sat Nov 02, 2019 10:16 am

Your contact form is abused. The mail is not delivered because the address entered in the form is non-existent. Spammers use the copy-to-myself option and enter the address of the person they want to spam in the sender address field.

I see you are using an old version of Google Captcha. Try to switch to the new Invisible Captcha Plugin. Note: You need new V3 keys from Google to use it.
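
The abuse described in the post above works because the form mails a copy to whatever address the visitor types. As an added example (not code from Joomla, Creative Contact Form or this thread), the Python model below throttles those copies per client IP, per recipient and site-wide, while the submission itself would still go to the site mailbox. The class name, thresholds and traffic are assumptions constructed for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Deliberately strict syntax check; whitespace (including CR/LF) never passes.
ADDRESS_RE = re.compile(r"[^@\s<>,;]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class CopyGuard:
    """Decide whether a visitor-requested copy of a submission may be sent."""

    def __init__(self, per_ip=3, per_address=2, site_wide=30, window=3600):
        # Hypothetical thresholds: copies allowed per sliding window (seconds).
        self.limits = {"ip": per_ip, "address": per_address, "site": site_wide}
        self.window = window
        self.sent = defaultdict(deque)  # (kind, key) -> timestamps of copies

    def _count(self, kind, key, now):
        stamps = self.sent[(kind, key)]
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()  # forget copies older than the window
        return len(stamps)

    def check(self, client_ip, copy_to, now=None):
        now = time.time() if now is None else now
        address = copy_to.strip().lower()
        if not ADDRESS_RE.fullmatch(address):
            return "reject:bad-address"
        keys = [("ip", client_ip), ("address", address), ("site", "*")]
        for kind, key in keys:
            if self._count(kind, key, now) >= self.limits[kind]:
                # The submission is still delivered to the site mailbox;
                # only the copy to the visitor-supplied address is withheld.
                return f"skip-copy:{kind}-limit"
        for kind_key in keys:
            self.sent[kind_key].append(now)
        return "send-copy"


def replay(submissions, guard):
    """Run (timestamp, ip, copy_to) tuples through the guard; tally results."""
    tally = defaultdict(int)
    for stamp, ip, copy_to in sorted(submissions):
        tally[guard.check(ip, copy_to, now=stamp)] += 1
    return dict(tally)


# Constructed traffic. BURST: one client asking for copies to 200 different
# addresses. BOTNET: 100 clients, one request each. GENUINE: a real entrant.
BURST = [(1000 + i, "198.51.100.9", f"target{i}@victim.example")
         for i in range(200)]
BOTNET = [(2000 + i, f"192.0.2.{i}", f"t{i}@victim.example")
          for i in range(100)]
GENUINE = [(1500, "203.0.113.10", "parent@family.example")]

if __name__ == "__main__":
    print(replay(BURST + GENUINE, CopyGuard()))
    print(replay(BOTNET, CopyGuard()))
```

The site-wide cap is the one that bounds the damage when requests come from many addresses at once, which is the case a per-IP limit alone does not catch.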

Post by waarnemer » Sat Nov 02, 2019 12:33 pm

Or.. a very good invisible captcha is hashcash by Michael Richey...

No need for any google key...

Post by AltySCwebmaster » Sun Nov 03, 2019 10:08 am

I have installed hashcash but can't see how I can enable that with my 'CreativeContact form'. Any suggestions?

Post by Per Yngve Berg » Sun Nov 03, 2019 10:24 am

I see a Google Captcha. Have you unpublished the Google Captcha Plugin and enabled the Hashcash Plugin?

Post by AltySCwebmaster » Sun Nov 03, 2019 12:01 pm

I have tried several options but can't see how hashcash is working (if indeed it is), and the Google one doesn't seem to work either; it fails with "Error validating reCAPTCHA".

Post by Per Yngve Berg » Sun Nov 03, 2019 12:47 pm

Select Captcha type in Global Configuration->Site

Post by AltySCwebmaster » Sun Nov 03, 2019 1:14 pm

How will I know it's working on my forms?

Post by AltySCwebmaster » Sun Nov 03, 2019 1:31 pm

I can see now that this may work for default Joomla forms, but there is no option beyond Google reCAPTCHA in the 'Creative Contact form', which is the add-on that I use.

Post by waarnemer » Sun Nov 03, 2019 2:09 pm

Oh I see now... I did not look that far... my bad... the extension is not using the captcha plugins, any of them, but uses its own technology...
Then, using this extension, you cannot avoid using the Google key. You will have to enter the values of the (re)captcha in the component configuration...

But you may want to ask the developer of the extension what version of (re)captcha it supports and if they plan to support the Joomla! (re)captcha features in future.

Using current extension and technology you may need to consider. It is depending on legislation in your country and the countries you target.
Any service from Google is/will/may/can drop technology (ie. cookies) to track your visitors.
You may need to add that to your cookie and privacy policy.

I can see your current contact form has no special fields but core Joomla! lacks a module to show the form.
Some thoughts: you could make the "Welcome to ....." in a custom module and have the form as core component and target the menu item that way. No need for additional extensions that way..... or.....
You can install: https://extensions.joomla.org/extension ... -anywhere/ and have a custom module created with your component inside. (and have a feature added with a huge lot of future flexibility)
Then you can use the captcha plugins.

 
