com_mailto used for spam.

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
stanko75
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Thu Oct 11, 2007 11:13 am
Location: Ljubljana
Contact:

com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 7:53 am

Hello,

this morning I realised that using that component from my site anyone can send an e-mail to anyone from my site! This mean, it was used for spam!

From log, i relized that spamers were using link like:

Code: Select all

/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2pvb21sYS50cmluZXQuc2kvaW5kZXgucGhwP3ZpZXc9YXJ0aWNsZSZpZD0yNTEzNCZvcHRpb249Y29tX2FscGhhY29udGVudCZJdGVtaWQ9Njc
In my case, it would be:

http://www.milosev.com/index.php?option ... GVtaWQ9Njc

For now, I just deleted that component.

Does anyone have expirience with it, and what is best solution to stop spammers to use that component for spaming?

Thank you in advance,
Stanko.
Last edited by mandville on Mon Jan 25, 2010 11:58 am, edited 1 time in total.
Reason: wrapped code for readability

User avatar
lafrance
Joomla! Ace
Joomla! Ace
Posts: 1116
Joined: Thu Jan 11, 2007 5:02 pm
Location: Alberta,Canada
Contact:

Re: com_mailto used for spam.

Post by lafrance » Mon Jan 25, 2010 9:15 am

Hello.

As I never seen or heard of this you may want to follow those step bellow.
As com_mailto only those what it suppose too.

1. Run the forum post assistant and security tool

2. Ensure you have the latest version of Joomla. We recommend update manager

3. Review Vulnerable Extensions List

4. Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

5. Change all passwords and if possible user names for the website host control panel and your Joomla site.This include FTP,Cpanel etc.

6. Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.
VEL contributor @ http://docs.joomla.org/Investigation_of_exploits
OSM,Trademark and Licensing Team,jed editor
Please no pm direct contact irc freenode.net #joomla

stanko75
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Thu Oct 11, 2007 11:13 am
Location: Ljubljana
Contact:

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 9:27 am

Thank you for your answer!

I was not hacked, I think that this is a bit, maybe, security hole in Joomla!

I checked also logs from my company, and I saw a lot of queries with link which I posted.

Luckily, in my company I didn't set up Mail Settings, so it is impossible to send an e - mail from the web site of my company.

Try it by yourself, install Joomla!, and set mail settings, so it can be possible to send mail from your web site, after that, try query which I posted in my first post, you will see that you are able to send an e - mail to anyone! Which can be easily exploited by spamers!

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14773
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 12:00 pm

What you are picking up on is this
E-mail this link to a friend
is this a large amount of traffic, would the site be expected to email a friend?
If you are concerned that it is a security hole or bug then please go to http://developer.joomla.org/ and report to the appropriate people
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

stanko75
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Thu Oct 11, 2007 11:13 am
Location: Ljubljana
Contact:

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 12:49 pm

Yes, I let that option open, so people can e - mail an article to a friend, but that option is abused by spamers, and because of that my domain is blacklisted..

Thank you, I will report as a security hole.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14773
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 1:15 pm

I checked your domain IP and hosts IP and couldnt find them in spamhaus, so not sure where you are getting blacklisted reports from.
It may be an idea to get your outgoing mail log to see the content thats being sent to find the content of this mail.
if you are a shared IP then it will no doubt affect all your hosts customers and eventually them.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

stanko75
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Thu Oct 11, 2007 11:13 am
Location: Ljubljana
Contact:

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 2:40 pm

I am blacklisted in the SORBS-SPAM, I was using this link to check my self:

http://www.mxtoolbox.com/SuperTool.aspx ... ilosev.com

I am on shared IP, I know, there is possibility that someone is also spaming, but I suspect that problem is at me, because I already changed host server, where I also had problems with spam.

I still didn't report it, since I want to check once again on a clean install, just to be sure, before reporting it as a security issue.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14773
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 3:40 pm

i would contact your host to get them to get the flags removed. or go direct to 3ix who i think are the actually upstream host. You could try and get a delist yourself
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

stanko75
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Thu Oct 11, 2007 11:13 am
Location: Ljubljana
Contact:

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 3:44 pm

I already tried all that :) First time it was about 7 days ago, and last time, again, about two days ago, and this morning I realized that until now anyone could send an e - mail through my web page...

stanko75
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Thu Oct 11, 2007 11:13 am
Location: Ljubljana
Contact:

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 7:33 pm

My apologize, now I checked all, and problem was:

6. Use proper permissions on files and directories. They should be max permissions of 644 for files & 755 for folders with no exceptions.

I am sorry.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14773
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 7:38 pm

just to confirm there is no confusion, were your permissions set as something dirfferent?
was a phishing/mail script installed ?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

stanko75
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Thu Oct 11, 2007 11:13 am
Location: Ljubljana
Contact:

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 7:59 pm

I am not completely sure. I installed clean Joomla! and tested, then I realized that link which I posted is not working, then I changed permissions and I could send an e-mail.

For sure, before I deleted com_mailto I could sent an e-mail, now I can't.

Is there easy way to check if phishing/mail script is installed? Or I have to look my logs?

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14773
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_mailto used for spam.

Post by mandville » Mon Jan 25, 2010 8:14 pm

get your host to show you how to check your mail server logs. Only you now what was on the server.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

stanko75
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Thu Oct 11, 2007 11:13 am
Location: Ljubljana
Contact:

Re: com_mailto used for spam.

Post by stanko75 » Mon Jan 25, 2010 8:43 pm

Thank you, I sent support ticket to my host.

jeffchannell
Joomla! Ace
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: com_mailto used for spam.

Post by jeffchannell » Wed Jan 19, 2011 7:21 pm

http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι


Locked

Return to “Security in Joomla! 1.5”