Scritpt sending spam - joomla 3.9

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
bmassaer
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Sun Jul 26, 2015 7:34 pm

Scritpt sending spam - joomla 3.9

Post by bmassaer » Tue Apr 09, 2019 3:06 pm

Hello,

I've received a message from the domain host that, on my site sintpietersbuiten.be, a script is sending spam.
They've put the site offline. I'm using Joomla 3.9.
How can I fix this - with the back-end not active?

This is the mail:

Infected script that is sending spam:
/home/bartmof280/domains/sintpietersbuiten.be/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php

*Possible solutions:*
Install reCaptcha when class.phpmailer.php is used see "Infected script that is sending spam"

You can install the reCaptcha plugin to your website and add the captcha on every page where your website is using the mail function.

Amount of spam emails that have been sent:
755

Detection date and time:
09-Apr-2019 08:30:30

Log:
[09-Apr-2019 08:30:30 Europe/Amsterdam] mail() on [/home/bartmof280/domains/sintpietersbuiten.be/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:702]: To: hellothere2345@live.com.au -- Headers: Date: Tue, 9 Apr 2019 08:30:30 +0200 From: Werkgroep Sint-Pieters-Buiten <stpietersbuiten@gmail.com> Reply-To: hellothere2345 <hellothere2345@live.com.au> Message-ID: <f78829ef2ed801d80475095eae02a1e1@sintpietersbuiten.be> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 -- Subject: Kopie van: Hello cute---90319:2019-04-09 08:26:44 1hDkDU-00DL9s-J8 <= stpietersbuiten@gmail.com U=bartmof280 P=local S=980 id=32a3c84e4634942bd45736f6c05befec@sintpietersbuiten.be T='Werkgroep Sint-Pieters-Buiten: Hello' from <stpietersbuiten@gmail.com> for info@sintpietersbuiten.be

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22322
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands
Contact:

Re: Scritpt sending spam - joomla 3.9

Post by pe7er » Tue Apr 09, 2019 3:56 pm

Are you using Joomla's default Contacts (com_contact) ?

If not, could you add index.php?option=com_contact&view=contact&id=1 behind the domain name of your website?
If the contact form has the "Send Copy" option enabled, spammers can craft the URL and use your contact form.
Instead of their own email address, they will use the address of the victim that gets a "copy" of their form input (which is spam).
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-developer of d2 Content https://data2site.com/joomla-extensions/d2-content

kmedri
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Thu Oct 08, 2009 5:03 pm

Re: Scritpt sending spam - joomla 3.9

Post by kmedri » Wed Apr 10, 2019 11:35 pm

I have just started getting issues with this spammers method, however I do not create any contacts in our websites. Is the contact&id=1 with email test@test.com a default contact created within Joomla! on installation?
Many thanks Kevin

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22322
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands
Contact:

Re: Scritpt sending spam - joomla 3.9

Post by pe7er » Thu Apr 11, 2019 6:41 am

kmedri wrote:
Wed Apr 10, 2019 11:35 pm
Is the contact&id=1 with email test@test.com a default contact created within Joomla! on installation?
A default Joomla installation without sample content does not contain any record in the contacts table.
However, if you installed Joomla with the "Learn Joomla" sample data,
or if you used a Quick Install version from a 3rd party (e.g. template club)
then you might have sample records in your Components > Contact component.

On sites I do not use "Contacts", I disable the component:
Extensions > Manage > Manage > [Search Tools] button
filter on: Unprotected + Administrator + Component
Disable all components that you don't use (e.g. Contacts, Newsfeeds)
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-developer of d2 Content https://data2site.com/joomla-extensions/d2-content

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37452
Joined: Sat Apr 05, 2008 9:58 pm

Re: Scritpt sending spam - joomla 3.9

Post by Webdongle » Fri Apr 12, 2019 5:55 pm

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein


Post Reply

Return to “Security in Joomla! 3.x”