Shanna517

Where would a spam bot be located?

@Shanna517

Posted in: #Email #Spam

I have a hosted website using a free hosting service, I received an email this afternoon saying that I have been suspended because my account has been compromised.

Basically, someone is using my email account to mass-send spam. I've changed all the passwords and everything, but when my Gmail pulls the emails from the host it's still downloading loads of spam messages that look like this:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

fi.nadiamonti@gmail.com
SMTP error from remote mail server after end of data:
host 198.91.80.251 [198.91.80.251]: 554 5.6.0 id=23634-03 - Rejected by MTA on relaying, from MTA([127.0.0.1]:10030):
554 Error: This email address has lost rights to send email from the system

------ This is a copy of the message, including all the headers. ------

Return-path: <admin@TIMFORDSWEBSITE.COM>
Received: from keenesystems.com ([66.135.33.211]:2370 helo=server211)
by absolut.x10hosting.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.77)
(envelope-from <admin@TIMFORDSWEBSITE.COM>)
id 1TGwSW-002hHe-Lc
for fi.nadiamonti@gmail.com; Wed, 26 Sep 2012 13:35:44 -0500
MIME-Version: 1.0
Date: Wed, 26 Sep 2012 13:35:43 -0500
X-Priority: 3 (Normal)
X-Mailer: Ximian Evolution 3.9.9 (8.5.3-6)
Subject: New staff members wanted at Auction It Online
From: admin@TIMFORDSWEBSITE.com
Reply-To: Marie.Glorioso@rjauctiondropoff.com
To: "Nadia Monti" <fi.nadiamonti@gmail.com>
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Message-ID: <OUTLOOK-IDM-9aed7054-6a3e-e1a4-1d5c-3e73377652a6@server211>

Date : 26 September 2012=0ATime : 13:35=0ASender : Dennise Halcomb Head =
Office Manager of RJ Auction Drop-Off Int.=0A=0ANice to meet you Nadia M=
onti=0A=0ARJ ADO Ltd., a USA based company, offers a significant amount =
of goods worldwide for our customers on eBay and other auction venues. =
Our company's main target is to provide a suitable and cost-effective se=
rvice for any person, company or fundraising company. The main purpose o=
f the administrative assistant / sales support representative is to cont=
ribute to the sales force and add convenience to our cost-effective serv=
ice dedicated to individuals, businesses, and organizations worldwide. O=
ur HR department obtained your resume from one of the various job-orient=
ed websites just to offer you this post.=0A=0AWorking Schedule: This is =
a part time and home-based offer. You won't need to spend more than 3 ho=
urs each day. Your =0Aschedule will be flexible.=0A=0ASalary: At the end=
of the trial period (it lasts for 1 month) you will be paid 1,800 EUR. =
With the average volume of clients your overall income will raise up to =
3,000 EUR per month. After the trial period is over your base salary wil=
l grow up to 2,500 EUR per month, so you will earn 5% commission from th=
e transactions completed.=0A=0AWhere?: Italy Wide. As it is a stay at ho=
me position all the communication will be carried out via email and via =
phone.=0A=0ARequirements: Access to the internet during the workday and =
basic microsoft office skills are needed. Basic knowledge of English is =
required (most of the contacts will be in English).=0A=0ACosts and Fees:=
There are NO costs at any time for our employees. All fees related to t=
his position are covered by the RJ ADO Co. Ltd..=0A=0AFurther Hiring Pro=
cess: If you are interested in position we offer, please reply to this e=
mail and send us the copy of your resume for verification.=0A=0AAfter re=
viewing all of the received applications we will reply to successful app=
licants only. Then we'll offer to these successful applicants a position=
within our firm on a trial period basis for one month beginning from th=
e date you sign a trial agreement. During this trial period you will rec=
eive full guidance and support. Employees on a one monthly trial period =
are evaluated at least one week prior to the end of their trial. During =
the trial, your supervisor can recommend termination. At the end of the =
trial period, the supervisor can offer continued employment, extension o=
f trial period, or termination. After the trial period you may ask for m=
ore hours or continue full-time.=0A=0AIf you are interested in this posi=
tion, just reply to this email and send any questions you have and the c=
opy of your resume for verification.=0A=0AThank You,=0AHR-Manager of RJ =
ADO Co. Ltd.=0A=0APermission Settings=0AYou have been referred to RJ Auc=
tion Drop-Off If you feel you received this email in error or do not wis=
h to receive future messages, please reply to this message with "remove"=
in the subject field. We will immediately update our database according=
ly. =0AWe apologize for any inconvenience caused.=0A=0ARJ Auction Drop-O=
ff Co. Ltd.


I'm not aware of how this has happened. I'm not sure how anyone could have got hold of my password. It's a simple WordPress install; at some point recently my host went down and there was a fresh install of WordPress with default admin accounts, and I have a feeling it could be something to do with this. My question is, even though I've changed all my passwords it's all still happening, so is there anywhere in particular this script would be stored on my host? I really can't deal with having my hosting account suspended and my email account sending all this spam.

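As an added example (not from the original post): the Received: header in the bounce above says the message entered absolut.x10hosting.com "with esmtpsa", which is Exim's tag for ESMTP over TLS with SMTP AUTH, from 66.135.33.211, so the sender logged in with the mailbox's own credentials from a remote host rather than the mail being submitted locally by a script on the web server. This Python parses that header and decodes a piece of the quoted-printable body; the Received line and body snippet are copied from the bounce in the question.

```python
import quopri
import re

# Copied from the Exim "Received:" header in the quoted bounce (folded as in the mail).
RECEIVED = (
    "Received: from keenesystems.com ([66.135.33.211]:2370 helo=server211)\n"
    "\tby absolut.x10hosting.com with esmtpsa (TLSv1:RC4-MD5:128)\n"
    "\t(Exim 4.77)\n"
    "\t(envelope-from <admin@TIMFORDSWEBSITE.COM>)\n"
    "\tid 1TGwSW-002hHe-Lc\n"
    "\tfor fi.nadiamonti@gmail.com; Wed, 26 Sep 2012 13:35:44 -0500"
)

# Exim protocol tags: esmtpa = ESMTP with SMTP AUTH, esmtpsa = the same over TLS,
# local = submitted by a process on the server itself (for example PHP's mail()).
AUTHENTICATED = {"esmtpa", "esmtpsa"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[\d.]+)\](?::\d+)?\s+helo=(?P<helo>[^)]+)\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\w+)"
    r".*?envelope-from\s+<(?P<env_from>[^>]+)>",
    re.DOTALL,
)

def parse_received(header):
    """Unfold the header and pull out the fields that say where the mail entered."""
    folded = re.sub(r"\n[ \t]+", " ", header)
    m = RECEIVED_RE.search(folded)
    if not m:
        raise ValueError("unrecognised Received header")
    info = m.groupdict()
    info["authenticated"] = info["proto"].lower() in AUTHENTICATED
    return info

def classify(info):
    """Distinguish a rogue script on the web host from stolen mailbox credentials."""
    if info["proto"].lower() == "local":
        return "submitted locally: look for a rogue script on the web host"
    if info["authenticated"]:
        return "authenticated SMTP from %s: the mailbox password was used remotely" % info["ip"]
    return "unauthenticated relay from %s" % info["ip"]

# First lines of the quoted-printable body; "=0A" is a newline, "=" at end of line a soft break.
BODY_QP = ("Date : 26 September 2012=0ATime : 13:35=0ASender : Dennise Halcomb Head =\n"
           "Office Manager of RJ Auction Drop-Off Int.")

def decode_body(qp):
    """Decode a quoted-printable body so the spam text can be read as sent."""
    return quopri.decodestring(qp.encode()).decode("utf-8", "replace")
```

A "local" tag would instead point at a script on the web host, which is what the log and file review in the comments below is for.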

3 Comments


@Becky754

Back up the database and files and then wipe the files and reinstall the app(?). Then restore the database and migrate the files you know aren't compromised, like CSS, images etc. You might have to redo some work, but it's probably your safest bet.


@Jessie594

Hiding forms won't solve the problem; most bots will continue posting to the forms even if they are hidden. If you're running a blog and have been compromised through cross-site scripting, chances are a rogue PHP file may have been placed into your file system, which will be difficult to detect. A free host is probably not going to scan your files for you like most credible shared hosting providers.

Upgrade your software, change your passwords. Review all folders and files on your site to ensure they are clean and nothing has been placed there. Review your log files; if you're still infected, make a backup, then delete everything and re-install your software using the latest versions.

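An added example of the file review the comment above suggests (my own code, not anything from the thread): it walks a WordPress tree and flags PHP files under wp-content/uploads (WordPress never ships executable PHP there), files containing an obfuscated eval, and files changed after a chosen time. The sample install it builds in a temporary directory is constructed for the demonstration.

```python
import os
import re
import tempfile
import time

# Constructs that recur in injected PHP; a hit means "open this file and look", not proof.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]",
    re.IGNORECASE,
)
PHP_EXT = (".php", ".phtml", ".php5")
UPLOADS = os.path.join("wp-content", "uploads")

def scan_wordpress(root, newer_than=None):
    """Return sorted (relative path, reasons) for files that merit inspection."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.relpath(path, root))
            reasons = []
            if name.lower().endswith(PHP_EXT):
                if rel.startswith(UPLOADS):
                    reasons.append("php in uploads")
                with open(path, "rb") as f:
                    if SUSPICIOUS.search(f.read()):
                        reasons.append("obfuscated eval")
            if newer_than is not None and os.path.getmtime(path) > newer_than:
                reasons.append("modified recently")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample_site():
    """Constructed sample install: one legitimate old file and two planted ones."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, UPLOADS, "2012", "09"))
    os.makedirs(os.path.join(root, "wp-includes"))
    legit = os.path.join(root, "wp-includes", "version.php")
    with open(legit, "w") as f:
        f.write("<?php $wp_version = '3.4.2';\n")
    old = time.time() - 90 * 86400          # untouched for three months
    os.utime(legit, (old, old))
    with open(os.path.join(root, UPLOADS, "2012", "09", "image.php"), "w") as f:
        f.write("<?php // planted: any PHP under uploads is suspect\n")
    with open(os.path.join(root, "wp-includes", "class-wp-x.php"), "w") as f:
        f.write("<?php eval(base64_decode('aGVsbG8='));\n")
    return root

def demo():
    """Scan the constructed site, flagging anything changed in the last day."""
    return scan_wordpress(build_sample_site(), newer_than=time.time() - 86400)
```

Run demo() to see the two planted files listed with their reasons while version.php stays quiet; on a real install, compare the hits against a fresh copy of the same WordPress version before deleting anything.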

@Vandalay111

Just to lock everything down, start by temporarily removing all areas for user input. In other words, if you have a blog, hide the comment fields as well as any other places that a user can input data. Even if all they type in is a phone number, hide it.

Furthermore, if you are using public wifi to access the admin area of the site, stop.

The two most likely problems are injection (someone types in malicious code in a user input area that can access all information stored on your server) or session hijacking (happens when you are using public wifi without SSL.)

Once you get it locked down, you need to beef up your WordPress site with security. I think you might want to start here. Once you get that sorted, you can try opening up the user input areas again, but be careful.
