[HCoop-Help] wordpress spam, failed mail delivery notices.

Jesse Shumway layline at hcoop.net
Fri May 17 18:21:30 EDT 2013


Hello,

You can wait until Clinton or one of the other admins has a chance to take a look at it. Or, you can look at my suggestions while you wait - for what they're worth.

I'm not an admin nor do I have any knowledge of PHP or wordpress for that matter. With these shortcomings revealed, I'd suggest you drill down into your wordpress PHP scripts. It might be the source of the PHP injection attack that turns your wordpress instance into a spam machine. Is 10924 your user id?

> X-PHP-Originating-Script: 10924:akismet.php(32) : runtime-created function(9) : eval()'d code(1) : eval()'d code


The X-Originating-IP field could be spoofed, but ask yourself: does the address 89.28.14.25 seem reasonable? It's a dynamic IP address belonging to the Starnet ISP in Moldova.

> X-Originating-IP: 89.28.14.35


I'm sure there's a log somewhere of outbound email, but you might need some admin permissions to view it. You could search it by the 'To:' and 'Message-Id:' fields you're seeing in these bounce summaries. This would tell you if indeed your site is originating the spam.

Have you searched to see if there are any PHP injection attacks against this version of wordpress? Ones with a locus of line 32 in akismet.php. Here's one I just stumbled across with a simple google search…

  http://wordpress.org/support/topic/site-hacked-through-akismet

This forum post above might have some provocative insights for you, short of shutting down your site.

Good luck and have fun!

-- Jesse Shumway  <layline AT hcoop.net>

On May 17, 2013, at 3:02 PM, Yagnesh Raghava Yakkala <yagnesh at hcoop.net> wrote:

> 
> Hello all,
> 
> My inbox is getting filled with mail delivery failure notices today (similar
> to the attached mail). It looks like it has something to do with akismet spam
> filter on my wordpress site (sapporoindians.com). I don't understand the
> problem.
> 
> Any insights would be great on:
> - how to know which program is initiating mail delivery
> - how to stop receiving failure notices to my inbox
> 
> FYI, I haven't touched anything on my site for a long while now.
> 
> Thanks.
> 
> 
> From: Mail Delivery System <Mailer-Daemon at deleuze.hcoop.net>
> Subject: Mail delivery failed: returning message to sender
> Date: May 17, 2013 2:40:50 PM EDT
> To: yagnesh at hcoop.net
> 
> 
> This message was created automatically by mail delivery software.
> 
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
> 
>  peb756 at aol.com
>    SMTP error from remote mail server after RCPT TO:<peb756 at aol.com>:
>    host mailin-03.mx.aol.com [205.188.156.193]: 550 5.1.1 <peb756 at aol.com>:
>    Recipient address rejected: aol.com
> 
> ------ This is a copy of the message, including all the headers. ------
> 
> Return-path: <yagnesh at hcoop.net>
> Received: from navajos.hcoop.net ([69.90.123.70] ident=yagnesh)
> 	by deleuze.hcoop.net with smtp (Exim 4.63)
> 	(envelope-from <yagnesh at hcoop.net>)
> 	id 1UdPa8-0007IJ-Ot
> 	for peb756 at aol.com; Fri, 17 May 2013 14:40:45 -0400
> Received: by navajos.hcoop.net (sSMTP sendmail emulation); Fri, 17 May 2013 14:40:44 -0400
> From: "yagnesh" <yagnesh at hcoop.net>
> X-Originating-IP: 89.28.14.35
> Date: Fri, 17 May 2013 14:40:44 -0400
> To: peb756 at aol.com
> Subject: Celebrate the May with 10% off for All Brands and Generics in our Store
> X-PHP-Originating-Script: 10924:akismet.php(32) : runtime-created function(9) : eval()'d code(1) : eval()'d code
> Message-Id: <1307461067.1496 at sapporoindians.com>
> MIME-Version: 1.0
> Content-Type: text/html
> Content-Transfer-Encoding: 8bit
> 
> 
> 
> Dear Peter,<br />
> <br />
> Celebrate the May with 10% off for all Brands and Generics in our Store - use <b>Your 10% discount code: 7728315</b> at checkout for big savings.<br />
> <a href='http://fenstercamp.com/counter.php?936fb43bcac53278bf834a76f'>By reordering with us</a> you always getting best price for genuine quality and great customer service.<br />
> All goods are delivered in 7-10 business days or sooner, with live package tracking. Nothing gets lost or we will reship at no additional cost to you.<br />
> <br />
> Best regards,<br />
> RxDiler<br />
> <br />
> DISCLAIMER:<br />
> ……
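
The header check suggested in the reply above, as an added example that is not part of the original post: it splits the `X-PHP-Originating-Script` value from the bounced copy into user id, script, line number and the chain of dynamically generated code frames, and pulls out the `To` and `Message-Id` values to search an outbound mail log for. The header text is copied from the bounce quoted in this thread (addresses keep the archive's " at " obfuscation); the function names and the assumed `UID:frame : frame : ...` layout are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample: selected headers copied from the bounce quoted in this thread.
SAMPLE_BOUNCE_COPY = """\
From: "yagnesh" <yagnesh at hcoop.net>
X-Originating-IP: 89.28.14.35
To: peb756 at aol.com
Subject: Celebrate the May with 10% off for All Brands and Generics in our Store
X-PHP-Originating-Script: 10924:akismet.php(32) : runtime-created function(9) : eval()'d code(1) : eval()'d code
Message-Id: <1307461067.1496 at sapporoindians.com>

Dear Peter,<br />
"""

# A frame looks like "akismet.php(32)" or "eval()'d code(1)"; the last frame may lack a line number.
FRAME_RE = re.compile(r"^(?P<name>.+?)(?:\((?P<line>\d+)\))?$")
DYNAMIC = ("eval()'d code", "runtime-created function")

def parse_php_origin(value):
    """Split 'UID:frame : frame : ...' (assumed layout) into uid and (name, line) frames."""
    uid, _, chain = value.partition(":")
    frames = []
    for part in chain.split(" : "):
        m = FRAME_RE.match(part.strip())
        frames.append((m.group("name"), int(m.group("line")) if m.group("line") else None))
    return int(uid), frames

def triage(raw_message):
    """Return the fields to search the outbound mail log for, plus any dynamic-code frames."""
    msg = message_from_string(raw_message)
    origin = msg["X-PHP-Originating-Script"]
    if origin is None:  # message was not sent through PHP mail() with this header enabled
        return None
    uid, frames = parse_php_origin(origin)
    return {
        "uid": uid,
        "script": frames[0][0],
        "script_line": frames[0][1],
        "dynamic_frames": [name for name, _ in frames[1:] if name in DYNAMIC],
        "to": msg["To"],
        "message_id": msg["Message-Id"],
        "originating_ip": msg["X-Originating-IP"],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BOUNCE_COPY).items():
        print(f"{key}: {value}")
```

A non-empty `dynamic_frames` list means the mail was sent from code generated at run time rather than from the named script's own source, which is the pattern the reply points at.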

