This morning I found 3000 bounce messages in my spam folder. They were being sent from a script running on a customer's account. I dove into it. Keep in mind I'm kinda a linux newb.
The customer is using Joomla (the only Joomla install on my VPS).
The script had an owner of nobody, and I did not find anything in the FTP log. Customer says he has not touched the site in a year. This tells me it was some sort of web based attack, not an account compromise.
The script was found in /modules/mod_osdonate/elements/murmur
The other file was an obfuscated but simple PHP file that allowed the contents of a POST to the file to be eval'd.
I started looking around and found this in the log:
This entry has the same timestamp as the mod_osdonate directory. It's the only one in the log with that IP, and there were no other log entries for 3 hours before and 12 hours after. The IP is a Comcast IP.
The entries continued until I killed it nearly 10 hours later. IP is from Malaysia.
So now what? Any ideas on figuring out how they got in?
cPanel cron checks for scripts that send mail, but to me finding scripts that eval are much worse. Anyone know what script does the searching for mail (newmailcgi) in the cron so I can update it to search for eval? Or any other tips? Anyone see this before? This is my first compromise and it makes me feel like I shouldn't be running a VPS. lol.
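Added example, not part of the thread and not cPanel's newmailcgi check: two POSIX sh functions an admin could drop into a cron job to look for exactly the two things noticed above, PHP files that eval() request input or decoded blobs, and files under a docroot that are not owned by the account (a drop via a vulnerable web app ends up owned by the web server user, nobody here, rather than the FTP account). The Joomla-like directory tree it scans is constructed inline for an offline run; the murmur.php fixture only carries the markers the scanner looks for and does nothing with request input. The path, file names and tag labels are assumptions for the example.

```shell
#!/bin/sh
# Added example (not cPanel's newmailcgi and not from the thread): cron-friendly
# checks for the kind of file described above. Assumes POSIX sh with find,
# grep and mktemp.

# scan_php_for_eval DIR
#   Lists PHP files under DIR that call eval(). Files that also reference
#   request input ($_POST/$_GET/$_REQUEST/$_COOKIE) or the usual decoding
#   helpers (base64_decode, gzinflate, gzuncompress, str_rot13) are tagged
#   EVAL+INPUT/DECODE; a bare eval() is tagged EVAL for manual review.
scan_php_for_eval() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) 2>/dev/null |
    while IFS= read -r f; do
        # basic regex: "eval", optional spaces, literal "(" (also catches @eval()
        if grep -q 'eval *(' "$f" 2>/dev/null; then
            if grep -Eq 'base64_decode|gzinflate|gzuncompress|str_rot13|\$_(POST|GET|REQUEST|COOKIE)' "$f"; then
                printf '%s\tEVAL+INPUT/DECODE\n' "$f"
            else
                printf '%s\tEVAL\n' "$f"
            fi
        fi
    done
}

# list_files_not_owned_by DIR USER
#   Lists files under DIR whose owner is not USER. On a cPanel box the account
#   owns what it uploads over FTP; something written by PHP through the web
#   server shows up owned by nobody, which is the clue in the post above.
list_files_not_owned_by() {
    find "$1" -type f ! -user "$2" 2>/dev/null
}

# make_sample_dir
#   Builds a constructed Joomla-like tree in a temp directory so the scanner
#   can be exercised offline. The murmur.php fixture has the markers the
#   scanner keys on but only evaluates a constant.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/modules/mod_osdonate/elements"
    cat > "$d/modules/mod_osdonate/helper.php" <<'EOF'
<?php
function osdonate_render($amount) { return htmlspecialchars($amount); }
EOF
    cat > "$d/modules/mod_osdonate/elements/murmur.php" <<'EOF'
<?php
// constructed fixture: carries the markers, but only evaluates a constant
$n = isset($_POST['c']) ? strlen($_POST['c']) : 0;
$decoded = base64_decode('MQ==');
eval('return 1;');
EOF
    cat > "$d/modules/plain.php" <<'EOF'
<?php
eval('return 2;'); // constructed fixture: eval without input or decoding
EOF
    cat > "$d/README.txt" <<'EOF'
eval( in a non-PHP file is skipped by the extension filter
EOF
    printf '%s\n' "$d"
}

# Stand-alone use:  sh scan.sh /home/customer/public_html customer
if [ "$#" -gt 0 ]; then
    scan_php_for_eval "$1"
fi
if [ "$#" -gt 1 ]; then
    list_files_not_owned_by "$1" "$2"
fi
```

Run it from cron against each account's docroot and mail yourself the output; the EVAL line on its own is a review queue, not a verdict, since a few legitimate PHP libraries do call eval(), and the ownership listing is what narrows a hit down to something the web server wrote rather than the customer.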
@turbo2ltr erase the malicious script or consider a fresh reinstall of Joomla. Tell your customer that he must use strong FTP passwords. Furthermore, install ClamAV on the server and perform a recursive scan of the directories. Cheers.
I got the same link in a spam email, linking to /modules/mod_osdonate/bookmark.php. The thing is, the compromised website (a small static info site for a brick-and-mortar business) had no donate buttons anywhere. So I'm not sure if this module has been on there before and was then exploited, or if the hack injected this module or code disguised as this module.
I reached out to the makers of osdonate to see if the module was compromised or if it was just completely replaced and just using the name, but they never got back to me. My customer wasn't using it either.