Channel: Web Application Security Forum - SPAM

Found some spammer files on my web server (no replies)

I've been getting some failed mail delivery reports at my catch-all email address on my server. Finding this weird, I had a feeling there was spam coming out of it.

Connecting through FTP, I found some definitely odd files.

1. A file violin.php which let the spammers send mail out of my server and domain through POST parameters.

2. Three obscure, randomly named HTML files which were empty except for small obfuscated JavaScript that redirected to spam/adult websites and pop-ups.

3. One file in cgi-bin, "mhstchk.cgi", which seems to be the first file they put on the server. It seems to gather information about the server in order for them to decide whether it'll work for their spammer needs. Here are a few lines from the beginning:

my $smtp = 'smtp.yandex.ru';
my $dns = '194.173.175.100';

my $fpart = "hello_my_little_friend._You_have_download_this_page_and_see_this_source.";
my $lpart = "_We_do_not_delete_anything_only_upload_change_your_passwords_and_do_not_say_it_to_anybody";

And then it goes on to print "uname -a", test Perl modules, the SMTP server, some DNS tests, etc.
Now I'm wondering how they got the files on the server. Exploit of Apache? Do I need to tell my hosting company to check for cracks in this shared server? Brute-forcing my PHP password? Exploit in WordPress?

Anyone see this before?

EDIT: Just found them in my FTP access logs. So did they just brute-force my password? It seems there were more files they put in my cgi folder that they have since deleted. Also, it seems that CGI file was there for a long time.
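The three file types the post describes (a POST-driven PHP mailer, near-empty HTML pages carrying an obfuscated redirect script, and a CGI reconnaissance script) can be triaged across a web root with simple heuristics. The scanner below is an added example, not code from the post; the function names, the regexes and the sample files it builds in a temporary directory are all constructed here, and the patterns are heuristics a site owner would tune, not signatures.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Heuristic indicators for the file types described in the post (constructed, tune per site).
PHP_MAILER = re.compile(r"\$_(POST|REQUEST)\b.*?\bmail\s*\(|\bmail\s*\(.*?\$_(POST|REQUEST)\b", re.S)
JS_OBFUSCATION = re.compile(r"unescape\s*\(|eval\s*\(|fromCharCode|document\.write\s*\(", re.I)
JS_REDIRECT = re.compile(r"location\.(href|replace)|window\.open|top\.location", re.I)
CGI_RECON = re.compile(r"uname\s+-a|Net::SMTP|smtp\.|Net::DNS", re.I)


def classify(path: Path) -> Optional[str]:
    """Return a reason if the file matches one of the indicator types, else None."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    suffix = path.suffix.lower()
    if suffix == ".php" and PHP_MAILER.search(text):
        return "php: mail() driven by POST/REQUEST input (web mailer)"
    if suffix in (".html", ".htm"):
        # A page that is empty once its <script> blocks are removed is the "empty except
        # for obfuscated JavaScript" shape the post describes.
        body = re.sub(r"<script.*?</script>", "", text, flags=re.S | re.I)
        if len(body.strip()) < 200 and JS_OBFUSCATION.search(text) and JS_REDIRECT.search(text):
            return "html: near-empty page with obfuscated redirect script"
    if suffix in (".cgi", ".pl") and CGI_RECON.search(text):
        return "cgi: server reconnaissance (uname / SMTP / DNS probes)"
    return None


def scan_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk a web root and return (relative path, reason) for every flagged file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            reason = classify(p)
            if reason:
                findings.append((str(p.relative_to(root)), reason))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed web root with benign and suspicious files, then scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample content; hostnames are placeholders
        "index.php": "<?php echo 'hello'; ?>",
        "violin.php": "<?php mail($_POST['to'], $_POST['subj'], $_POST['body']); ?>",
        "a8f3k.html": "<html><script>eval(unescape('%77%69'));top.location='http://example.invalid';</script></html>",
        "about.html": "<html><body>" + "Real content. " * 30 + "</body></html>",
        "cgi-bin/mhstchk.cgi": "#!/usr/bin/perl\nmy $smtp = 'smtp.example.invalid';\nprint `uname -a`;\n",
    }
    for rel, content in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return scan_webroot(root)
```

Run `demo()` to see the three planted files flagged while `index.php` and `about.html` pass; in practice, pair the hits with FTP access-log timestamps as the poster did to establish when and how each file arrived.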
