hacked, mail relay

Posted: 02 Jun 2018, 13:43
by rlerner
I had a Joomla site hacked last night; they relayed some emails. Trying to figure out how they got in. Looks like they used sendmail. Here are the CSF notifications (without actual domain name or email addresses). The configuration.php file referred to as a possible script is the Joomla file last updated 2016. Don't think that was part of the issue, but they probably used it to pull the title of the site in their relayed mail. The hack was served from the Philippines. Account is currently suspended. Would appreciate any help interpreting these logs or tips on what to look for or harden:

Time: Fri Jun 1 22:40:43 2018 -0400
Path: '/home/CpanelID/public_html'
Count: 151 emails sent

Sample of the first 10 emails:

2018-06-01 22:25:43 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com
2018-06-01 22:25:43 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com
2018-06-01 22:27:38 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com
2018-06-01 22:27:39 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com
2018-06-01 22:28:06 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com
2018-06-01 22:28:06 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com
2018-06-01 22:29:59 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com
2018-06-01 22:29:59 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com
2018-06-01 22:30:07 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com
2018-06-01 22:30:07 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com


Possible Scripts:

'/home/CpanelID/public_html/configuration.php'

Time: Fri Jun 1 22:44:14 2018 -0400
Type: LOCALRELAY, Local Account - mycpanelID
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2018-06-01 22:36:45 1fOwPN-0005fl-Tf <= mysendmail@domain.com U= mycpanelID P=local S=1057 id=7ca41646f9d3a9c7b48b45eb9f188595@domain.com T="Copy of: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for 1123699120@qq.com
2018-06-01 22:36:55 1fOwPW-0005g9-Vq <= mysendmail@domain.com U= mycpanelID P=local S=1004 id=46d706937d7e5e468c47c414f977e81c@domain.com T="Title of Site: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for myemail@domain.com
2018-06-01 22:36:55 1fOwPX-0005gC-1e <= mysendmail@domain.com U= mycpanelID P=local S=1053 id=546a68211cb9e347b0115a0be1f3a107@domain.com T="Copy of: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for 281456259@qq.com
2018-06-01 22:37:03 1fOwPf-0005gQ-1w <= mysendmail@domain.com U= mycpanelID P=local S=1012 id=1166677413b477a6db458a4c904e0ddf@domain.com T="Title of Site: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for myemail@domain.com
2018-06-01 22:37:03 1fOwPf-0005gT-4X <= mysendmail@domain.com U= mycpanelID P=local S=1069 id=85f3101b37438b09e24bc3504a9e56f9@domain.com T="Copy of: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for lizhu1995412@163.com
2018-06-01 22:37:11 1fOwPn-0005gg-54 <= mysendmail@domain.com U= mycpanelID P=local S=1004 id=d62cdbc19b45ea33e2bb0456cfbde4cf@domain.com T="Title of Site: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for myemail@domain.com
2018-06-01 22:37:11 1fOwPn-0005gj-7q <= mysendmail@domain.com U= mycpanelID P=local S=1053 id=ba1d5a733da20cc9ec10f0c37079a2e3@domain.com T="Copy of: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for 413977617@qq.com
2018-06-01 22:37:27 1fOwQ3-0005h4-CV <= mysendmail@domain.com U= mycpanelID P=local S=1006 id=2726955600febad1adc8f0f5e5e0547a@domain.com T="Title of Site: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for myemail@domain.com
2018-06-01 22:37:27 1fOwQ3-0005h9-G0 <= mysendmail@domain.com U= mycpanelID P=local S=1057 id=3c11cb7392e95d4962ef9eea30f379cd@domain.com T="Copy of: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for 1904371554@qq.com
2018-06-01 22:37:35 1fOwQB-0005hP-GH <= mysendmail@domain.com U= mycpanelID P=local S=1006 id=56cecc198cdecaf50edbb91125a3bb64@domain.com T="Title of Site: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for myemail@domain.com
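An added example, not code from the post, from CSF or from Joomla, that parses the two line formats in the alert above: the lfd lines recording each sendmail invocation (working directory plus arguments) and the Exim "<=" lines recording each accepted message. It rebuilds the \NNN octal escapes that Exim uses for non-ASCII bytes in subjects into UTF-8 text, counts invocations per working directory, reports which outside domains received "Copy of:" mail, and measures the peak sending rate in a sliding window. The sample lines are constructed from the ones quoted above; the local domain name (domain.com) and the 5-minute window are assumptions. The pairing visible in the sample, one "Title of Site: subject" message to the site owner and one "Copy of: subject" message to an outside address, is the shape of mail that Joomla's contact component produces when a submitter ticks "send a copy to yourself", so the copy count to external addresses is the number worth watching.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample built from the line formats quoted in the post (a CSF/lfd alert
# on an Exim/cPanel host). Account names, domains and addresses are the post's own
# placeholders, not real ones.
SAMPLE_ALERT_LINES = [
    r"2018-06-01 22:25:43 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com",
    r"2018-06-01 22:25:43 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com",
    r"2018-06-01 22:27:38 cwd=/home/CpanelID/public_html 4 args: /usr/sbin/sendmail -t -i -f mysendmail@domain.com",
    r'2018-06-01 22:36:45 1fOwPN-0005fl-Tf <= mysendmail@domain.com U= mycpanelID P=local S=1057 id=7ca41646f9d3a9c7b48b45eb9f188595@domain.com T="Copy of: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for 1123699120@qq.com',
    r'2018-06-01 22:36:55 1fOwPW-0005g9-Vq <= mysendmail@domain.com U= mycpanelID P=local S=1004 id=46d706937d7e5e468c47c414f977e81c@domain.com T="Title of Site: \347\214\252\345\206\212\345\256\213\350\217\234\351\221\25318\345\217\257\346\217\220" for myemail@domain.com',
]

# lfd line: timestamp, working directory of the process that ran sendmail, argv.
SENDMAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<args>.*)$"
)
# Exim "<=" line (message accepted). The "U= user" spacing follows the quoted lines.
EXIM_IN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"U= ?(?P<user>\S+) P=(?P<proto>\S+) S=(?P<size>\d+) id=(?P<id>\S+) "
    r'T="(?P<subject>(?:[^"\\]|\\.)*)" for (?P<rcpt>.+)$'
)
OCTAL_RE = re.compile(r"\\([0-7]{3})")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def decode_exim_escapes(text):
    """Exim writes non-printable bytes as \\NNN octal. Rebuild the raw bytes and decode as UTF-8."""
    buf = bytearray()
    pos = 0
    for m in OCTAL_RE.finditer(text):
        buf += text[pos:m.start()].encode("utf-8")
        buf.append(int(m.group(1), 8))
        pos = m.end()
    buf += text[pos:].encode("utf-8")
    return buf.decode("utf-8", errors="replace")


def parse_alert_line(line):
    """Classify one alert line as a sendmail invocation, an Exim receipt, or None (header text)."""
    m = SENDMAIL_RE.match(line)
    if m:
        return {"kind": "invocation", "ts": parse_ts(m["ts"]), "cwd": m["cwd"],
                "args": m["args"].split()}
    m = EXIM_IN_RE.match(line)
    if m:
        return {"kind": "receipt", "ts": parse_ts(m["ts"]), "msgid": m["msgid"],
                "sender": m["sender"], "user": m["user"], "size": int(m["size"]),
                "subject": decode_exim_escapes(m["subject"]), "rcpt": m["rcpt"].strip()}
    return None


def max_sends_in_window(timestamps, window=timedelta(minutes=5)):
    """Peak number of events inside any sliding window of the given length."""
    ts = sorted(timestamps)
    peak, j = 0, 0
    for i, start in enumerate(ts):
        while j < len(ts) and ts[j] - start <= window:
            j += 1
        peak = max(peak, j - i)
    return peak


def summarize_alert(lines, local_domain):
    """Aggregate an alert: who sent from where, who received copies, and how fast."""
    events = [e for e in map(parse_alert_line, lines) if e]
    invocations = [e for e in events if e["kind"] == "invocation"]
    receipts = [e for e in events if e["kind"] == "receipt"]
    external = [r for r in receipts if not r["rcpt"].lower().endswith("@" + local_domain)]
    return {
        "invocations": len(invocations),
        "receipts": len(receipts),
        "cwd_counts": Counter(i["cwd"] for i in invocations),
        "sender_flags": Counter(" ".join(i["args"][1:]) for i in invocations),
        "external_recipients": Counter(r["rcpt"].rsplit("@", 1)[-1].lower() for r in external),
        "copy_subjects": sum(1 for r in external if r["subject"].startswith("Copy of: ")),
        "peak_per_5min": max_sends_in_window([e["ts"] for e in events]),
        "subjects": sorted({r["subject"] for r in receipts}),
    }


if __name__ == "__main__":
    for key, value in summarize_alert(SAMPLE_ALERT_LINES, "domain.com").items():
        print(f"{key}: {value}")
```

Run it against the full alert text rather than the ten-line sample to get real totals; the cwd count tells you which document root the sending script lives in, and a non-zero "copy_subjects" count with outside recipient domains is the signature of a contact form being used as a relay. On the Joomla side the corresponding hardening is to turn off the contact component's "send copy to submitter" option and require a captcha on the form, which removes the path that produces those "Copy of:" messages.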

Re: hacked, mail relay

Posted: 02 Jun 2018, 14:05
by rlerner
The logs show a series of GET/POST attempts using the built-in contact page in Joomla which I would think is fairly secure, although the site was on 3.8.6, updated this morning to 3.8.8:

120.28.41.123 - - [01/Jun/2018:22:52:42 -0400] "GET /index.php/contact/5-steam-parent-leader HTTP/1.1" 200 17679 "http://domain.com/index.php/contact/5-s ... ent-leader" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"

120.28.41.123 - - [01/Jun/2018:22:52:46 -0400] "POST /index.php/contact HTTP/1.1" 404 1317 "http://domain.com/index.php/contact/5-s ... ent-leader" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"
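An added example, not the poster's code or Joomla's, for the cross-check the second post is doing by eye: parse Apache combined-format lines, keep the requests that hit the contact component, count POSTs per client IP, and pair each POST with the first message Exim accepted within a few seconds after it (the Exim acceptance times come from the first post). The two quoted access lines are the post's; the other sample lines, the mail-time list and the 10-second pairing window are constructed assumptions. POSTs that no mail follows, such as the 404 one quoted above, are reported separately so they can be told apart from submissions that did produce mail.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: the two access-log lines quoted in the post plus three lines
# invented here (marked "constructed") so the correlation has something to pair.
# The IP and paths are the post's; the invented lines are not from the server.
SAMPLE_ACCESS_LINES = [
    '120.28.41.123 - - [01/Jun/2018:22:36:44 -0400] "POST /index.php/contact/5-steam-parent-leader HTTP/1.1" 303 - "-" "Mozilla/5.0 (constructed)"',
    '120.28.41.123 - - [01/Jun/2018:22:36:54 -0400] "POST /index.php/contact/5-steam-parent-leader HTTP/1.1" 303 - "-" "Mozilla/5.0 (constructed)"',
    '120.28.41.123 - - [01/Jun/2018:22:52:42 -0400] "GET /index.php/contact/5-steam-parent-leader HTTP/1.1" 200 17679 "http://domain.com/index.php/contact/5-s ... ent-leader" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"',
    '120.28.41.123 - - [01/Jun/2018:22:52:46 -0400] "POST /index.php/contact HTTP/1.1" 404 1317 "http://domain.com/index.php/contact/5-s ... ent-leader" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"',
    '198.51.100.7 - - [01/Jun/2018:22:40:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"',
]

# Constructed: acceptance times of two relayed messages, taken from the Exim lines in
# the first post (22:36:45 and 22:36:55 server time, which the access log shows as UTC-4).
LOCAL_TZ = timezone(timedelta(hours=-4))
SAMPLE_MAIL_TIMES = [
    datetime(2018, 6, 1, 22, 36, 45, tzinfo=LOCAL_TZ),
    datetime(2018, 6, 1, 22, 36, 55, tzinfo=LOCAL_TZ),
]

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"]),
            "referer": m["referer"], "ua": m["ua"]}


def contact_requests(lines, prefix="/index.php/contact"):
    """Requests (GET or POST) whose path is the contact component or one of its items."""
    reqs = [r for r in map(parse_access_line, lines) if r]
    return [r for r in reqs if r["path"] == prefix or r["path"].startswith(prefix + "/")]


def posts_per_ip(lines):
    """How many contact-form POSTs each client IP made."""
    return Counter(r["ip"] for r in contact_requests(lines) if r["method"] == "POST")


def correlate_posts_with_mail(lines, mail_times, max_gap=timedelta(seconds=10)):
    """Pair each contact-form POST with the first message Exim accepted within max_gap after it.

    Returns (matched, unmatched): matched holds (request, mail_time) pairs, unmatched the
    POSTs that no message followed, e.g. ones the router answered with 404."""
    mails = sorted(mail_times)
    matched, unmatched = [], []
    for req in contact_requests(lines):
        if req["method"] != "POST":
            continue
        hit = next((m for m in mails if timedelta(0) <= m - req["ts"] <= max_gap), None)
        if hit is None:
            unmatched.append(req)
        else:
            matched.append((req, hit))
    return matched, unmatched


if __name__ == "__main__":
    print("contact POSTs per IP:", dict(posts_per_ip(SAMPLE_ACCESS_LINES)))
    matched, unmatched = correlate_posts_with_mail(SAMPLE_ACCESS_LINES, SAMPLE_MAIL_TIMES)
    for req, mail_ts in matched:
        print(f"{req['ip']} POST {req['path']} at {req['ts']:%H:%M:%S} -> mail accepted {mail_ts:%H:%M:%S}")
    for req in unmatched:
        print(f"{req['ip']} POST {req['path']} at {req['ts']:%H:%M:%S} status {req['status']} -> no mail")
```

Feed it the whole access log for the evening and the full list of "<=" times from the Exim log (mainlog, not just the CSF sample); every POST that lines up with an accepted message, and the IPs those POSTs came from, is the relay path, and the IPs are what to block at the firewall and compare against the time the 151 invocations started.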