Security Exploit & mail bombing

Hi There,

I was just warned by my Internet provider that my website has been used to send a bunch of emails.

Are you aware of this kind of issue?

Thanks,

In the logs I see lines like this:

mail() on [/srv/data/web/vhosts/etoele.com/htdocs/wp-content/plugins/events-and-bookings/lib/widgets/config.php:1]: To: haval.rojan@gmail.com -- Headers: From: "Bobbi Rice" <bobbi_rice@etoele.com> Reply-To:"Bobbi Rice" <bobbi_rice@etoele.com> X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit

mail() on [/srv/data/web/vhosts/etoele.com/htdocs/wp-content/plugins/events-and-bookings/lib/widgets/config.php:1]: To: haval.rojhalaty@gmil.com -- Headers: From: "Bobbi Rice" <bobbi_rice@etoele.com> Reply-To:"Bobbi Rice" <bobbi_rice@etoele.com> X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit

mail() on [/srv/data/web/vhosts/etoele.com/htdocs/wp-content/plugins/events-and-bookings/lib/widgets/config.php:1]: To: haval2014hawlery@gmail.com -- Headers: From: "Bobbi Rice" <bobbi_rice@etoele.com> Reply-To:"Bobbi Rice" <bobbi_rice@etoele.com> X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit

mail() on [/srv/data/web/vhosts/etoele.com/htdocs/wp-content/plugins/events-and-bookings/lib/widgets/config.php:1]: To: haval82@live.com -- Headers: From: "Bobbi Rice" <bobbi_rice@etoele.com> Reply-To:"Bobbi Rice" <bobbi_rice@etoele.com> X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit

mail() on [/srv/data/web/vhosts/etoele.com/htdocs/wp-content/plugins/events-and-bookings/lib/widgets/config.php:1]: To: haval@live.at -- Headers: From: "Bobbi Rice" <bobbi_rice@etoele.com> Reply-To:"Bobbi Rice" <bobbi_rice@etoele.com> X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit

mail() on [/srv/data/web/vhosts/etoele.com/htdocs/wp-content/plugins/events-and-bookings/lib/widgets/config.php:1]: To: haval_zaaxo75@hotmail.com -- Headers: From: "Bobbi Rice" <bobbi_rice@etoele.com> Reply-To:"Bobbi Rice" <bobbi_rice@etoele.com> X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit

mail() on [/srv/data/web/vhosts/etoele.com/htdocs/wp-content/plugins/events-and-bookings/lib/widgets/config.php:1]: To: havala@yahoo.com -- Headers: From: "Bobbi Rice" <bobbi_rice@etoele.com> Reply-To:"Bobbi Rice" <bobbi_rice@etoele.com> X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit

mail() on [/srv/data/web/vhosts/etoele.com/htdocs/wp-content/plugins/events-and-bookings/lib/widgets/config.php:1]: To: havalahidalgo485@yahoo.com -- Headers: From: "Bobbi Rice" <bobbi_rice@etoele.com> Reply-To:"Bobbi Rice" <bobbi_rice@etoele.com> X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit

mail() on [/srv/data/web/vhosts/etoele.com/htdocs/wp-content/plugins/events-and-bookings/lib/widgets/config.php:1]: To: havalbeboy@yahoo.com -- Headers: From: "Bobbi Rice" <bobbi_rice@etoele.com> Reply-To:"Bobbi Rice"
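
The lines above are in the shape of PHP's own mail() log, which PHP writes when php.ini sets `mail.log` (the related `mail.add_x_header` setting stamps each outgoing message with an X-PHP-Originating-Script header, so a receiving provider can point at the file as well). As an added example that is not part of the original post, the following Python script groups such lines by the script that called mail() and flags the patterns visible in the log: a caller outside PHPMailer (where wp_mail() ends up with WordPress's default transport), a call reported on line 1 of its file, a different recipient for every message, and recipients sharing a common local-part prefix. The log lines, paths and addresses in the block are constructed stand-ins; the PHPMailer allow-list and the thresholds are assumptions, not facts from the thread.

```python
"""Triage PHP mail.log lines: which script is sending, to whom, and does it look legitimate.

PHP writes one line per mail() call when php.ini sets mail.log:
    mail() on [<file>:<line>]: To: <rcpt> -- Headers: <headers>
On a stock WordPress site the only file that should appear as the caller is
PHPMailer under wp-includes/ (wp_mail() ends up there with the default transport);
any other caller is code that bypasses WordPress.
"""
import os
import re
from collections import defaultdict

# Constructed sample in the mail.log shape. Paths, names and addresses are made up.
SAMPLE_LOG = """\
mail() on [/srv/www/htdocs/wp-content/plugins/some-plugin/lib/widgets/config.php:1]: To: alice@example.org -- Headers: From: "Bobbi Rice" <bobbi_rice@example.com> Reply-To: "Bobbi Rice" <bobbi_rice@example.com> Content-Type: text/html; charset="iso-8859-1"
mail() on [/srv/www/htdocs/wp-content/plugins/some-plugin/lib/widgets/config.php:1]: To: alice2014@example.net -- Headers: From: "Bobbi Rice" <bobbi_rice@example.com> Reply-To: "Bobbi Rice" <bobbi_rice@example.com> Content-Type: text/html; charset="iso-8859-1"
mail() on [/srv/www/htdocs/wp-content/plugins/some-plugin/lib/widgets/config.php:1]: To: alice_82@example.co.uk -- Headers: From: "Bobbi Rice" <bobbi_rice@example.com> Reply-To: "Bobbi Rice" <bobbi_rice@example.com> Content-Type: text/html; charset="iso-8859-1"
mail() on [/srv/www/htdocs/wp-content/plugins/some-plugin/lib/widgets/config.php:1]: To: alicebeboy@example.info -- Headers: From: "Bobbi Rice" <bobbi_rice@example.com> Reply-To: "Bobbi Rice" <bobbi_rice@example.com> Content-Type: text/html; charset="iso-8859-1"
mail() on [/srv/www/htdocs/wp-includes/class-phpmailer.php:1700]: To: owner@example.com -- Headers: From: WordPress <wordpress@example.com> Content-Type: text/plain; charset=UTF-8
mail() on [/srv/www/htdocs/wp-includes/class-phpmailer.php:1700]: To: owner@example.com -- Headers: From: WordPress <wordpress@example.com> Content-Type: text/plain; charset=UTF-8
"""

LINE_RE = re.compile(
    r"^mail\(\) on \[(?P<path>.+?):(?P<line>\d+)\]: To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)
FROM_RE = re.compile(r"From:\s*[^<\r\n]*?<?([\w.+-]+@[\w.-]+)>?")

# Where mail() is legitimately called on a stock WordPress install (PHPMailer's mail
# transport; the file moved in WordPress 5.5). Assumption: default transport, no SMTP plugin.
ALLOWED_CALLERS = (
    "/wp-includes/class-phpmailer.php",
    "/wp-includes/PHPMailer/PHPMailer.php",
)


def parse(log_text):
    """Yield a dict per parseable line: path, line, to, from, headers."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["line"] = int(rec["line"])
        fm = FROM_RE.search(rec["headers"])
        rec["from"] = fm.group(1).lower() if fm else None
        yield rec


def triage(log_text, allowed_callers=ALLOWED_CALLERS, fanout_threshold=3, prefix_len=4):
    """Group messages by calling script and attach indicator flags. Returns {path: summary}."""
    groups = defaultdict(lambda: {"count": 0, "lines": set(), "recipients": set(), "from": set()})
    for rec in parse(log_text):
        g = groups[rec["path"]]
        g["count"] += 1
        g["lines"].add(rec["line"])
        g["recipients"].add(rec["to"].lower())
        if rec["from"]:
            g["from"].add(rec["from"])

    report = {}
    for path, g in groups.items():
        flags = []
        if not path.endswith(allowed_callers):
            flags.append("unexpected_caller")      # mail() from outside PHPMailer: code bypassing wp_mail()
        if g["lines"] == {1}:
            flags.append("mail_on_line_1")        # real source has <?php on line 1, not the mail() call
        rcpts = sorted(g["recipients"])
        if g["count"] >= fanout_threshold and len(rcpts) == g["count"]:
            flags.append("high_fanout")           # a new address per message: list mailing, not notifications
        if len(rcpts) >= fanout_threshold:
            prefix = os.path.commonprefix([r.split("@")[0] for r in rcpts])
            if len(prefix) >= prefix_len:
                flags.append("sequential_recipients")  # harvested lists are often walked alphabetically
        report[path] = {"count": g["count"], "lines": sorted(g["lines"]),
                        "recipients": rcpts, "from": sorted(g["from"]), "flags": flags}
    return report


def suspicious_scripts(report):
    """Paths worth pulling off disk for inspection, most flags and most messages first."""
    return sorted((p for p, s in report.items() if s["flags"]),
                  key=lambda p: (-len(report[p]["flags"]), -report[p]["count"]))


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for p in suspicious_scripts(rep):
        s = rep[p]
        print(f"{p}: {s['count']} msgs, from {s['from']}, flags={s['flags']}")
```

Run against a real mail.log the script returns one entry per calling file; the PHPMailer entry is the baseline of legitimate WordPress mail, and anything else in `suspicious_scripts()` is a file to pull off disk and read before deleting, since the path and its mtime are the starting point for finding how it got there.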

  • Jack Kitterhing
    • Code Norris

    Hi there @jean_baptiste_heren,

    Hope you’re well today and thanks for your question.

    We haven't had any other reports of this. Do you recognise the email addresses that have been used?

    Have you noticed any other issues at all with the site? :)

    I’m here to help.

    Thanks!

    Kind Regards

    Jack.

  • jean_baptiste_heren
    • WPMU DEV Initiate

    Hi,

    It seems quite clear that there is an issue with the mail() function that is part of plugins/events-and-bookings/lib/widgets/config.php.

    None of those addresses exist, in fact. This is being exploited for spamming.

    It should not be possible to send emails without being logged in as an admin.

    For now I have removed the extension.

  • Vaughan
    • Ex Staff

    Hi,

    I have just asked one of our developers to have a look into this. However, did you have your events as free events without requiring login?

    Maybe a spambot just submitted the RSVP for events you had listed; it's a little hard to be sure. Did you see any RSVPs on any of your events?

    Thanks

  • Vladislav
    • Dead Eye Dev

    Hello,

    Actually, there is no config.php file in the events-and-bookings/lib/widgets/ directory of the plugin (more precisely, there is no config.php file anywhere in the plugin distributable). Furthermore, Events+ doesn't even use the PHP mail() function directly; it uses the WordPress wp_mail() abstraction instead. This means that the file is some sort of third-party code and was added there in some other way, possibly suggesting that your site is compromised.

    Can you please check and make sure that all your directories are write-protected? There are also some other immediate steps you can take; perhaps these links could be useful:

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
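
The reply above gives the two facts a responder can act on: the plugin never calls mail() itself (it goes through wp_mail(), which with WordPress's default transport ends in PHPMailer), and the file must have been written there by something else, which makes directory permissions the next thing to check. As an added example that is not part of this thread or of the Events+ plugin, the following Python script runs those checks over a constructed, throw-away WordPress-like tree: it reports PHP files that call mail() directly outside PHPMailer, eval()/decoder calls and request data feeding a mailer, whole scripts crammed onto one line (the "config.php:1" pattern from the log), PHP files under wp-content/uploads, and directories writable by group or others. File contents, paths and the planted one-liner are made-up fixtures; the PHPMailer file names and the LONG_LINE threshold are assumptions.

```python
"""Find a planted mailer in a WordPress tree and the directories it could have been written into.

Each check is an indicator, not proof:
  * a PHP file calling mail() directly: WordPress sends via wp_mail() and PHPMailer,
    so outside PHPMailer itself a bare mail() is code that bypasses WordPress;
  * eval()/decoder calls, request data feeding mail(), and a whole script on one line
    (the "config.php:1" pattern seen in a PHP mail log);
  * PHP under wp-content/uploads, and directories writable by group or others.
"""
import os
import re
import stat
import tempfile

MAIL_CALL_RE = re.compile(r"\bmail\s*\(")  # \b keeps wp_mail( from matching: '_' is a word char
DECODER_RE = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
SUPERGLOBAL_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
# Assumption: default wp_mail() transport, so PHPMailer is the one legitimate mail() caller.
ALLOWED_MAIL_CALLERS = ("wp-includes/class-phpmailer.php", "wp-includes/PHPMailer/PHPMailer.php")
LONG_LINE = 80  # assumption: real source has <?php alone on line 1, not 80+ characters of code


def inspect_php(relpath, text):
    """Return indicator flags for one PHP file (relpath is relative to the WordPress root)."""
    flags = []
    calls_mail = MAIL_CALL_RE.search(text) is not None
    if calls_mail and not relpath.endswith(ALLOWED_MAIL_CALLERS):
        flags.append("direct_mail_call")
    if DECODER_RE.search(text):
        flags.append("eval_or_decoder")
    if calls_mail and SUPERGLOBAL_RE.search(text):
        flags.append("superglobal_input")  # recipient/body taken straight from the request
    lines = text.splitlines()
    if lines and len(lines) <= 2 and len(lines[0]) > LONG_LINE:
        flags.append("single_line_script")
    if relpath.startswith("wp-content/uploads/"):
        flags.append("php_in_uploads")
    return flags


def scan(root):
    """Walk a WordPress install; return {relative path: [flags]} for files and directories."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != "." and os.lstat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings[rel_dir] = ["group_or_world_writable"]
        for name in files:
            if not name.endswith(".php"):
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name))
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                flags = inspect_php(rel, fh.read())
            if flags:
                findings[rel] = flags
    return findings


def build_sample_tree(root):
    """Constructed fixture: a tiny WordPress-like layout with one planted file. Not real plugin code."""
    files = {
        "wp-includes/class-phpmailer.php":
            "<?php\n// stand-in for PHPMailer's mail transport\n"
            "function mailSend($to, $subject, $body, $headers) {\n"
            "    return mail($to, $subject, $body, $headers);\n}\n",
        "wp-content/plugins/events-plugin/lib/mail.php":
            "<?php\n// plugin code using the WordPress abstraction\n"
            "function notify($to) {\n    return wp_mail($to, 'Booking confirmed', 'See you there');\n}\n",
        "wp-content/plugins/events-plugin/lib/widgets/config.php":
            '<?php eval(base64_decode("ZWNobyAnaGknOw==")); '
            'mail($_POST["to"], $_POST["subject"], $_POST["body"], $_POST["headers"]);\n',
        "wp-content/uploads/2014/image.php":
            "<?php\n// a PHP file where only media should live\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    for dirpath, dirs, _files in os.walk(root):  # normalise every directory, then loosen one
        for d in dirs:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)


def demo():
    """Build the fixture in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    build_sample_tree(root)
    return scan(root)


if __name__ == "__main__":
    for path, flags in sorted(demo().items()):
        print(f"{path}: {', '.join(flags)}")
```

Pointed at a real document root (`scan("/srv/data/web/vhosts/example/htdocs")`), the same checks list the foreign mailer alongside the directories that let it be written; a clean install returns nothing but perhaps the uploads directory, which is the one WordPress genuinely needs writable and therefore the one to deny PHP execution in at the web-server level.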