
Kinda important: Spam being sent through wp-comments-post.php (8 posts)

  1. Farms2
    Member
    Posted 15 years ago #

    Eeek, am having a bit of trouble with spam email being sent through wp-comments-post.php on WPMU 1.0 - see below for description from my hosts:

    ---------------------------------------------

    YESTERDAY: "================================================
    server: server.edublogs.org
    domain: edublogs.org
    script: /home/edublogs/public_html/wp-comments-post.php

    action: script disabled, mail queue cleaned
    reason: gay porno spam

    additional info: ~12.000 emails were injected into the mail queue, spam examples with full headers are located under /root/spam/1/ folder.
    ================================================"

    TODAY: "It looks like spam is being sent out of your server using the following script: /home/edublogs/public_html/wp-comments-post.php script

    There are ~20.000 emails about casino/poker which caused server load to go up to 50. The reason we suspect it's spam is because the email addresses that the message is being sent to are Some_Garbage_Symbols@domain.com (like mru6v3r82@sixthcoyb.com for example)."

    ---------------------------------------------

    Now... I have *no* idea how this could be being caused apart from a sneaking suspicion that subscribe to comments 2.0 (in mu-plugins) could have a role to play... as that (I think) invokes email 'stuff' - to use the technical term ;) - in the comments area.

    Has anyone else experienced this, does anyone have any advice?

    Cheers, James

  2. lunabyte
    Member
    Posted 15 years ago #

    How old is your version? That might be an issue?

    Although I'm not sure how someone could inject THAT much to it.

    It would have to be a bot, going directly to the source. Which shouldn't be allowed?

    The quickest thing would be to add some sort of captcha, which definitely prevents auto-posting directly to that file.

    There can be several other possibilities through session vars as well. Setting one in the comments file (or adding it in through a hook), and then modifying wp-comments-post.php to verify the session var. There isn't anything passed that can be read in the source, and it's tied to the user's session, so it would probably work. No session var generated from the comment page loading, no posting of anything.

    If it's a bot going directly to that file, then there wouldn't be a session var set.

  3. Farms2
    Member
    Posted 15 years ago #

    WPMU 1.0 plus patches.

    What should my permissions be on public_html again (dozy question I know but just want to double check)?

  4. lunabyte
    Member
    Posted 15 years ago #

    755

    If it's being exploited, dig in the logs and see what you can find. Also, might wanna bring it to Donncha's attention, and Matt as well. They have a special security related submission thing for things like that. Even without specific initial details, as soon of a heads up as possible would be better I'd think.

    Then again, it may have been something that was fixed between October and January as well.

    I'd at least make a backup copy of that file locally, then update that file with the most current one from trac. If you already have it, then code up that session variable thing as a quick and temporary fix.

    If you need some help with it, drop me an email.
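
A way to test the "bot going directly to that file" idea from posts 2 and 4 against the web server access log, as an added example that is not code from the thread or from WordPress. It assumes Apache combined log format; the log lines, IP addresses, dates and the `triage` helper are constructed for illustration.

```python
import re
from collections import defaultdict

TARGET = "/wp-comments-post.php"  # script named in the host's report

# Constructed sample lines (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2006:03:14:01 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 - "-" "-"
198.51.100.7 - - [01/Jan/2006:03:14:01 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 - "-" "-"
198.51.100.7 - - [01/Jan/2006:03:14:02 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 - "-" "-"
198.51.100.7 - - [01/Jan/2006:03:14:02 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 - "-" "-"
203.0.113.20 - - [01/Jan/2006:09:00:10 +0000] "GET /2006/01/hello/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Jan/2006:09:02:31 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://blog.example/2006/01/hello/" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2006:11:30:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

# client, method, path, referer from one combined-format line
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)"')

def triage(log_text, min_posts=3):
    """Return per-client counts for clients with at least `min_posts`
    POSTs to TARGET made before that client ever fetched a page."""
    loaded_page = set()  # clients that have issued a GET for some page
    stats = defaultdict(lambda: {"posts": 0, "direct": 0, "no_referer": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        ip, method, path, referer = m.groups()
        path = path.split("?", 1)[0]
        # endswith() also covers path-based blogs: /blogname/wp-comments-post.php
        if method == "GET" and not path.endswith(TARGET):
            loaded_page.add(ip)
        elif method == "POST" and path.endswith(TARGET):
            s = stats[ip]
            s["posts"] += 1
            if ip not in loaded_page:
                s["direct"] += 1      # no comment form was ever loaded
            if referer in ("", "-"):
                s["no_referer"] += 1  # browsers normally send the post URL
    return {ip: dict(s) for ip, s in stats.items() if s["direct"] >= min_posts}

if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        print(ip, s)
```

Matching on client IP is a heuristic: users behind a shared proxy and browsers that strip referers can skew the counts, so treat the output as a list of clients to look at, not proof.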

  5. Farms2
    Member
    Posted 15 years ago #

    Thanx - I'll carry on looking at this and see what I can work out.

    James

  6. lunabyte
    Member
    Posted 15 years ago #

    Okie dokie.

  7. donncha
    Key Master
    Posted 15 years ago #

    Have you updated Subscribe to Comments? What happened to you is rather serious! Looks like that plugin is up to 2.1 now - http://txfx.net/code/wordpress/subscribe-to-comments/

  8. Farms2
    Member
    Posted 15 years ago #

    Yeh - I think it was the new version... I've just wiped it to be safe.... we shall see!
