This morning I just found that my cPanel server sent me a notice by email saying there is a new uploaded CGI/script file trying to use the sendmail function. The file is data_.php
This related to one of my website that I have not been updating recently, so I quickly ftp into my server and check it.
I found that this data_.php script is use for GETTING HTTP POSTS from some where and then it will MAIL it out, so, my server will become the email server for the SPAMMER. Luckily I notice about it earlier now and saw this stupid spammer write different php style than me, so I can sure this is not the script that I wrote for myself (lol, I have to deal with thousand of scripts always)
I have report this to the datacentre admin, they are checking for me now that whether where is the security hole. Stay tuned!!
You must be logged in to post a comment.
Hello.
I recieved an e-mail from our server administrator this morning, that he suspended an account because it was abused by a spammer. He sent me the names of php scripts which the spammer might used to send e-mails. And one of the files was, belive it or not data_.php.
I checked the script and quickly noticed that the code wansn't written in my style. And same as in your case, the script was getting POSTS from some whre and then mailed it out using php mail function.
I was wondering if you found the security hole. Oh and by the way, the site I'm talking about is using Joomla! for it's framework.
hi Tomsi,
I have not yet found the problem. From the administrator in the datacentre told me that the script was uploaded through "ftp". I wonder is it the anonymous "ftp".
Yesterday we have 4 websites got hacked with this data_.php and we manage to stop it at once, though it already sent 4000+ emails.
I did a system and control panel software update now plus disable the anonymous "ftp" for the whole server and all accounts.
Still checking now, once found any updates will post here 😉
I had exactly the same problem a couple of weeks ago. I first thought it was happening with domains hosted in my account, but then I realised that domains hosted in other servers had been hacked too.
The only thing in common between this accounts is that they were stored with its respective passwords in my Windows CuteFTP.
Previously to this, I had to format my hard drive because of a virus. Maybe it stole the accounts information from CuteFTP and use it to spam. It is possible?
What I did is update every password and obviously delete the data_.php files.
Well, I hope we reach whatever is causing this problem.
Thanks!
hi bawd, after my post here last time, I disable the anonymous FTP (by default my webserver cpanel seems enable it) and I have no problem anymore...
I guess this is not that username and password got stolen. You better update and upgrade the server system and software, especially the Apache and PHP version if you have those 😉 good luck!!!