I have had an email from my hosting company saying that my site is being exploited to send out spam and that I need to upgrade to the latest version. However, I am running Drupal 5.1 with the latest versions of any modules I have installed. It's not even down to having any old files left over, as I deleted everything off the space and uploaded from scratch when I upgraded from 4.7.5 to 5.1. Does anyone know what is or could be exploited? The email from the hosting company is below.
Hello Adam,
Please upgrade your drupal. It has been repeatedly exploited by spammers to send out spam.
Mainly due to old version of your xmlrpc.php
Please upgrade immediately.
Thank you!
John
JavaPipe
Here is evidence of email bounced back with online drugstore spam:
244P Received: from [84.40.23.88] (helo=www.daihatsu-drivers.co.uk)
by secure02.dhserver.net with esmtpa (Exim 4.63)
(envelope-from <trashcan@daihatsu-drivers.co.uk>-)
id 1HwqW6-0003VA-P7
for imck0311@yahoo.co.uk; Fri, 08 Jun 2007 20:17:26 -0600
037 Date: Fri, 8 Jun 2007 20:17:26 -0600
045* Return-Path: trashcan@daihatsu-drivers.co.uk
025T To: imck0311@yahoo.co.uk
062F From: Daihatsu Drivers Club <trashcan@daihatsu-drivers.co.uk>
058 Subject: [Daihatsu Drivers Club] Account removed
074I Message-ID: <30a67cc8bf88969dfc2ccc0d62299078@www.daihatsu-drivers.co.uk>
014 X-Priority: 3
035 X-Mailer: PHPMailer [version 1.73]
008 Array:
018 MIME-Version: 1.0
032 Content-Transfer-Encoding: 8bit
042 Content-Type: text/plain; charset="utf-8"
1HwrK6-0004qD-JV-D
<html>
<body>
Good morning!<br><br>
Please check our new Canadian drugstore and find all the meds available with great prices.<br><br>
- alI the meds are FDA approved!<br>
- low prices<br>
_______________________
John Larsen
Storm's i Solutions, LLC.
http://www.stormsi.com
http://www.javapipe.com
----------------------------------------
The ID of my xmlrpc.php file is // $Id: xmlrpc.php,v 1.15 2005/12/10 19:26:47 dries Exp $ which matches the one shipped with Drupal.
Comments
Alerting others
I'll post this to the experts.
Nancy W.
Drupal Cookbook (for New Drupallers)
Adding Hidden Design or How To notes in your database
NancyDru
More detail
More detail would be helpful. The example has nothing that points to Drupal, but there is a line referring to phpMailer, which is not part of Drupal. What modules did you install that might have included phpMailer?
Did you examine your raw server logfiles to see whether XMLRPC was actually being invoked?
If you're not using the XMLRPC blogging interface, you can safely remove that file.
I use the smtp.module, which sends all Drupal emails through authenticated SMTP and uses phpMailer. I have just looked through the raw logs, and xmlrpc.php only gets invoked once, by 140.211.166.61, which is fine.
Looking at the raw logs and the timestamp on the example email, it was triggered by cron.php running. The modules I currently have running are as follows.
The subject line of the example email looks the same as the one the inactive user module uses. I have disabled it until I get any other suggestions.
Looking through Drupal to see what's been happening user-wise, as nothing spectacular was jumping out in the raw logs. The Drupal logs show bursts of the same user logging in at the same time from different IPs, resolving to different addresses all around the world. Some examples, which happened in the space before the cron run that seemed to send the mail:
Type user
Date Saturday, 9 June, 2007 - 00:34
User qwyghxh
Location http://www.daihatsu-drivers.co.uk/node/3987?destination=node%2F3987
Referrer http://www.google.com/
Message Session opened for qwyghxh.
Severity notice
Hostname 72.15.94.88
Type user
Date Saturday, 9 June, 2007 - 00:33
User qwyghxh
Location http://www.daihatsu-drivers.co.uk/node/3003?destination=node%2F3003
Referrer http://www.google.com/
Message Session opened for qwyghxh.
Severity notice
Hostname 68.200.115.227
Type user
Date Saturday, 9 June, 2007 - 00:33
User qwyghxh
Location http://www.daihatsu-drivers.co.uk/classifieds/forsale?destination=ed-cla...
Referrer http://www.google.com/
Message Session opened for qwyghxh.
Severity notice
Hostname 210.131.1.71
I also have a block a couple of hours earlier with 15 all in one go, from different IPs. I have also now blocked that user as a precaution, to slow things down if they were using a user login to help use whatever exploit they are using.
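As an added example (not code from the thread), the pattern described above turned into a check: a small Python script that parses watchdog entries in the flattened layout quoted above and flags any account that opens sessions from several distinct IPs inside a short window. The sample log text is constructed and uses RFC 5737 test addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the flattened watchdog layout quoted in the thread
# (Location, Referrer and Severity lines omitted; the parser tolerates them).
SAMPLE_LOG = """\
Type user
Date Saturday, 9 June, 2007 - 00:33
User qwyghxh
Message Session opened for qwyghxh.
Hostname 198.51.100.7
Type user
Date Saturday, 9 June, 2007 - 00:33
User qwyghxh
Message Session opened for qwyghxh.
Hostname 203.0.113.10
Type user
Date Saturday, 9 June, 2007 - 00:34
User qwyghxh
Message Session opened for qwyghxh.
Hostname 192.0.2.5
"""

def parse_watchdog(text):
    """Split the flattened export into dicts; each 'Type' line starts a new entry."""
    entries, cur = [], None
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if key == "Type":
            cur = {}
            entries.append(cur)
        if cur is not None:
            cur[key] = value
    return entries

def find_distributed_logins(text, window_minutes=5, min_hosts=3):
    """Flag accounts whose sessions open from >= min_hosts distinct IPs within one
    window: one credential used from many hosts at once looks like a botnet."""
    by_user = defaultdict(list)
    for e in parse_watchdog(text):
        if e.get("Type") == "user" and e.get("Message", "").startswith("Session opened"):
            when = datetime.strptime(e["Date"], "%A, %d %B, %Y - %H:%M")
            by_user[e["User"]].append((when, e["Hostname"]))
    span = timedelta(minutes=window_minutes)
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= span}
            if len(hosts) >= min_hosts:
                flagged.setdefault(user, set()).update(hosts)
    return {u: sorted(h) for u, h in flagged.items()}
```

Run against a full watchdog export, the returned hosts are the list to feed into the iptables or .htaccess deny rules discussed further down the thread.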
Contact spam
This may be contact module spam. If you enable the Drupal contact module, you have to keep a pretty close eye on user registrations.
The 'user' qwyghxh is a bot, probably a botnet running on virus-infected Windows PCs. Botnet attacks are increasing in frequency and severity. Even when they don't succeed, they can consume significant resources and drag your site to a near-halt.
If you have control of the server, you should find all the IP addresses from which the attack has been mounted and block them using iptables rules. If you do not have root access, you should try the same approach using additions to the .htaccess file. See http://drupal.org/node/150550 for some examples.
Also, it may help to forbid creation of accounts based on some email rules, blocking all .info, .biz and Russian freemail hosts.
Contact module and spam
Yes, we also had similar problems with spam being sent via our contact module. We exposed the public site-wide contact form, but unfortunately forwarding the messages to our own email address resulted in blocked outgoing mail (by the ISP) without notice. Finally we solved the situation by patching the contact.module to send site-wide contacts to the admin's private messages (and no copy elsewhere - first of all!). We're on 4.7.3, but the spam issue is not version-related, I think.
But, looking at your list above, the contact module seems not to be there?
contact.module isn't enabled, though....
Hi,
There are more than 1 million pages about qwyghxh on Google. It must be a bot. Most of them are user profiles on different websites, a lot of them Drupal based.
Read this also: http://drupal.org/node/146176
Good luck
Inaemailsend-activex & cgint.exe
I have noticed that about the same time qwyghxh (was sdail.biz, now czups.info) Spam attacks started occurring, that the Admin log also had multiple new "page not found" occurrences. Many logs had “inaemailsend-activex”, which is a product by Inabyte that can send mail via an SMTP Server. I also noticed an executable file “cgint.exe” which Google search indicates it seems to generate newsletters.
If anyone knows anything about these programs and methods to combat, please reply.
Are Akismet and http:bl not working? I'm seeing this from Drupal for the first time, so I've been looking at my sites, but they don't appear to be affected yet.
Akismet won't catch whoever or whatever is using whatever flaw is in my site to send out emails. Even with the inactive user module disabled, the user qwyghxh blocked, and xmlrpc.php deleted, my site suddenly sent out tons of email at the cron.php run at 14:15 GMT.
New contributed module
There is a relatively new contributed module called Gotcha that helps to block contact form spam.