• Is there a new email injection vulnerability? A new batch of spam recently started flowing through our server, and not getting caught by our filters. Some email log analysis yielded two data points:
    – the spam was originating from our web server process
    – the spam had from: containing the domain name of one of our WordPress sites
    Pretty obvious conclusion: somebody found a way to inject email through our WordPress installation

    Looks like this is still happening after upgrading from 3.3 to 3.3.3

    Is this a known vulnerability? Any suggestions?

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Try scanning your site: https://sucuri.net/

    See if Sucuri catches anything on your site.

    Thread Starter mfidelman

    (@mfidelman)

    Doesn’t find anything. Whatever is doing this seems to be POSTING something to / , and it ends up passed to postfix/pickup. After turning off the site for a while, the attacker seems to have gone away. If it comes back, I’ve turned on Apache’s DumpIOInput module to capture the post data – but right now, I have no further insight into what’s going on, other than that there is a vulnerability of some sort.

    I would upgrade to the latest version of WordPress, see if it’s still happening, and if it is, contact your web host to see if they can help figure out what’s going on.

    Thread Starter mfidelman

    (@mfidelman)

    Umm… HAVE upgraded (see initial post), still happening. I AM my hosting provider.
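
Added example, not part of the original thread or any poster's code: one way to check the observation above that POSTs to / end up in postfix/pickup, by matching pickup entries submitted under the web server's uid against POST requests seen a few seconds earlier. The log lines are constructed, and uid 33, the year 2012, the 5-second window and both logs sharing a timezone are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread); uid 33 is assumed to be the web server user.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2012:04:10:01 +0000] "POST / HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [12/Mar/2012:04:10:30 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:04:12:15 +0000] "POST / HTTP/1.1" 200 512 "-" "-"
"""
MAIL_LOG = """\
Mar 12 04:10:02 web1 postfix/pickup[2211]: 3F2A1C0042: uid=33 from=<www-data>
Mar 12 04:11:00 web1 postfix/pickup[2211]: 7B9D0C0043: uid=1000 from=<alice>
Mar 12 04:12:16 web1 postfix/pickup[2211]: 9C41EC0044: uid=33 from=<www-data>
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) [^"]*" (\d{3})')
PICKUP_RE = re.compile(
    r'^(\w{3} +\d+ [\d:]{8}) \S+ postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>')

def parse_posts(text):
    """Return (timestamp, client_ip, path) for every POST in an Apache combined log."""
    posts = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            posts.append((ts, m.group(1), m.group(3)))
    return posts

def parse_pickups(text, year, web_uid):
    """Return (timestamp, queue_id) for local submissions made by the web server uid."""
    pickups = []
    for line in text.splitlines():
        m = PICKUP_RE.match(line)
        if m and int(m.group(3)) == web_uid:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog has no year
            pickups.append((ts, m.group(2)))
    return pickups

def correlate(access_text, mail_text, year=2012, web_uid=33, window=5):
    """For each web-uid pickup, list the POSTs seen in the preceding `window` seconds."""
    posts = parse_posts(access_text)
    limit = timedelta(seconds=window)
    return [(qid, [(ip, path) for pts, ip, path in posts if timedelta(0) <= ts - pts <= limit])
            for ts, qid in parse_pickups(mail_text, year, web_uid)]

if __name__ == "__main__":
    for qid, candidates in correlate(ACCESS_LOG, MAIL_LOG):
        print(qid, candidates)
```

A queue ID with an empty candidate list means the message was submitted by the web server user without a nearby POST, which points away from the web request path (for example toward a cron job or a shell process).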

  • The topic ‘email injection – help!’ is closed to new replies.