• Hi. I’ve been running subscribe2 for several years. Last week spammers were able to use the executable to spew 25,000 junk mails from our server using the exim mail utility. Here is an entry from the /var/log/exim_mainlog:

    2015-08-06 07:41:00 cwd=/home/gowhn/public_html/blog-subdir/wp-content/plugins/subscribe2 4 args: /usr/sbin/sendmail -t -i [email protected]
    2015-08-06 07:41:00 1ZNLPo-0002rw-6Q <= [email protected] U=gowhn P=local S=1415 [email protected] T="Re:Adorable blonde strips spreads" from <[email protected]> for [email protected]

    Please evaluate the security vulnerability by assuring that it is WordPress that is calling the script, or preventing the script from activation from the mail via naked SMTP with a cmd= parameter.

    Presentation of the arguments to the script enabled the script to run, and then stuffed my mail server with messages at the whim of the calling program. All the hacker had to do was “guess” the directory where subscribe2 was installed. Subscribe2 was disabled at the time the exploit occurred.

    https://www.ads-software.com/plugins/subscribe2/

Viewing 1 replies (of 1 total)
  • @squibm

    As far as I can tell, none of the core Subscribe2 files can be called directly, as they employ the recommended WordPress security fail-safes of ensuring WordPress is running first.

    Additionally, all email functionality within Subscribe2 is performed via the core WordPress wp_mail() function, so any attempt to directly call the plugin files would fail if WordPress has not been called, as the core functions wouldn’t be available.

    I suspect your site was compromised some other way and the spammers had access to the admin area of your site at the time of the email creation.
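Whichever way the mailer was reached, the exim_mainlog lines the original poster quoted are what a server admin has to triage: with the `+arguments` log selector enabled, exim records a `cwd=... args:` line for each locally piped sendmail call, followed by the `<=` receipt line for the message it produced. The script below is an added example, not code from this thread or from the Subscribe2 plugin. It pairs each `<=` line with the preceding `cwd=` line, counts messages per working directory, and flags directories that sit under a web root (the `WEB_DIR_MARKERS` heuristic and the message threshold are assumptions to tune for your host) and have produced many messages. The log lines in `SAMPLE_LOG` are constructed placeholders in the same format as the poster's entries, not real data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the exim_mainlog format quoted in the thread.
# Paths and addresses are placeholders, not real data.
SAMPLE_LOG = """\
2015-08-06 07:41:00 cwd=/home/example/public_html/blog/wp-content/plugins/subscribe2 4 args: /usr/sbin/sendmail -t -i bulk@example.net
2015-08-06 07:41:00 1ZNLPo-0002rw-6Q <= bulk@example.net U=example P=local S=1415 T="Re: offer" from <bulk@example.net> for victim1@example.org
2015-08-06 07:41:01 cwd=/home/example/public_html/blog/wp-content/plugins/subscribe2 4 args: /usr/sbin/sendmail -t -i bulk@example.net
2015-08-06 07:41:01 1ZNLPp-0002rx-7R <= bulk@example.net U=example P=local S=1402 T="Re: offer" from <bulk@example.net> for victim2@example.org
2015-08-06 07:41:02 cwd=/home/example/public_html/blog/wp-content/plugins/subscribe2 4 args: /usr/sbin/sendmail -t -i bulk@example.net
2015-08-06 07:41:02 1ZNLPq-0002ry-8S <= bulk@example.net U=example P=local S=1399 T="Re: offer" from <bulk@example.net> for victim3@example.org
2015-08-06 07:45:10 cwd=/var/spool/cron 3 args: /usr/sbin/sendmail -t root
2015-08-06 07:45:10 1ZNLTx-0002sa-9T <= root@localhost U=root P=local S=500 T="cron output" from <root@localhost> for root@localhost
"""

# "cwd=<dir> <n> args: <argv>" line written by exim's +arguments log selector.
CWD_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) cwd=(?P<cwd>\S+) '
    r'(?P<argc>\d+) args: (?P<args>.*)$'
)
# "<=" message receipt line; the lazy .*? skips any id=... field before T=.
MSG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) '
    r'U=(?P<user>\S+) P=(?P<proto>\S+) S=(?P<size>\d+).*?'
    r'T="(?P<subject>[^"]*)" from <(?P<from>[^>]*)> for (?P<rcpt>.+)$'
)

# Assumption: directories containing these fragments are web-application trees,
# where a sendmail pipe normally means a PHP process, not a system daemon.
WEB_DIR_MARKERS = ("/public_html/", "/wp-content/", "/htdocs/", "/www/")


def looks_like_web_dir(path):
    """True if the working directory looks like it belongs to a web app."""
    return any(marker in path for marker in WEB_DIR_MARKERS)


def parse_exim_mainlog(text):
    """Yield (cwd_record_or_None, message_record) for each local submission.

    Assumes, as in the poster's log, that the cwd line immediately precedes
    the '<=' line of the message it produced.
    """
    last_cwd = None
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.groupdict()
            continue
        m = MSG_RE.match(line)
        if m and m.group("proto") == "local":
            yield last_cwd, m.groupdict()
            last_cwd = None


def triage(text, threshold=3):
    """Aggregate local submissions per working directory and flag web-dir floods.

    Returns {cwd: {"messages", "recipients", "subjects", "users", "suspicious"}}.
    """
    stats = defaultdict(lambda: {"messages": 0, "recipients": set(),
                                 "subjects": Counter(), "users": set()})
    for cwd_rec, msg in parse_exim_mainlog(text):
        cwd = cwd_rec["cwd"] if cwd_rec else "(unknown)"
        entry = stats[cwd]
        entry["messages"] += 1
        entry["recipients"].add(msg["rcpt"])
        entry["subjects"][msg["subject"]] += 1
        entry["users"].add(msg["user"])
    report = {}
    for cwd, entry in stats.items():
        # A web-app directory pushing many messages (often one repeated subject
        # to many distinct recipients) is the pattern described in the thread.
        entry["suspicious"] = looks_like_web_dir(cwd) and entry["messages"] >= threshold
        report[cwd] = entry
    return report


if __name__ == "__main__":
    for cwd, entry in triage(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} {entry['messages']:5d} msgs  {len(entry['recipients']):4d} rcpts  "
              f"users={sorted(entry['users'])}  top subject={entry['subjects'].most_common(1)}  {cwd}")
```

Run it against a real `/var/log/exim_mainlog` by replacing `SAMPLE_LOG` with the file contents; the flagged `cwd` tells you which directory the PHP process was executing in, which is the first thing to compare against the plugin's own files and any unexpected ones dropped next to them.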

  • The topic ‘Spam Attack Vulnerability’ is closed to new replies.