
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


*URGENT* index.php file unsecure and used to send SPAM - site DOWN

March 18, 2009 5:48pm

  • #16 / Mar 20, 2009 11:06am

    Ingmar

    29245 posts

    Well, that’s good, actually. Can you ask your host to elaborate on the “spam” connection? From what we’ve seen so far this looks more like an automated scanning for vulnerable files or a known exploit in some application that also uses an index.php file. If that is the case, this would be a false alarm: even though somebody did try to exploit your index.php, EE would only have given them

    Invalid GET Data - Array

    . The logs only show that a “200” status was returned, which would be consistent with this hypothesis.

    If, on the other hand, they have evidence or proof that actual (spam) email was sent using that file, this would change things. Please ask them to clarify.

  • #17 / Mar 23, 2009 9:34pm

    deckard97

    137 posts

    Here’s the reply from MediaTemple:

    Unfortunately, we do not have a specific spam email available as evidence. We sent this notice because your domain was exceeding the 500 email/hour limits on the (gs)Grid-Service, and a scan of your logs turned up this evidence of attack. After disabling your script we found that you were no longer sending email at a rate beyond this limit.

    If you have a newsletter or something similar scheduled to be sent by your Expression Engine application then please make sure to stay within our published limits for shared email services. Please visit http://kb.mediatemple.net/questions/66/ to learn more about the outgoing email limits.

    If you do not expect your Expression Engine to be sending mail then it is most definitely sending spam. Please ask the developers to dig a little deeper.

    500 e-mail an hour? This should be 0.

  • #18 / Mar 23, 2009 10:26pm

    Greg Aker

    6022 posts

    can you ask them if they can show you logs for evidence of the emails going out?

    Also, have you had a chance to update ExpressionEngine yet?

  • #19 / Mar 24, 2009 1:47am

    Derek Jones

    7561 posts

    Do you have commenting, forums, tell-a-friend, or contact forms on your site?  Or has someone sent emails via the Communicate tab in the control panel?  Your best bet to track this down is going to be from the email logs, as Greg suggests.

  • #20 / Mar 25, 2009 3:24pm

    deckard97

    137 posts

    Do you have commenting, forums, tell-a-friend, or contact forms on your site?  Or has someone sent emails via the Communicate tab in the control panel?  Your best bet to track this down is going to be from the email logs, as Greg suggests.

    Commenting, Mailing-list, tell-a-friend are not used anywhere on the site, forums is not installed and there are no contact forms either.

    Here’s a reply from MT:

    Yes, lacaserne.net was monitored sending over 500 emails an hour. The only logs available are the access logs, located in the /logs directory. Generally, system administrators would be able to grep the exim logs when the spam is being sent however since this is no longer happening, we have little to go on. When the permissions were set to 200 on the index.php and the spam stopped, we can infer that the spam was being sent using this index page.

    I should be able to update within the next two weeks.

    Thanks

  • #21 / Mar 25, 2009 3:46pm

    Ingmar

    29245 posts

    Generally, system administrators would be able to grep the exim logs when the spam is being sent however since this is no longer happening, we have little to go on.

    Hm, does that mean they aren’t keeping any logs? Well, not much we can do about it. In fact the only piece of advice I can give you at this point, really, is to upgrade to the latest version with due haste, and keep an eye on things. Also, since you are not sending any mail, ask your host to notify you immediately (and keep server logs!) if they think it’s happening again; let us know without further delay in this case.
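    Added example, not from this thread and not EllisLab's or MediaTemple's code: the kind of check a host (or a site owner with shell access) can run over an exim main log to catch the "more than 500 messages an hour" condition while it is happening, rather than reconstructing it afterwards from access logs. The log lines are constructed; their layout follows exim's mainlog, where `<=` marks a message accepted for delivery (a PHP mail() call through sendmail shows up this way, with U=www-data P=local) and `=>` marks a delivery attempt, which must not be counted. The 500 limit and the log path are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from EllisLab): flag the hours in which
# an exim main log accepted more messages than LIMIT. Log lines below are
# constructed; the format follows exim's mainlog, where "<=" is a message
# accepted for delivery and "=>" a delivery attempt.

LIMIT=${LIMIT:-500}   # the per-hour limit quoted by the host in this thread

# Print "YYYY-MM-DD HH count" for every hour, counting only "<=" (accepted) lines.
# Fields: $1 date, $2 time, $3 message id, $4 direction marker.
sends_per_hour() {
    awk '$4 == "<=" { split($2, t, ":"); key = $1 " " t[1]; n[key]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Print only the hours whose accepted-message count exceeds LIMIT.
hours_over_limit() {
    sends_per_hour "$1" | awk -v lim="$LIMIT" '$3 > lim'
}

# Constructed sample log: 3 messages in the 13:00 hour (normal), 600 in the
# 14:00 hour (a burst from the web server user), plus one "=>" delivery line
# that must be ignored by the counter.
make_sample_log() {
    smp=$(mktemp)
    i=0
    while [ "$i" -lt 3 ]; do
        printf '2009-03-25 13:%02d:00 1LmPqR-0000Xy-%02d <= www-data@host.invalid U=www-data P=local S=412\n' \
            "$i" "$i" >> "$smp"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 600 ]; do
        printf '2009-03-25 14:%02d:%02d 1LmPqR-0003Xy-%03d <= www-data@host.invalid U=www-data P=local S=412\n' \
            $((i / 10)) $((i % 10)) "$i" >> "$smp"
        i=$((i + 1))
    done
    echo '2009-03-25 14:05:00 1LmPqR-0003Xy-005 => someone@example.invalid R=dnslookup T=remote_smtp' >> "$smp"
    echo "$smp"
}

# Usage: sh mailrate.sh /var/log/exim/mainlog   (path is an assumption)
if [ -n "${1:-}" ]; then
    hours_over_limit "$1"
fi
```

Run against the sample, the only line printed is `2009-03-25 14 600`; run from cron every few minutes against the live log, that line is the alert the host could have sent while the burst was still going on. Counting `<=` rather than `=>` matters: one accepted message with many recipients produces several delivery lines and would otherwise inflate the rate.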

  • #22 / Mar 25, 2009 3:49pm

    Derek Jones

    7561 posts

    That includes replacing the index.php file with a fresh copy from the most recent download, in case yours was somehow compromised.
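    Added example, not EllisLab's code and not part of the thread: replacing index.php with a fresh copy only helps if you also know which other files differ from the download. This script walks the deployed site and a pristine tree extracted from a fresh download, hashes every .php file, and reports files that were modified, files present only in the deployment (where a dropped file would appear), and files missing from it. Directory layout and file contents in the sample trees are constructed; the real comparison is between your web root and the unpacked download.

```shell
#!/bin/sh
# Added example (not EllisLab's code): compare the PHP files of a deployed site
# against a pristine copy from a fresh download. Reports MODIFIED, EXTRA
# (only in the deployment) and MISSING (only in the download) files.
# The sample trees built by make_sample_trees are constructed.

# SHA-256 of one file; sha256sum (coreutils) or shasum (BSD/macOS), whichever exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage: compare_trees DEPLOYED_ROOT PRISTINE_ROOT
# Prints one line per finding, paths relative to the roots, sorted.
compare_trees() {
    dep=$1
    ref=$2
    ( cd "$dep" && find . -type f -name '*.php' ) | sort | while read -r rel; do
        if [ ! -f "$ref/$rel" ]; then
            echo "EXTRA $rel"
        elif [ "$(hash_file "$dep/$rel")" != "$(hash_file "$ref/$rel")" ]; then
            echo "MODIFIED $rel"
        fi
    done
    ( cd "$ref" && find . -type f -name '*.php' ) | sort | while read -r rel; do
        [ -f "$dep/$rel" ] || echo "MISSING $rel"
    done
}

# Constructed sample: a deployment whose index.php differs from the download and
# which carries one file the download does not have; system/core.php matches.
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/site/system" "$base/fresh/system"
    printf '<?php /* pristine index */\n'  > "$base/fresh/index.php"
    printf '<?php /* pristine core */\n'   > "$base/fresh/system/core.php"
    printf '<?php /* pristine core */\n'   > "$base/site/system/core.php"
    printf '<?php /* tampered index */\n'  > "$base/site/index.php"
    printf '<?php /* not in download */\n' > "$base/site/dropped.php"
    echo "$base"
}

# Usage: sh verify_tree.sh /var/www/site /tmp/ExpressionEngine-fresh   (paths are assumptions)
if [ -n "${2:-}" ]; then
    compare_trees "$1" "$2"
fi
```

On the sample trees it prints `EXTRA ./dropped.php` and `MODIFIED ./index.php`, and nothing for system/core.php. Any MODIFIED line other than files you edited on purpose (config, templates) deserves a look before the fresh copy overwrites it, since the diff is the only record of what was changed; EXTRA files under a directory that should contain nothing of yours are the more worrying finding.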

  • #23 / Mar 31, 2009 12:07am

    deckard97

    137 posts

    Just updated to 1.6.4 and will update to 1.6.7 as soon as my client renews its support license.

  • #24 / Mar 31, 2009 2:01am

    John Henry Donovan

    12339 posts

    deckard97,

    Thanks for the update. I will close this for now. If you run into any issue with your upgrade please feel free to start a new thread and as Ingmar says, let us know without further delay if this behaviour appears again.
