
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour




2013/12/12 Lukasz Szybalski <szybalski@gmail.com>


Hello,
Which says:

With these in place your emails will have the following headers

X-PHP-Originating-Script: 33:ok.php
The 33 is the UID, the ok.php was the script sending me the spam.

So I did
mailq
#then to display one of the emails:
postcat -vq A2729AE31F
....
#I found the X-PHP-Originating-Script:

X-PHP-Originating-Script: 33:checkoutDj4.php
#then
updatedb
locate checkoutDj4.php

and here it is:
/usr/share/wordpress/wp-content/themes/itheme/checkoutDj4.php

I deleted this file and others that were created there on Dec 5th. Now how were they able to save a file in there?

They've uploaded the script using a bug/hole in wordpress (google around for your version and you will surely find a security report by the wordpress community).
Same thing happened to a colleague of mine using an outdated joomla release.

www-data should not have write permission on every folder. BTW, it's a common (quite safe) practice to throw a chmod -R 750 on top of your site's document root.

Back to the point, you can block or limit POST requests on a directory basis using apache .htaccess with mod_rewrite, so nobody can upload and execute scripts in your folders.

In your case, put this in an .htaccess file under /usr/share/wordpress/wp-content/themes/

RewriteEngine On
# If the request method is POST and the client address is neither localhost
# nor in the 10.x LAN, redirect it to the website's root (Apache only accepts
# comments on their own line, and the address patterns must be anchored)
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{REMOTE_ADDR} !^10\.
RewriteRule ^ / [R,L]

/raffaele
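The mailq / postcat / X-PHP-Originating-Script triage quoted above, turned into a small shell helper that tallies the header across queued messages and finds the matching file under the document root. This is an added example, not code from either poster; the sample postcat output is constructed, and the mailq parsing in the comment assumes Postfix's default short queue IDs.

```shell
#!/bin/sh
# Added example, not code from the thread: tally the X-PHP-Originating-Script
# headers found in Postfix queue files so the script behind a spam run is
# identified in one pass instead of reading queue entries one by one.

# Read postcat output on stdin; print "<count> <uid>:<script>" lines, busiest
# first. Header names are matched case-insensitively and CR characters dropped.
php_originating_scripts() {
    tr -d '\r' \
        | grep -i '^X-PHP-Originating-Script:' \
        | sed 's/^[^:]*:[[:space:]]*//' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Split a header value such as "33:checkoutDj4.php" into its UID and basename.
php_script_uid()  { printf '%s\n' "$1" | cut -d: -f1; }
php_script_name() { printf '%s\n' "$1" | cut -d: -f2-; }

# List every file with that basename below a document root. Uses find rather
# than updatedb/locate so the result is current, not as of the last index run.
find_script_copies() {  # $1 = document root, $2 = script basename
    find "$1" -type f -name "$2" 2>/dev/null
}

# Constructed sample of what 'postcat -q <ID>' prints, stripped to the header
# lines that matter here (four queued messages, two different scripts).
SAMPLE='*** ENVELOPE RECORDS A2729AE31F ***
*** MESSAGE CONTENTS A2729AE31F ***
To: victim@example.invalid
X-PHP-Originating-Script: 33:checkoutDj4.php
*** MESSAGE CONTENTS B3830BF420 ***
X-PHP-Originating-Script: 33:checkoutDj4.php
*** MESSAGE CONTENTS C4941CA531 ***
X-PHP-Originating-Script: 33:ok.php
*** MESSAGE CONTENTS D5052DB642 ***
x-php-originating-script: 33:checkoutDj4.php'

# Demo on the constructed sample. Against a live Postfix queue, replace the
# printf with (assumes default short hex queue IDs in mailq output):
#   mailq | awk '/^[0-9A-F]+[*!]?[[:space:]]/ { sub(/[*!]$/, "", $1); print $1 }' \
#     | while read -r id; do postcat -q "$id"; done
printf '%s\n' "$SAMPLE" | php_originating_scripts | while read -r count value; do
    echo "$count message(s) from UID $(php_script_uid "$value") via $(php_script_name "$value")"
done
```

Once the busiest script name is known, run find_script_copies against the web root (here /usr/share/wordpress) and check each hit's ctime against the dates of the other dropped files.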
