Jamit Software Forum

Jamit Job Board Customers => User-to-User Support => Topic started by: SecureAspects on October 17, 2011, 04:52:32 am



Title: My site has been Hacked!
Post by: SecureAspects on October 17, 2011, 04:52:32 am
My site is sending out thousands of these e-mails Everything has worked fine with NO problems at all for 5 years  :

Template ID:    46
To Name:    [email protected]
To Address:    [email protected]
From Name:    Secure Aspects Group Job Board
From Address:    [email protected]
Subject:    (NEW) $134,382 on auto-pilot & only 22-years old...
Message (text)    

To: [email protected] <[email protected]>
From: Kieth  <[email protected]>

I thought you'd be interested in this page from Secure Aspects Group Job Board

Link:
http://secureaspects.com/...... [We are sorry, Jamit has censored this content because it contained SPAM links.]



Title: Re: My site has been Hacked!
Post by: Imran on October 17, 2011, 05:58:06 am
You should monitor which script is sending emails, most probably there some script which is compromised you should remove that script.


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 17, 2011, 11:05:32 am
How do I monitor and determine which script?


Title: Re: My site has been Hacked!
Post by: Imran on October 17, 2011, 12:03:51 pm
You might want to read this thread: webhostingtalk.com/showthread.php?t=128839


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 17, 2011, 12:23:45 pm
Thanks Imram, that has no application to my problem. I have tried everything including security scan, my host is doing their own security system scan and yet the emails keep generating. I have everything thing shut down at this point so no e-mails can be sent from the system.


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 17, 2011, 01:16:00 pm
Found it, phpshell script.  Dont know where it came from or how it got there, will be doing a complete system evaluation and scrub.


Title: Re: My site has been Hacked!
Post by: Imran on October 17, 2011, 02:05:12 pm
Glad your problem is solved, some times a third part script with in appropriate permissions results in downloading of unwanted scripts or we upload scripts without testing and know what they actually do.


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 17, 2011, 02:07:25 pm
Well the problem is back and it appears that the job board is being used as a mailer, the spam being sent is also addressed to non-members and emails not associated with anyone on the site, which I am hoping means that they do not have access to the DB.


Title: Re: My site has been Hacked!
Post by: CompuDave on October 17, 2011, 02:31:28 pm
It seems to be using your "Email this job" feature to send from. How many are being sent?


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 17, 2011, 02:39:40 pm
I shut that feature off and only made it available to members, there were 67 thousand emails in que and they were not addressed to members of the site, thankfully. That was last night. I disabled the smtp mailing and when I got back on this morning there were 14 thousand in que. I have been through everything on my site and it is much cleaner now than it ever was ;) I am just glad they did not get into the DB. Non registered visitors seem to legitimately use the email job feature and putting a captcha on it may be a good idea to keep it from being exploited?


Title: Re: My site has been Hacked!
Post by: Imran on October 17, 2011, 04:00:01 pm
I suggest you to put Face book Send button feature for sending jobs to user's friends, this way facebook will take care about the sending emails to friends...


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 17, 2011, 05:37:48 pm
Is that one of their developer aps?


Title: Re: My site has been Hacked!
Post by: Imran on October 17, 2011, 05:49:49 pm
You can get it here http://developers.facebook.com/docs/reference/plugins/send/
You can leave url field blank so that it picks up from address bar


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 17, 2011, 08:51:37 pm
Thats great, thanks. I am still sending out sporadic mailings and do not know how they can keep being generated.


Title: Re: My site has been Hacked!
Post by: Peter on October 18, 2011, 02:16:35 am
One of the things that will avoid this from happening is to get TRAFFIC COP and UA POLICE PRO before your site gets compromised.  ;)


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 18, 2011, 12:15:52 pm
Haha Real funny Peter. Well I got on this morning and another 58 thousand e-mails in que, There are several strange things about it, the post that it is referring to has been deleted and the template id#46 does not exist? I just don't know where else to look my next step will be to replace all the 3.6.11 files.

Template ID:    46
To Name:    [email protected]
To Address:    [email protected]
From Name:    Secure Aspects Group Job Board
From Address:    [email protected]
Subject:    Learn How I Made $537,217.96 With 100% FREE Traffic!"
Message (text)    

To: [email protected] <[email protected]>
From: Kieth  <[email protected]>

I thought you'd be interested in this page from Secure Aspects Group Job Board

Link:
http://secureaspects.com/jobboard/index.php?post_id=6421

Comments:


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 18, 2011, 12:42:30 pm
Ok I deleted the entire Mail folder in include>lib and replaced it with a fresh one that I just unzipped, so far so good, the spam instantly stopped generating. I hope that did it.


Title: Re: My site has been Hacked!
Post by: CompuDave on October 18, 2011, 12:47:59 pm
Good luck with that, hope it works.

Template #46 belongs to the Email Job function. You need to check the email_job_window.php file. You could also try removing this file if the previous attempt does not work.


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 18, 2011, 01:25:00 pm
Funny you should mention that I just removed that file and so far so good. Maybe I will try to replace it, I just don't have a good understanding of how a file like that would be corrupted?


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 18, 2011, 02:16:48 pm
I removed the email_job_window.php file and replaced it with the Face Book recommend and send buttons. So far no problems.


Title: Re: My site has been Hacked!
Post by: SecureAspects on October 19, 2011, 02:30:07 pm
No more problems, that was the file that was letting all those e-mails get sent. How frustrating makes me want to conduct extreme violence against people that do that crap.


Title: Re: My site has been Hacked!
Post by: Peter on October 20, 2011, 02:26:54 am
The soultion would be to remove the file email_job_window.php from the main directory.


Title: Re: My site has been Hacked!
Post by: steve on October 22, 2011, 02:18:29 am
Something else you can do is delete your website. Download a clean version of jamit, unzip it, upload it, then install it using the old database. I had to do this at one time. Or, if you don't want to do that just overwrite your website with a clean version.

It seems that your website has a virus in it that is doing all the maliciousness. I'm not sure, but that is what it seems like.

Make sure the computer you are working from is virus free, adware free, malware free... etc.