Joomla Website Hacked and Sending Spam Emails. How to Fix?

Joomla is a highly robust CMS with great community support. It is also highly customizable: sites running on Joomla range from personal pages to government sites. Its widespread popularity can be attributed in part to the 90+ languages it supports. However, being popular also makes it a target for spammers and hackers. Users often complain on the community forums that their Joomla site has been hacked and is sending spam. These attacks are fairly common, judging by the sheer number of affected users. Often the spam emails contain pharma ads selling Viagra. According to the book Joomla Web Security,

Servers such as yours that are hacked into are often used to sell “time” by organized criminals around the world. They are selling time on desktops and servers by the minute, hour, purpose, speed available, and other attributes. The reason for their sale is to send out SPAM (unsolicited bulk email), to use as denial of service attack points, or for any other unintended purpose.

Signs That Joomla Hacked Sending Spam

Discovery of a spam email attack typically takes hours to days. The latency arises because emails take time to propagate, so the problem is usually detected only when a recipient notifies you about the spam. In some cases the web admin finds out earlier by using online services that check whether the domain has been blacklisted for spam before sending. Certain online security solutions can also notify users well in advance of such threats.

In some cases the spam run chokes the bandwidth, and your ISP may notify you about the outflow of spam emails. The Internet has plenty of resources which maintain online spam lists. If your Joomla site has been hacked and is sending spam, your server IP will be blacklisted. Once one service blacklists you, the listing propagates through all such blacklists, and eventually search engines like Google blacklist your site for spam. Visitors might then be greeted with a page like this.

[Image: Joomla site blacklisted by Google]

After noticing the large-scale distribution of spam emails from the site, Google has listed it as an attack page, which warns users against proceeding to the site. If your site shows these symptoms, it may be because your Joomla site has been hacked and is sending spam!

Joomla Hacked Sending Spam Examples

The issue of a hacked Joomla site sending spam is fairly widespread. Multiple users complain about this issue in the community forums, and some even get reinfected! Here are a few such examples from the Joomla community forums.

[Image: forum post, Joomla hacked sending spam email example]
[Image: forum post, spam email issue]


Joomla Hacked Sending Spam: Causes

SQL Injection

The Joomla database is very often targeted, as SQL injection is common across the web; it is listed among the OWASP Top 10 vulnerabilities. Once the attacker gets hold of the database, SQL statements can be used to find the tables containing signup emails. With that list, the attacker can spam a large number of users. Therefore, it is crucial to keep the database secure.

For instance, Joomla has an extension named Jimtawl, which can be used to run a radio station on the web. However, this component was found vulnerable to SQLi. The vulnerable parameter was id. The complete URL looks like:

http://localhost/[PATH]/index.php?option=com_jimtawl&view=user&task=user.edit&id=[SQL]

The component allowed unsanitized user input, leading to SQLi. Here, by appending SQL statements after id, attackers could read the contents of the database. For example, to reveal the database version and user, the following query can be executed.

' AND EXTRACTVALUE(66,CONCAT(0x5c,(SELECT (ELT(66=66,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))-- VerAyari

The apostrophe here ends the input of the previous statement, and the AND clause that follows runs the next SQL expression, which fetches the database user, name and version. An exploit for this has already been released, and the attacker could use automated tools to speed up the attack. From here on, the attacker can search for all the emails stored in the database.

In some cases, where the SQLi allows stacked queries, the attacker can execute commands. These commands run through the database service on the local server, and through them the hacked Joomla site can start sending spam, in which case the spam originates from the local SMTP server itself. Apart from sending spam, the attacker can also use the database information to conduct other attacks on the site!

Weak Credentials

It is quite possible that the attacker brute forced the login to your SMTP server. Using default or weak passwords makes the site susceptible to these kinds of attacks. When the SMTP server is under the control of the attacker, it can lead to your Joomla site sending spam.

Open Ports

Open ports can give the site away to the attacker. SMTP uses port 25 by default; avoid exposing this port, as it is often targeted by spammers, and in some cases ISPs block it themselves. Port 587 is a better alternative, as it supports TLS encryption. Port 25 is a primary target for malware and spam: an attacker who breaks in through an open port can turn the site into a spam source, and exposing port 25 to the internet can also result in a large amount of inbound spam!

Scripts Uploads

Generally, attackers exploit the server using the known techniques given above. Then, to maximize the spam output, automation is used. PHP scripts accomplish this task very efficiently: they make a connection to the SMTP server, or in some cases directly to MX servers. A typical script would contain code like this:

[Image: obfuscated Joomla spam email script]

Clearly, code obfuscation techniques have been used. However, when this script is decoded, it translates to something like:

[Image: the decoded spam script]

As seen from the code, the script uses the eval() construct, which executes an input string as PHP code. Safe coding practices suggest avoiding eval(), as it helps attackers execute arbitrary code on the server. Moreover, code can be stored in a database and later fed to eval(), at which point the Joomla site starts sending spam. These scripts can pump out mass spam in two ways:

  1. MTA Queue Spam: The Message Transfer Agent (MTA) is responsible for delivering mail from your Joomla site to the recipient. At times the exploiting scripts inject a huge amount of spam emails into the MTA queues. This could lead to warning messages like “MTA Queue is too large!”. After reaching a certain limit, the emails may be blocked by the ISPs too. Therefore the scripts sometimes make a direct-to-MX connection.
  2. Direct to MX Spam: Direct to MX bypasses the ISP as a middle agent. It is a legitimate service which allows delivering mail directly to the recipient's Mail eXchange server, so the emails never reach the ISP's SMTP server. Scripts exploit this feature to inject spam directly at the recipient, avoiding detection in the MTA queues.
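A defender's first question after reading the above is how to find such scripts on disk. The following is an added example (not code from the original post or from Joomla) that scores PHP source for the pattern described: an eval() fed by a decoder such as base64_decode(), combined with mail-sending or socket calls and request-controlled input. The indicator weights and the sample scripts are this example's own assumptions.

```python
import re
import base64

# Decoder functions that typically wrap eval() in obfuscated mailers.
DECODERS = r"base64_decode|gzinflate|gzuncompress|str_rot13|strrev"
# (pattern, weight, reason): weights are an assumption of this example, not a standard.
INDICATORS = [
    (re.compile(r"\beval\s*\(\s*(?:%s)\s*\(" % DECODERS, re.I), 5, "eval() fed by a decoder"),
    (re.compile(r"\beval\s*\(", re.I), 2, "eval() present"),
    (re.compile(r"\b(?:mail|fsockopen|stream_socket_client)\s*\(", re.I), 2, "mail or raw socket call"),
    (re.compile(r"\$_(?:POST|GET|REQUEST)\s*\[", re.I), 1, "request-controlled input"),
]
B64_LITERAL = re.compile(r'''base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]{16,})['"]''')


def unwrap_base64(source):
    """Append the decoded form of base64 literals passed to base64_decode(),
    so that one layer of obfuscation does not hide the real payload."""
    extra = []
    for literal in B64_LITERAL.findall(source):
        try:
            extra.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64: ignore the literal
            pass
    return source + "\n" + "\n".join(extra)


def scan_php(source):
    """Score a PHP file: returns (score, [reasons]). A score of 7 or more
    (decoder-wrapped eval plus a mail primitive) deserves a manual look."""
    text = unwrap_base64(source)
    score, reasons = 0, []
    for pattern, weight, reason in INDICATORS:
        if pattern.search(text):
            score += weight
            reasons.append(reason)
    return score, reasons


# Constructed samples: an obfuscated one-line mailer and an ordinary notification script.
_inner = b"mail($_POST['to'], 'Cheap pharma', $_POST['msg']);"
SPAM_MAILER = "<?php eval(base64_decode('%s'));" % base64.b64encode(_inner).decode()
SIGNUP_NOTICE = "<?php mail($admin, 'New signup', $body);"

if __name__ == "__main__":
    for name, src in (("SPAM_MAILER", SPAM_MAILER), ("SIGNUP_NOTICE", SIGNUP_NOTICE)):
        print(name, scan_php(src))
```

Running it over a whole Joomla tree (for example with os.walk over *.php files) gives a ranked list of files to inspect rather than a verdict; legitimate extensions occasionally use eval(), so the score only prioritises review.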

Sharing Webspace

Cheap hosting can cost you heavily. The infection spreads quickly when multiple sites share the same space, so a Joomla site sending spam may have been infected by another site on the same host. This also makes it difficult to tell which site is generating the spam!


Receiving Spam Emails

Registration Spam

Scenarios where a hacked Joomla site sends spam are common, but sometimes sites themselves become targets of spam. A large number of fake signups could be directed at your site. Joomla suffered from a vulnerability where users could submit email even while the form was disabled. It was caused by a vulnerable component called com_contact, and was assigned CVE-2018-17859. By exploiting this, an attacker could submit a large number of spam emails. In that scenario, if proper checks and balances are not in place, bots can wreak havoc, automatically filling up the signup tables. In the end, it gets difficult to tell which emails are genuine signups and which ones are bots!

Apart from that, some sites enable notifications for each new signup. In that case, signup spam generates multiple notifications, and if these reach a certain limit, the service provider will flag them as spam, blocking your account and preventing new signup notifications. Notifications may also be generated when the site is under attack, and when the limit is exceeded the same thing happens.

Non-Delivery Reports Spam

The SMTP protocol is designed in such a way that the “From” and “To” fields can be set by anyone, even normal users. Spammers routinely exploit this by putting your domain in the “From” field. This is done in the following way:

  • Step 1: The bot generates a list of fake emails (addresses which do not exist).
  • Step 2: Your email admin@example.com is used as the sender in the “From” field.
  • Step 3: The bot sends the email to the non-existing accounts.
  • Step 4: The delivery of the emails fails.
  • Step 5: The non-delivery report emails return to your account (admin@example.com). This results in a massive influx of spam email.

How to Stop Spam Emails in Joomla: Fixes

Fixing Inbound Spam

Sender Policy Framework

The SMTP protocol has its own limitations, as it is not possible to stop someone from using your domain in the “From” field. However, there are certain fixes. Mail servers can be told which IPs are allowed to send mail on behalf of your domain; SPF is a type of DNS TXT record which accomplishes this. The following steps implement SPF:

  1. First, visit the DNS Management page.
  2. Then visit the Records section. Click Add and select TXT from the menu.
  3. Now fill in the following fields:
      • Host: the hostname. For instance, type @ to map the record directly to your domain name.
      • TXT Value: the value you wish to assign.
  4. Finally, click Save.

In the end, it would look something like YourDomain.com. IN TXT “v=spf1 mx ip4:123.123.123.123 -all”.

This states that YourDomain.com has only two valid sources of email: its Mail Exchange (MX) servers, i.e. the servers which receive email for your domain, and the server at 123.123.123.123. All other email would be treated as spam. However, it is noteworthy that, just like robots.txt, this is a convention: most mail servers follow it, while some may not!
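To see what a receiving mail server does with that record, here is an added example (not from the original post) that evaluates the article's SPF record, and a softfail variant, against a connecting IP. It covers the Non-Delivery Reports scenario above as well: a forged “From” sent from an IP outside the record gets fail, which is what lets the receiving side drop the message instead of bouncing it to you. DNS answers are a constructed in-memory table rather than live lookups, and only the mx, a, ip4, ip6 and all mechanisms are implemented (no include or redirect).

```python
import ipaddress

# Constructed DNS data standing in for real lookups (assumption: no network access).
FAKE_DNS = {
    ("yourdomain.com", "TXT"): ["v=spf1 mx ip4:123.123.123.123 -all"],
    ("yourdomain.com", "MX"): ["mail.yourdomain.com"],
    ("mail.yourdomain.com", "A"): ["198.51.100.10"],
    ("softfail.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns a list of record values."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def host_addresses(name):
    return lookup(name, "A") + lookup(name, "AAAA")


def check_spf(domain, sender_ip):
    """Evaluate the domain's SPF record for a connecting IP.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Mechanisms are checked left to right; the first match decides."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a bare address is a /32 or /128; a different IP version never matches
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            matched = any(str(ip) in host_addresses(h) for h in lookup(arg or domain, "MX"))
        elif mech == "a":
            matched = str(ip) in host_addresses(arg or domain)
        else:
            matched = False  # unsupported mechanism in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("198.51.100.10", "123.123.123.123", "203.0.113.5"):
        print(ip, check_spf("yourdomain.com", ip))
```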


Fixing Outbound Spam

Identify and Remove Spam Scripts

Step 1: First it is necessary to identify the scripts which are generating spam. Log in to the mail server with admin rights (sudo).

Step 2: To be able to attribute outbound emails to scripts, ensure that your php.ini file contains the line mail.add_x_header = On. Once this is done, proceed to inspect your mail queue.

Step 3: Run the command mailq. It lists all the emails in the queue. Note the ID of the email whose source you wish to track.

Step 4: Now the grep and postcat commands come in handy. Run the following command: postcat -q <ID obtained from mailq> | grep X-PHP-Originating-Script

Step 5: This command gives output like X-PHP-Originating-Script: 45:SPAMmailer.php. Here, 45 is the UID of the SPAMmailer.php script. The command has thus found the script that is sending spam, along with its local id on the server. Remove the script and clean the installation.

However, if Step 4 gives no output, it is likely that an account has been compromised rather than a script uploaded. Change the password to a secure one to stop the spam!
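Steps 3 to 5 are repeated once per queue ID, which is tedious on a queue with thousands of entries. The following added example (not from the original post) automates the same logic over the whole queue: it takes the queue IDs from mailq output, looks for the X-PHP-Originating-Script header in each message's postcat output, and reports a count per script together with the IDs that carry no such header (the "compromised account" case from the last paragraph). The mailq and postcat texts are constructed samples in the Postfix layout, so it runs without a mail server.

```python
import re
from collections import Counter

# Constructed `mailq` output (assumption: Postfix layout; three queued messages).
MAILQ_OUTPUT = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Tue Jan  1 10:00:00  www-data@yourdomain.com
                                         victim1@example.net

B2C3D4E5F6     1200 Tue Jan  1 10:00:05  www-data@yourdomain.com
                                         victim2@example.net

C3D4E5F6A7     1100 Tue Jan  1 10:00:09  admin@yourdomain.com
                                         victim3@example.net

-- 3 Kbytes in 3 Requests.
"""

# Constructed `postcat -q <ID>` output keyed by queue ID. Only the header that
# mail.add_x_header = On adds matters here; real output is much longer.
POSTCAT_OUTPUT = {
    "A1B2C3D4E5": "To: victim1@example.net\nX-PHP-Originating-Script: 45:SPAMmailer.php\n\nbody",
    "B2C3D4E5F6": "To: victim2@example.net\nX-PHP-Originating-Script: 45:SPAMmailer.php\n\nbody",
    "C3D4E5F6A7": "To: victim3@example.net\nSubject: hello\n\nbody",  # not sent via PHP mail()
}

QUEUE_ID_RE = re.compile(r"^([0-9A-F]{5,})[*!]?\s", re.M)   # '*' active, '!' on hold
SCRIPT_RE = re.compile(r"^X-PHP-Originating-Script:\s*(\d+):(\S+)", re.M)


def queue_ids(mailq_text):
    """Queue IDs from mailq output, status flags stripped."""
    return QUEUE_ID_RE.findall(mailq_text)


def originating_script(postcat_text):
    """(uid, script) from the X-PHP-Originating-Script header, or None."""
    m = SCRIPT_RE.search(postcat_text)
    return (int(m.group(1)), m.group(2)) if m else None


def attribute_queue(mailq_text, postcat_by_id):
    """Count queued mails per originating PHP script. IDs without the header
    are returned separately: they were not sent through PHP mail(), which
    points at a compromised mail account rather than an uploaded script."""
    per_script, no_header = Counter(), []
    for qid in queue_ids(mailq_text):
        found = originating_script(postcat_by_id.get(qid, ""))
        if found:
            per_script[found] += 1
        else:
            no_header.append(qid)
    return per_script, no_header


if __name__ == "__main__":
    print(attribute_queue(MAILQ_OUTPUT, POSTCAT_OUTPUT))
```

On a live Postfix host the two constructed inputs would come from subprocess.run(["mailq"]) and subprocess.run(["postcat", "-q", qid]) respectively, run as root.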

Other Precautions

  • Clean your site and submit it for review in case it has been blacklisted by Google.
  • Block direct-to-MX unless there is a dire need for it.
  • Avoid using port 25 for SMTP. Port 587 is the better option.
  • Try to use dedicated VPS hosting, as this reduces the chance of a spam infection spreading from another site.
  • Manage the read, write and execute permissions on folders wisely, as this can prevent code execution even when a spam mailer script has been uploaded.
  • Install reputed extensions. Avoid using unknown or nulled extensions.
  • Limit the authentication attempts on the SMTP server. This can prevent brute force attacks.
  • Update, Update, Update!

Conclusion

A hacked Joomla site sending spam can seriously affect the reputation of your site. The best possible precaution is to use a security solution. A great number of security solutions with a firewall and IDS are available online today. Security solutions like Astra are highly scalable and cater to the needs of personal blogs as well as large businesses.


About The Author

Yash Mehta

Yash Mehta is an Information Security Intern at Astra. Passionate about Cybersecurity from a young age, he has helped 100+ companies secure their IT infrastructure.
