Shopping Cart Software Forum for Ecommerce Templates
 
 Spam being sent out via adminmailinglist.php

myraltis
Advanced Member

190 Posts

Posted - 12/17/2021 :  07:01:16  
Hi,

A Client running v7.3.3 has been advised by one of his customers that:

I received a spam email today which came from your server:

Received: from hmonline by luna.solardns.com with local (Exim 4.94.2) (envelope-from <hmonline@luna.solardns.com>) id 1mxwxL-004Bgs-6B for jonathan.clark@setfiremedia.com; Thu, 16 Dec 2021 20:02:23 +0000
To: jonathan.clark@setfiremedia.com
Subject: FWD:Onhold Delivery - 959094214490668
X-PHP-Script: www.hm-online.co.uk/xxxxx/adminmailinglist.php for 105.106.66.207
X-PHP-Filename: /home/hmonline/public_html/xxxxx/adminmailinglist.php REMOTE_ADDR: 105.106.66.207
MIME-Version: 1.0
From: "elliot@house-martin.com" <elliot@house-martin.com>

Your mail-list script is being used to send out phishing emails (see below). I suggest you get it modified to stop this.

Best wishes,


This is just one (albeit detailed) complaint that he's had in recent days.

I've checked adminmailinglist.php on the server and it's dated 20/05/2021, which matches other files in the folder and was possibly the date that the site upgraded to v7.3.3.

The order reference given in the message is nothing like the range used by the site; however, these emails are going out to customers who have previously ordered from the site, suggesting someone/somebot has gained access to the database.

Could anyone shed any light on this please?

Vince
Administrator

42874 Posts

Posted - 12/18/2021 :  12:57:46  
Hi there
If someone has gotten access to the store admin then sure, they could send their own emails out to the mailing list. It's curious though that there seems to be a hidden vsadmin directory (I've changed the location) so they would have needed server level access to even see which directory to use. I would inform your host, change the FTP and admin logins and check for any suspicious scripts on the server.

Vince


myraltis
Advanced Member

190 Posts

Posted - 12/19/2021 :  07:35:14  
Thanks Vince. The hosting company have found nothing malicious. I've updated passwords and upgraded to v7.3.8 and will monitor for now.
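
Added example, not part of the thread or of the Ecommerce Templates code: a triage script that reads the X-PHP-Script and X-PHP-Filename headers quoted in the complaint, checks that both name the same client address, and lists requests to that script in a web access log. The log lines are constructed and assume Apache combined log format; `parse_complaint` and `triage` are hypothetical names.

```python
import re
from collections import Counter

# Headers copied from the complaint quoted in the thread.
COMPLAINT = """\
X-PHP-Script: www.hm-online.co.uk/xxxxx/adminmailinglist.php for 105.106.66.207
X-PHP-Filename: /home/hmonline/public_html/xxxxx/adminmailinglist.php REMOTE_ADDR: 105.106.66.207
"""

# Constructed access-log lines (assumed Apache combined format), not from the real server.
SAMPLE_LOG = """\
203.0.113.9 - - [16/Dec/2021:19:58:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
105.106.66.207 - - [16/Dec/2021:20:01:40 +0000] "GET /xxxxx/adminmailinglist.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
105.106.66.207 - - [16/Dec/2021:20:02:21 +0000] "POST /xxxxx/adminmailinglist.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
105.106.66.207 - - [16/Dec/2021:20:02:23 +0000] "POST /xxxxx/adminmailinglist.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Dec/2021:20:05:10 +0000] "POST /xxxxx/adminmailinglist.php?x=1 HTTP/1.1" 302 0 "-" "curl/7.68"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_complaint(headers):
    """Return (url_path, client_ip); both headers must name the same address."""
    script = re.search(r"^X-PHP-Script:\s*[^/\s]+(/\S+) for (\S+)", headers, re.M)
    fname = re.search(r"^X-PHP-Filename:\s*\S+ REMOTE_ADDR: (\S+)", headers, re.M)
    if not script or not fname:
        raise ValueError("X-PHP-Script / X-PHP-Filename header missing")
    if script.group(2) != fname.group(1):
        raise ValueError("headers disagree on the client address")
    return script.group(1), script.group(2)

def triage(headers, log_text):
    """Summarise access-log requests to the script named in the complaint."""
    path, reported_ip = parse_complaint(headers)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Compare the path without its query string.
        if m and m.group(4).split("?", 1)[0] == path:
            hits.append((m.group(1), m.group(2), m.group(3)))
    posts = Counter(ip for ip, _, method in hits if method == "POST")
    return {
        "path": path,
        "reported_ip": reported_ip,
        "posts_by_ip": dict(posts),
        "reported_ip_post_times": [t for ip, t, meth in hits
                                   if ip == reported_ip and meth == "POST"],
    }

if __name__ == "__main__":
    print(triage(COMPLAINT, SAMPLE_LOG))
```

POST timestamps for the reported address can be compared with the time in the complaint's Received header, and any other address posting to the hidden admin path is worth following up with the host.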