I have received the following from my Host, and would like any tips on moving forward!
I have requested access to or copies of the mail log.
We found that the astrabridal.co.nz container was being used to send spam as can be seen from the mail logs found in /container/logs/rsyslog/mail.log. To protect our SMTP server's IP reputation, we disabled SMTP on the container so it won't be able to send any more spam emails.
We had a look at the Apache access logs and found a lot of POST requests similar to these ones coming from various IP addresses:
64.140.148.2 - - [04/Jul/2023:04:00:12 +1200] "POST /assets/components/pdotools/connector.php HTTP/1.1" 200 1731 "https://www.astrabridal.co.nz/ab16/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Mobile/15E148 Safari/604.1"
We suspect that this end-point was being exploited so we would recommend reviewing if any changes such as updates are needed to shore this up. Once you feel confident that you have addressed the vulnerability, please let us know and we can re-enable SMTP on the container for you.
MODX 2.8.5 (just upgraded from 2.8.4 right now)
This is a site that’s been in development / upgrades over the last 12 years. I haven’t attempted an upgrade to Modx 3 as I am having upgrade issues on other sites.
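For triaging the access log the host mentioned, here is an added example (my own script, not from the post or the host) that parses Apache combined-format lines, counts POSTs to the pdoTools connector per source IP, and buckets them by minute so bursts stand out. The first sample line is the one the host quoted; the other lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Apache "combined" log format, matching the line quoted by the host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the host's message; add other connectors here if needed.
WATCHED_PATHS = {"/assets/components/pdotools/connector.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def _watched_post(rec, paths):
    # Strip any query string before comparing the path.
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] in paths


def connector_posts(lines, paths=WATCHED_PATHS):
    """Count POSTs to the watched paths per source IP."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and _watched_post(rec, paths):
            hits[rec["ip"]] += 1
    return dict(hits)


def posts_per_minute(lines, paths=WATCHED_PATHS):
    """Bucket the same POSTs by minute (timestamp without seconds) to expose bursts."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and _watched_post(rec, paths):
            buckets[rec["ts"][:17]] += 1  # e.g. "04/Jul/2023:04:00"
    return dict(buckets)


SAMPLE_LOG = [
    # Line quoted by the host:
    '64.140.148.2 - - [04/Jul/2023:04:00:12 +1200] "POST /assets/components/pdotools/connector.php HTTP/1.1" 200 1731 "https://www.astrabridal.co.nz/ab16/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Mobile/15E148 Safari/604.1"',
    # Constructed lines (RFC 5737 documentation addresses):
    '203.0.113.7 - - [04/Jul/2023:04:00:40 +1200] "POST /assets/components/pdotools/connector.php?x=1 HTTP/1.1" 200 1731 "-" "curl/8.1"',
    '203.0.113.7 - - [04/Jul/2023:04:01:05 +1200] "POST /assets/components/pdotools/connector.php HTTP/1.1" 200 1731 "-" "curl/8.1"',
    '198.51.100.3 - - [04/Jul/2023:04:01:09 +1200] "GET /ab16/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [04/Jul/2023:04:01:10 +1200] "POST /assets/components/pdotools/connector.php HTTP/1.1" 200 1731 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    print("POSTs per IP:", connector_posts(SAMPLE_LOG))
    print("POSTs per minute:", posts_per_minute(SAMPLE_LOG))
```

To run it against the real log, replace SAMPLE_LOG with the lines of the Apache access log and compare the timestamps of the busiest minutes with the entries in mail.log.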