Email issues - Spam

I have received the following from my Host, and would like any tips on moving forward!
I have requested access to or copies of the mail log.

We found that the astrabridal.co.nz container was being used to send spam as can be seen from the mail logs found in /container/logs/rsyslog/mail.log. To protect our SMTP server’s IP reputation, we disabled SMTP on the container so it won’t be able to send any more spam emails.

We had a look at the Apache access logs and found a lot of POST requests similar to these ones coming from various IP addresses:

64.140.148.2 - - [04/Jul/2023:04:00:12 +1200] "POST /assets/components/pdotools/connector.php HTTP/1.1" 200 1731 "https://www.astrabridal.co.nz/ab16/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Mobile/15E148 Safari/604.1"

We suspect that this end-point was being exploited so we would recommend reviewing if any changes such as updates are needed to shore this up. Once you feel confident that you have addressed the vulnerability, please let us know and we can re-enable SMTP on the container for you.

MODX 2.8.5 (Just upgraded from 2.8.4 right now)

This is a site that’s been in development / upgrades over the last 12 years. I haven’t attempted an upgrade to Modx 3 as I am having upgrade issues on other sites.
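Added example (not from the original post or from the host): a small Python script that parses Apache combined-format access lines like the one quoted above and ranks POST targets by how many distinct client IPs hit them, which is the pattern the host described. The sample log lines are constructed for the example; only the first follows the host's quoted line.

```python
import re
from collections import defaultdict

# Apache combined log format, matching the shape of the line the host quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: the first mirrors the host's quoted request,
# the remaining IPs, paths and times are made up for this example.
SAMPLE_LOG = """\
64.140.148.2 - - [04/Jul/2023:04:00:12 +1200] "POST /assets/components/pdotools/connector.php HTTP/1.1" 200 1731 "https://www.astrabridal.co.nz/ab16/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Mobile/15E148 Safari/604.1"
198.51.100.7 - - [04/Jul/2023:04:00:15 +1200] "POST /assets/components/pdotools/connector.php HTTP/1.1" 200 1731 "https://www.astrabridal.co.nz/ab16/" "Mozilla/5.0"
203.0.113.9 - - [04/Jul/2023:04:00:18 +1200] "POST /assets/components/pdotools/connector.php HTTP/1.1" 200 1731 "-" "curl/8.0"
203.0.113.9 - - [04/Jul/2023:04:01:02 +1200] "GET /ab16/ HTTP/1.1" 200 9200 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Jul/2023:04:02:40 +1200] "POST /contact/ HTTP/1.1" 200 512 "https://www.astrabridal.co.nz/contact/" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def post_targets(log_text):
    """Map each path that received POSTs to the set of distinct client IPs that posted to it."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            targets[rec["path"]].add(rec["ip"])
    return targets

def suspicious_endpoints(log_text, min_sources=2):
    """Paths POSTed to from at least min_sources distinct IPs, most sources first.
    Abuse of a mail-sending endpoint typically shows as one script hit from many unrelated addresses."""
    targets = post_targets(log_text)
    ranked = sorted(targets.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(path, len(ips)) for path, ips in ranked if len(ips) >= min_sources]

if __name__ == "__main__":
    for path, n in suspicious_endpoints(SAMPLE_LOG):
        print(f"{n:4d} distinct IPs -> {path}")
```

Pointing it at the real access log (and correlating the timestamps with the sends in mail.log) is what would have shown that the FormIt page, not connector.php, was the endpoint being hit.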

The file /assets/components/pdotools/connector.php is from the pdoTools extra. (I think it’s used for pdoPage to load more data via AJAX.)
Is that extra up-to-date?

Thanks. It wasn’t - I have just updated it and 3 or 4 extras that also have updates.

I managed to get into the logs, and it was a completely different issue, on another page. I had a send-to-a-friend form with FormIt that was being accessed. Still not sure HOW, but have deleted the form as it was barely used, which has solved the issue for now.
