Mailwizz compromised

[darrylinca]

Hello,

If anyone can help with this issue please reply.

Yesterday got mailwizz up and running on my privately owned Linux server running Centos with the latest version also mailwizz is the latest version as well. I'm running Cpanel SMTP as my mail preference system.
Today I received an email from my ISP that a device on my network is sending infected malware and so on since then I disabled the mailwizz script and all is well again once I checked my mail queue manager and again I checked it two hours later still no problems.

I am wondering if anyone else have experience this problem on their server and can offer some advice would be appreciated.

 

[Vpul Shah]

Did you add any 3rd party code in campaign HTML ?

 

[darrylinca]

Hello,

Thank you for the reply. The only thing I have added was a email template package awhile back which uses HTML.

 

[OptiBiz1]

... and if you do at fresh install without that?

Also, since it is your own server, install Letsencrypt Certbot and generate a cert so that you can access MW via https.

 

[darrylinca]

Hello,

Yesterday I suspended the account from the server and all had gone back to normal, but later on the same day I enabled the account again and all had seem to be working well until today the emails have started again.

I deleted the html emails as well I guess that wasn't the problem so now I will suspend the account again and wait on the developer to answer my support ticket.

Update: The second I suspended the account all emails stop.

 

[frm.mwz]

running Cpanel SMTP as my mail preference system

What exactly do you mean by 'cpanel smtp' and 'mail preference system'?

email from my ISP that a device on my network is sending infected malware

Did they specify what kind of malware was sent?
Maybe there is some campaign/autoresponder set to continuously send (it happened before)
or some sql injection happened or someone found a clever way to run mailings via URL (there was some similar incident if I remember correctly and it was reported on the forum but I cannot find it, however, it was resolved afaik).
If it was me, I would have a look through all mwz settings and set them to default and save, then see. If all seems normal, then set again as you wish and see what happens, so 'debug' step by step.

added was a email template package awhile back which uses HTML

What kind of package is that? If the source is good there should be normally no problem. Have you scanned it perhaps at virustotal.com? It is highly unlikely that just adding template to the template repository would create such a problem. If it is just one template, you could check what happens when you insert it manually into the html email editor (ckeditor) in the campaign setup.

Yesterday I suspended the account from the server and all had gone back to normal, but later on the same day I enabled the account again and all had seem to be working well until today the emails have started again.

Maybe it is the server that is compromised, not mwz.
When you say 'account', do you mean 'cpanel webhosting account'?
Feel free to PM me if you want me to have a look at it.

Please do get back with as much detail as possible, so we can figure this out asap.

 

[darrylinca]

What is that exactly 'cpanel smtp' and 'mail preference system'?


Did they specify what kind of malware was sent?
Maybe there is some campaign/autoresponder set to continuously send (it happened before)
or some sql injection happened or someone found a clever way to run mailings via URL (there was some similar incident if I remember correctly and it was reported on the forum but I cannot find it, however, it was resolved afaik).
If it was me, I would have a look through all mwz settings and set them to default and save, then see. If all seems normal, then set again as you wish and see what happens, so 'debug' step by step.


What kind of package is that? If the source is good there should be normally no problem. Have you scanned it perhaps at virustotal.com? It is highly unlikely that just adding template to the template repository would create such a problem. If it is just one template, you could check what happens when you insert it manually into the html email editor (ckeditor) in the campaign setup.

Please do get back with as much detail as possible, so we can figure this out asap.

Thank you for the reply and very good suggestions.

Here is what I found so far, the email templates is not the problem I uninstalled them before enabling the account again. The emails are spam and could possibly have malware attached I don't know other than what the ISP is stating. I have other accounts on my server this account with mailwizz installed is the only one effected. I do have autoresponder enabled on one email I sent out as a test only created within mailwizz no third party template. As far as the Cpanel smtp and mail preference system it is only one account that have been compromised so I am willing to say it is in mailwizz settings or script. I will do as you say and set if back to default and see what happens.

It's crazy because as soon as I enable the account the emails start automatically, but let me do as you suggested on the default and I will get back to ya. Thanks again

 

[frm.mwz]

what the ISP is stating

Would be good to know exactly what they say (also re server security, as sometimes fresh servers get hacked before the new owner logs in or after mail transitions through a few disreputable providers), and also have a sample of the spam emails (incl full headers).

I do have autoresponder enabled on one email I sent out as a test only

Can you try and disable that for a while and see if the error still comes up?

the Cpanel smtp and mail preference system

What do you mean by those two?

only one account that have been compromised

Perhaps you can (as mwz has not been used much as it seems from what you write), delete that cpanel account and create a new one and reinstall mwz and see if the error still comes up?
Also, is the mwz install source downloaded from the members area or from somewhere else?

as soon as I enable the account

What do you mean here (cpanel account, email account created in cpanel, user/customer account in mwz, delivery server in mwz, or else)?

The more specifics you supply, the easier it is to resolve. Also, please post screen shots or anything else as far as possible (you can redact private info).

 

[OptiBiz1]

Pls PM me the IP of your server + the domain of the MW installation and I will do a port scan on it (to check what ports are open). Since you mentioned that this is your own server, I think your problem is related to that.

 

[frm.mwz]

Pls PM me the IP of your server + the domain of the MW installation and I will do a port scan on it (to check what ports are open). Since you mentioned that this is your own server, I think your problem is related to that.

It is most likely a server security issue...I was just about to post it!

 

[darrylinca]

Would be good to know exactly what they say (also re server security, as sometimes fresh servers get hacked before the new owner logs in or after mail transitions through a few disreputable providers), and also have a sample of the spam emails (incl full headers).


Can you try and disable that for a while and see if the error still comes up?


What do you mean by those two?


Perhaps you can (as mwz has not been used much as it seems from what you write), delete that cpanel account and create a new one and reinstall mwz and see if the error still comes up?
Also, is the mwz install source downloaded from the members area or from somewhere else?


What do you mean here (cpanel account, email account created in cpanel, user/customer account in mwz, delivery server in mwz, or else)?

The more specifics you supply, the easier it is to resolve. Also, please post screen shots or anything else as far as possible (you can redact private info).

"Would be good to know exactly what they say"
Haven't got a chance to view any emails yet

"sometimes fresh servers get hacked"
This server have been in operation for over 5 years.

"Can you try and disable that for a while and see if the error still comes up?"
Everything is disabled

"What do you mean by those two?"
Don't understand the question

"Perhaps you can (as mwz has not been used much as it seems from what you write), delete that cpanel account and create a new one and reinstall mwz and see if the error still comes up?
Also, is the mwz install source downloaded from the members area or from somewhere else?"
I can do this but please let me here back from the developer first

"What do you mean here (cpanel account, email account created in cpanel, user/customer account in mwz, delivery server in mwz, or else)?"
What I meant was I have many accounts on my server using Cpanel if you were thinking I only had that one account with MW or just MW installed on the server. What I meant about the email was I created a test email in MW to send out that's all.

 

[frm.mwz]

Haven't got a chance to view any emails yet

Well, it may be advisable to know these details asap as it is a compromised operation, and posting for help without sufficient detail means help comes slower to you

This server have been in operation for over 5 years.

Then one would assume tight server security with well-adjusted firewall, brute force protection, etc. What is actually in use?
For cPanel server, if you don't have it already, take CSF and tighten that as well as cpHulk and if adjusted well, you should be fine in most circumstances.

"What do you mean by those two?"
Don't understand the question

That is re the two terms you are using "Cpanel SMTP" and "mail preference system", so in order to understand you better (and the problem deeper), I try find out what you mean by those two quoted phrases.

 

[twisted1919]

@darrylinca - if you've opened a ticket i'll have a look at this as soon as i reach to the ticket.
Today i started with the forums posts so i will reach the tickets a bit later.