Our client's Web site is hosted at Hostway. They sent us an email regarding the site breach. They gave us this.
Infected Files:
Disabled:
/home/14/11/1011114/web/backup-Sept-15-2015/modules/nuSOAP/lang:
---------- 1 root root 154976 Mar 24 13:48 info13.php
/home/14/11/1011114/web/wp-content/themes/twentyfifteen:
---------- 1 root root 448988 Mar 27 12:40 404.php
/home/14/11/1011114/web/losa-app-download/includes:
---------- 1 root root 10496 Mar 24 13:48 test95.php
/home/14/11/1011114/web/backup-Sept-15-2015/losa/admin:
---------- 1 root root 10816 Mar 24 13:48 session43.php
Evidence:
Spam Example:
204P Received: from sample0con by lsh1018.lsh.siteprotect.com with local (Exim 4.80)
(envelope-from <josephine_fox@sample-consulting.com>)
id 1akYj1-00033B-O3
for mrc24@aol.com; Mon, 28 Mar 2016 10:05:03 -0500 018T To: mrc24@aol.com
039 Subject: Quickie With a Girl Next Door
038 Date: Mon, 28 Mar 2016 10:05:03 -0500 056F From: Josephine Fox <josephine_fox@sample-consulting.com>
067I Message-ID: df8f0ea4b44afb61b35b27009c59c745@sample-consulting.com
014 X-Priority: 3
068 X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
018 MIME-Version: 1.0
085 Content-Type: multipart/alternative;
boundary="b1_df8f0ea4b44afb61b35b27009c59c745"
032 Content-Transfer-Encoding: 8bit
1akZPP-0006KC-2P-H
pcms0con 1011114 1011114
<arlene_mann@sample-consulting.com>
1459180131 0
-ident pcms0con
-received_protocol local
-body_linecount 36
-max_received_linelength 119
-auth_id pcms0con
-auth_sender sample0con@lsh1018.lsh.siteprotect.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
-sender_set_untrusted
XX
1
wahid.rotormas@gmail.com
I guess our site was hacked and it is now sending spam. The email contains
Subject: Quickie With a Girl Next Door
Date: Mon, 28 Mar 2016 10:05:03 -0500
From: Josephine Fox <"josephine_fox@sample-consulting.com">
We don't have any user with that name and email. Also, they gave us logs like the ones below.
Access Logs:
85.128.142.15 - - [28/Mar/2016:11:17:11 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
50.87.144.56 - - [28/Mar/2016:11:17:46 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
72.167.190.158 - - [28/Mar/2016:11:19:15 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
173.254.28.126 - - [28/Mar/2016:11:21:21 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
199.182.223.68 - - [28/Mar/2016:11:23:26 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
184.168.193.208 - - [28/Mar/2016:11:25:30 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
93.125.99.15 - - [28/Mar/2016:11:25:40 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
184.168.200.158 - - [28/Mar/2016:11:25:56 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 403 15
81.17.254.94 - - [28/Mar/2016:11:27:34 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 403 15
217.16.9.212 - - [28/Mar/2016:11:29:39 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 403 15
This is where I need to focus. I want to know how to interpret these logs. As far as I can tell, my questions are as follows:
How do I interpret this?
How do I know if a certain log entry is sending an email? Is there a certain arrangement to look for in an email log?
Those are log entries from the HTTP server's access log file; they describe the HTTP requests, not email events. The requests originate from different addresses, which is typical today: such zombie sites are used by distributed botnets for their purposes. This makes identifying the people behind it much harder. The path you see in the requests is the endpoint of the API used to access the server; this looks like a SOAP API your site offers.
The question about the SMTP log is not that trivial to answer. This actually depends on how your PHP scripts are sending the message. Four main variants have to be considered:
1. You operate a local SMTP server on that system, which might indeed give you log files for the messages. In that case the location of the log files depends on which server software you use, for example exim or postfix. You will have to check the server's configuration files or simply dig around a bit under the folder where log files are kept, typically something like /var/log/... However, this variant is not very likely, since you wrote that you are using some hosting company. Using a locally operated SMTP server requires having full control over the system, so root access. If you had that you would know :-)
2. The messages are sent using the standard route configured in PHP by means of PHP's mail() function. In that case it obviously depends on that configuration, to which SMTP relay server that route actually points, but it will most likely not be a server operated on your local system. This would mean you'd have to get hold of the log files of that remote system operating the SMTP server. This might be a system your hosting company provides, but that is not very likely, since they would risk their systems being placed on black lists again and again. Anyway, you'd have to check this with your hosting company.
3. The most likely scenario is that the messages were sent using one of the SMTP client classes available for PHP. Those offer much more flexible handling of messages, which is why they are usually preferred to the built-in functions. In this case the class configuration / initialization defines what SMTP server is used as a relay, so you will have to take a look into your PHP scripts for that information. As in option 2 this will almost certainly not be a locally operated server, but some typical relay like GMail or Mandrill. You won't be able to get hold of the log files then, unless you have a specific contract with those companies, which, again, you would know :-)
4. As a variant of option 3, the attacker might overwrite or replace the given configuration and provide his own connection details. This most likely is possible, since apparently the attacker succeeded in executing injected code on your system. So he could do more or less what he wants. In that case you might or might not be able to find traces of those details...
However, frankly, I do not see why you are interested in those log entries, or rather in the information about which addresses those messages were sent to.
Keep in mind that the typical attacker in such a case is not using addresses related to the attacked website. Instead, usually a catalog of addresses is used that were collected either by scraping public web sites like forums (so arbitrary, stolen addresses), or by "guessing" addresses, i.e. combining typical account names with known domain names freely available on the internet. You are not interested in that, since it is completely out of your control and not connected with you or your business at all.
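The two kinds of evidence in the question (the access-log lines and the Exim spool data) can be triaged mechanically, which is what the answer's distinction between HTTP requests and mail events comes down to in practice. The following is an added example written for this page, not code from the question, the answer or Hostway. It assumes the access log is in Apache common/combined format and that the block starting `1akZPP-0006KC-2P-H` is the envelope part of an Exim spool header (`-H`) file, whose layout (message id, submitting login, envelope sender, receive time, `-option` lines, non-recipient tree, recipient count, recipients) is Exim's documented format; `DISABLED_PATHS` is the hoster's list with the `/home/.../web` prefix stripped, and the sample data is copied from the question.

```python
"""Triage of the hoster's evidence: access-log hits on the disabled files and
the Exim spool envelope of one queued spam message (added example)."""
import re
from collections import Counter
from datetime import datetime, timezone

# Sample input copied from the question: access-log lines for the disabled file.
ACCESS_LOG = """\
85.128.142.15 - - [28/Mar/2016:11:17:11 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
50.87.144.56 - - [28/Mar/2016:11:17:46 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
72.167.190.158 - - [28/Mar/2016:11:19:15 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
173.254.28.126 - - [28/Mar/2016:11:21:21 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
199.182.223.68 - - [28/Mar/2016:11:23:26 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
184.168.193.208 - - [28/Mar/2016:11:25:30 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
93.125.99.15 - - [28/Mar/2016:11:25:40 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 200 69
184.168.200.158 - - [28/Mar/2016:11:25:56 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 403 15
81.17.254.94 - - [28/Mar/2016:11:27:34 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 403 15
217.16.9.212 - - [28/Mar/2016:11:29:39 -0500] "POST /backup-Sept-15-2015/modules/nuSOAP/lang/info13.php HTTP/1.0" 403 15
"""

# Sample input copied from the question: envelope part of the Exim spool -H file.
EXIM_SPOOL = """\
1akZPP-0006KC-2P-H
pcms0con 1011114 1011114
<arlene_mann@sample-consulting.com>
1459180131 0
-ident pcms0con
-received_protocol local
-body_linecount 36
-max_received_linelength 119
-auth_id pcms0con
-auth_sender sample0con@lsh1018.lsh.siteprotect.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
-sender_set_untrusted
XX
1
wahid.rotormas@gmail.com
"""

# The hoster's "Disabled" list, relative to the web root (assumed to be .../web).
DISABLED_PATHS = {
    "/backup-Sept-15-2015/modules/nuSOAP/lang/info13.php",
    "/wp-content/themes/twentyfifteen/404.php",
    "/losa-app-download/includes/test95.php",
    "/backup-Sept-15-2015/losa/admin/session43.php",
}

# Apache common log format: ip ident user [time] "method path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')


def parse_access_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def summarize_hits(log_text, disabled_paths):
    """Summarize requests that touch any of the disabled files: how many, from how
    many distinct clients, which status codes, and the time window."""
    entries = (parse_access_line(l) for l in log_text.splitlines())
    hits = [e for e in entries if e and e["path"].split("?", 1)[0] in disabled_paths]
    return {
        "count": len(hits),
        "distinct_ips": len({e["ip"] for e in hits}),
        "by_status": dict(Counter(e["status"] for e in hits)),
        "methods": dict(Counter(e["method"] for e in hits)),
        "first": min(e["ts"] for e in hits) if hits else None,
        "last": max(e["ts"] for e in hits) if hits else None,
    }


def parse_exim_spool_header(text):
    """Parse the envelope part of an Exim spool -H file. Real files may carry
    extra data lines after some -options (e.g. ACL variables); the sample has none."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    login, _uid, _gid = lines[1].split()
    received_epoch = int(lines[3].split()[0])       # "<time received> <warning count>"
    options, i = {}, 4
    while i < len(lines) and lines[i].startswith("-"):
        key, _, value = lines[i][1:].partition(" ")
        options[key] = value or True                # bare flags become True
        i += 1
    while i < len(lines) and not lines[i].isdigit():  # skip non-recipient tree ("XX" = empty)
        i += 1
    count = int(lines[i])
    return {
        "message_id": lines[0],
        "login": login,
        "sender": lines[2].strip("<>"),              # envelope sender, not the From: header
        "received": datetime.fromtimestamp(received_epoch, tz=timezone.utc),
        "options": options,
        "auth_id": options.get("auth_id"),
        "recipients": lines[i + 1:i + 1 + count],
    }


def correlate(summary, spool):
    """Seconds from the spool receive time to the first/last hit on a disabled file."""
    return {"seconds_to_first_hit": (summary["first"] - spool["received"]).total_seconds(),
            "seconds_to_last_hit": (summary["last"] - spool["received"]).total_seconds()}


if __name__ == "__main__":
    s, e = summarize_hits(ACCESS_LOG, DISABLED_PATHS), parse_exim_spool_header(EXIM_SPOOL)
    print(s)
    print(e["received"].isoformat(), e["login"], e["sender"], e["recipients"])
    print(correlate(s, e))
```

Running it shows the two things the answer stresses: the access log records ten POSTs to one disabled file from ten different client addresses within a few minutes (the last three already answered 403, i.e. after the hoster disabled the file), while the spool envelope carries the mail-side facts (`-received_protocol local` and the `pcms0con` login in `-auth_id` mean the message was handed to Exim by a local process under the hosting account, and the envelope sender differs from the `From:` header). The spool receive time (15:48:51 UTC) precedes the quoted POST window by about half an hour, so the access-log excerpt alone does not show the request that queued that particular message; the full log around the receive time is what to pull from the hoster.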