I discovered that thousands or tens of thousands of Spam emails were going through my server, so I investigated.
After some detective work, I was led to a file, themes/tiga/admin/css/lib.php, which doesn’t seem to be in the actual tiga style distribution – but contains obfuscated PHP code which I’m almost positive is responsible for the Spam relay.
I’ve known the user for almost ten years and I’m sure he had no idea it was there. He’s pretty technically savvy, so I’m curious as to how it got there – was the download temporarily corrupted with this “trojan”? Did someone figure out his FTP password?
Regardless, I came here, searched this forum, but didn’t find anything like it, so I posted this.
I was going to post the exploit, but, well, better not, eh? But just knowing about this might help the next guy – or contact me and identify yourself if you’re interested in seeing the payload.
- The topic ‘Found a spam relay in a WordPress style on my server!’ is closed to new replies.
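The finding in this post (a PHP file inside a theme's css directory that is not part of the theme's distribution) is the kind of thing a comparison against a clean copy of the same theme release will surface. The following is an added example, not part of the original post or the theme's own code; the directory layout, the file contents and the `ASSET_DIRS` list are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: directories that should hold only static assets, never PHP.
ASSET_DIRS = {"css", "js", "images", "img", "fonts"}


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_theme(installed: Path, pristine: Path) -> dict[str, list[str]]:
    """Compare an installed theme against a clean copy of the same release."""
    have, want = manifest(installed), manifest(pristine)
    extra = sorted(set(have) - set(want))
    modified = sorted(f for f in have.keys() & want.keys() if have[f] != want[f])
    # A PHP file that is both unknown to the release and inside an asset
    # directory deserves attention before anything else.
    php_in_assets = sorted(
        f for f in extra
        if f.lower().endswith((".php", ".phtml"))
        and ASSET_DIRS & set(Path(f).parts[:-1]))
    return {"extra": extra, "modified": modified, "php_in_assets": php_in_assets}


def demo() -> dict[str, list[str]]:
    """Build a constructed pristine/installed pair and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, installed = Path(tmp, "pristine"), Path(tmp, "installed")
        files = {"style.css": "body{}", "index.php": "<?php // theme ?>",
                 "admin/css/admin.css": ".a{}"}
        for root in (pristine, installed):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed stand-ins for an unexpected file and an altered one.
        (installed / "admin/css/lib.php").write_text("<?php /* placeholder */ ?>")
        (installed / "index.php").write_text("<?php // theme, altered ?>")
        return audit_theme(installed, pristine)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real server, point `audit_theme` at the live theme directory and at a freshly downloaded, unpacked copy of the same theme version.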