- Affected App
- WoltLab Suite Core
Hi,
I recently got reports from Microsoft that my server was sending spam mails.
It turns out Woltlab (wcf) is sending these spam mails!
Hereby an excerpt from the website mail logs:
[24-Jun-2016 07:13:45 Europe/Amsterdam] mail() on [/home/username/domains/domain.com/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: Labrieaq8n <dgsdzaaxdxsxccss@apocztaz.com.pl> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 MIME-Version: 1.0
[24-Jun-2016 08:39:11 Europe/Amsterdam] mail() on [/home/username/domains/domain.com/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: frye3376 <all@azuma81106.ammuca.eu> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 MIME-Version: 1.0
[24-Jun-2016 09:46:01 Europe/Amsterdam] mail() on [/home/username/domains/domain.com/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: Viviengmt <qrhneduj@gmail4u.eu> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 MIME-Version: 1.0
[24-Jun-2016 10:17:35 Europe/Amsterdam] mail() on [/home/username/domains/domain.com/public_html/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: Donaldmqjx <bettyann@randox.securemail.co.pl> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 MIME-Version: 1.0
I also found some files created in /tmp by the woltlab user!
E.g.:
/tmp/phpSexPxI /tmp/phpmhWxZ8 /tmp/phpWggxkh /tmp/phpLgF77K /tmp/phpsjg6Jv /tmp/phpTxQNvJ /tmp/phpFf8MW6 /tmp/phpHXIEck
All these files were base64-encoded PHP scripts.
E.g.: a file uploader.
No other intrusions have been found, nor any rootkits.
No weird server logins have been done.
The hack looks like it came via woltlab.
Now, in order to make woltlab a nice and secure environment, I think it would be good if I could work together with the Woltlab team to find out which script or package is insecure.
This allows Woltlab to remove this package from the store or to fix the issue.
Questions:
1) What is the best way to find out which script is sending these mails? Do I need to add some logging somewhere?
2) Is there still a way to save my current Woltlab installation and make it secure again?
Many thanks!
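For question 1, the excerpt above is PHP's own mail() log (the mail.log ini directive), so the first triage step is to parse it and aggregate who was mailed, when, and from which script and line. The following script is an added example, not code from the post or from WoltLab; the sample log lines are constructed in the same shape as the excerpt, with placeholder paths and recipient domains, and the X-PHP-Originating-Script header is only present if mail.add_x_header is enabled in php.ini.

```python
import re
from collections import Counter
from datetime import datetime

# PHP writes one line per mail() call when the mail.log ini directive is set.
# Shape, as in the post: [DATE TZ] mail() on [SCRIPT:LINE]: To: RCPT -- Headers: HDRS
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+?) (?P<tz>\S+)\] mail\(\) on \[(?P<script>[^\]]+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)
ADDR_RE = re.compile(r"<([^>]+)>")

def parse_line(line):
    """Return a dict for one mail.log entry, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
    rec["line"] = int(rec["line"])
    addr = ADDR_RE.search(rec["to"])
    rec["rcpt"] = (addr.group(1) if addr else rec["to"]).strip().lower()
    rec["rcpt_domain"] = rec["rcpt"].rsplit("@", 1)[-1]
    # With mail.add_x_header=On, PHP tags each mail with uid:script; grab it if it was logged.
    x = re.search(r"X-PHP-Originating-Script:\s*(\S+)", rec["headers"])
    rec["origin"] = x.group(1) if x else None
    return rec

def triage(lines):
    """Aggregate entries: volume per calling script, per hour, and per recipient domain."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "total": len(recs),
        "by_script": Counter(f'{r["script"]}:{r["line"]}' for r in recs),
        "by_hour": Counter(r["ts"].strftime("%Y-%m-%d %H:00") for r in recs),
        "rcpt_domains": Counter(r["rcpt_domain"] for r in recs),
        "origins": Counter(r["origin"] for r in recs if r["origin"]),
    }

# Constructed sample lines in the same shape as the post's excerpt (placeholder paths/domains).
SAMPLE_LOG = """\
[24-Jun-2016 07:13:45 Europe/Amsterdam] mail() on [/var/www/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: Labrieaq8n <user1@spam-target.example> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Type: text/plain; charset=UTF-8
[24-Jun-2016 07:14:02 Europe/Amsterdam] mail() on [/var/www/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: frye3376 <user2@spam-target.example> -- Headers: X-Priority: 3 X-Mailer: WoltLab Community Framework Mail Package From: WebsiteName <webmaster@domain.com> Content-Type: text/plain; charset=UTF-8
[24-Jun-2016 09:46:01 Europe/Amsterdam] mail() on [/var/www/wcf/lib/system/mail/PHPMailSender.class.php:19]: To: Vivien <user3@another.example> -- Headers: X-PHP-Originating-Script: 1001:PHPMailSender.class.php X-Priority: 3 From: WebsiteName <webmaster@domain.com>
not a mail log line
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Because every entry here points at the PHPMailSender wrapper, the per-script count alone will not name the caller; the timestamps per hour are what you correlate against the web server access log to find the request that triggered each send.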