Email spam generators (PHP) found amongst module files.
Posted by brad.curnow on October 27, 2014 at 1:56am
Hi All,
I recently received an email from my host (Arvixe) stating that they had disabled a script on one of my D7 sandbox sites due to large quantities of spam email emanating from there.
Upon investigation I found an encrypted PHP file called "sql91.php" in my modules/field/modules/options folder. I later discovered a second bogus file called "sraynr.php" in a different folder. Both of these files have been called from Russian IP addresses:
146.185.239.52
146.185.239.51