Rich Wales wrote:
> If the problem were in fact due to a hijacked PHP page, btw, would this
> necessarily require the page to be using e-mail or TCP connections
> already for its own legitimate purposes, but being co-opted by a hacker
> to nefarious ends? Or could *any* PHP script theoretically be infected
> in a way that would cause this misbehaviour?

*If* the host is running a site, such as WordPress but there are also many other possibilities, and if it is not absolutely up to date with security upgrades current as of *TODAY*, then it is very likely that the site has been compromised. That's just the history of WP and other similar frameworks! They are allowed to do brain surgery on themselves without restriction and they consist of a community of thousands and thousands of inexperienced developers all submitting modules without a security focus.

When I read John Fawcett's suggestion that it might be a web server compromise I thought immediately, "Oh good suggestion!", since that is so often a typical compromise case!

The default PHP "mail()" method sends mail by using the system's /usr/sbin/sendmail interface rather than SMTP.

https://www.php.net/manual/en/mail.requirements.php
https://www.php.net/manual/en/function.mail.php

Bob
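
Because mail() hands messages to /usr/sbin/sendmail rather than SMTP, such mail shows up in the MTA log as a local submission carrying the submitting uid. The following is an added example, not part of the original post: it tallies local submissions per uid from constructed log lines, assuming the MTA is Postfix and the web server runs as uid 33 (both assumptions, as are the function names).

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format (assumption: MTA is Postfix,
# web server runs as uid 33). Hostnames and addresses are placeholders.
SAMPLE_LOG = """\
Jan 10 03:12:01 host postfix/pickup[2101]: 3F2A1C0A12: uid=33 from=<www-data>
Jan 10 03:12:01 host postfix/qmgr[980]: 3F2A1C0A12: from=<www-data@example.org>, size=812, nrcpt=50 (queue active)
Jan 10 03:12:02 host postfix/pickup[2101]: 3F2B7C0A13: uid=33 from=<www-data>
Jan 10 03:12:02 host postfix/qmgr[980]: 3F2B7C0A13: from=<www-data@example.org>, size=790, nrcpt=1 (queue active)
Jan 10 03:15:40 host postfix/smtpd[2250]: 3F3C9C0A14: client=mail.example.net[192.0.2.10]
Jan 10 03:15:41 host postfix/qmgr[980]: 3F3C9C0A14: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Jan 10 04:00:01 host postfix/pickup[2101]: 3F4D0C0A15: uid=0 from=<root>
Jan 10 04:00:01 host postfix/qmgr[980]: 3F4D0C0A15: from=<root@example.org>, size=512, nrcpt=1 (queue active)
"""

# pickup logs one line per message handed in through the sendmail interface.
PICKUP = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<[^>]*>")
QMGR = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def local_submissions(log_text):
    """Return {uid: {"messages": n, "recipients": m}} for locally submitted mail."""
    qid_uid = {}
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for line in log_text.splitlines():
        m = PICKUP.search(line)
        if m:
            uid = int(m["uid"])
            qid_uid[m["qid"]] = uid
            stats[uid]["messages"] += 1
            continue
        m = QMGR.search(line)
        if m:
            # qmgr logs this line again when a deferred message is retried,
            # so count recipients only the first time a queue ID is seen.
            uid = qid_uid.pop(m["qid"], None)
            if uid is not None:
                stats[uid]["recipients"] += int(m["nrcpt"])
    return dict(stats)


def flag_web_uids(stats, web_uids=frozenset({33}), threshold=2):
    """Return web-server uids with at least `threshold` local submissions."""
    return sorted(u for u, s in stats.items()
                  if u in web_uids and s["messages"] >= threshold)
```

Once a web-server uid stands out, PHP's `mail.log` and `mail.add_x_header` ini settings can identify which script called mail().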