Found it.

bart
Tuesday, November 24, 2015 - 06:36

There was an old, unused test Drupal instance that was sitting on the server unpatched, with a couple of PHP scripts sitting in the files directory, including one that was meant to send outgoing mail.  I've removed the test instance in question and started the mail server back up.   It's always possible that I didn't get everything, so please let me know here in a comment (or in a private message) if you receive any more suspicious emails from OGA.

Thanks,

Bart


Comments

WolfMountainGames
joined 9 years 10 months ago
Tuesday, November 24, 2015 - 10:08

Ah thanks for fixing it!

withthelove
joined 11 years 4 months ago
Wednesday, November 25, 2015 - 03:28

Yay!  Thanks for fixing this!

So it was just somebody remotely exploiting a PHP script to send garbage emails and not someone gaining login on the server itself?

Just curious, and it's ok if you can't or don't want to answer! ;)

congusbongus
joined 11 years 7 months ago
Wednesday, November 25, 2015 - 21:54

In other words, the attackers had access to email addresses and the mail server, but not passwords?

You should send a mass email to all affected email addresses to advise them to ignore emails, and definitely not to click any links, purporting to be from OGA during the attack. Simply posting this on the front page is going to miss a lot of people.

spikec
joined 12 years 2 months ago
Saturday, November 28, 2015 - 12:00

The old compromised test install. If I had a dollar for every time I saw that in my line of work... I agree with congusbongus about sending the mails to the affected. Not sure what your level of experience is with SysAdmining, but a little bash-fu on the mail server's logs should help in determining who was sent the phishing mails, if you haven't already handled it. You find any PHP shells amongst the malicious files?
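The mail-log triage suggested in the last comment, as an added example that is not part of the original thread or OGA's own tooling: it lists the recipients that were actually delivered mail submitted by one local account. It assumes a Postfix MTA and that the PHP scripts ran as the web server user (uid 33 here); the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Assumptions (not stated in the thread): the MTA is Postfix logging in syslog
# format, and the PHP scripts ran as the web server account (uid 33 here), so
# their mail entered the queue through postfix/pickup with that uid.

# Constructed sample log; hosts, queue IDs and addresses are made up.
sample_log() {
cat <<'EOF'
Nov 23 02:14:07 mail postfix/pickup[2101]: 3F2A1C0D: uid=33 from=<www-data>
Nov 23 02:14:09 mail postfix/smtp[2110]: 3F2A1C0D: to=<alice@example.com>, relay=mx.example.com[192.0.2.10]:25, dsn=2.0.0, status=sent (250 OK)
Nov 23 02:14:09 mail postfix/qmgr[1022]: 3F2A1C0D: removed
Nov 23 02:15:30 mail postfix/pickup[2101]: 7B9E4D11: uid=0 from=<root>
Nov 23 02:15:31 mail postfix/smtp[2111]: 7B9E4D11: to=<admin@example.org>, relay=mx.example.org[192.0.2.20]:25, dsn=2.0.0, status=sent (250 OK)
Nov 23 02:16:02 mail postfix/pickup[2101]: 9C11AA02: uid=33 from=<www-data>
Nov 23 02:16:04 mail postfix/smtp[2112]: 9C11AA02: to=<bob@example.net>, relay=none, dsn=4.4.1, status=deferred (connect timed out)
Nov 23 02:16:05 mail postfix/smtp[2113]: 9C11AA02: to=<carol@example.net>, relay=mx.example.net[192.0.2.30]:25, dsn=5.1.1, status=bounced (user unknown)
Nov 23 02:20:04 mail postfix/smtp[2112]: 9C11AA02: to=<bob@example.net>, relay=mx.example.net[192.0.2.30]:25, dsn=2.0.0, status=sent (250 OK)
Nov 23 03:01:00 mail postfix/pickup[2101]: 3F2A1C0D: uid=0 from=<root>
Nov 23 03:01:01 mail postfix/smtp[2120]: 3F2A1C0D: to=<dave@example.org>, relay=mx.example.org[192.0.2.20]:25, dsn=2.0.0, status=sent (250 OK)
EOF
}

# recipients_from_uid UID < maillog
# Prints the unique recipients with status=sent for messages that the given
# local uid handed to Postfix. Deferred and bounced attempts are ignored.
recipients_from_uid() {
  awk -v uid="$1" '
    # Field 5 is the Postfix service, field 6 the queue ID with a trailing colon.
    { q = $6; sub(/:$/, "", q) }
    # A pickup line records which local uid submitted this queue ID.
    $5 ~ /^postfix\/pickup\[/ { suspect[q] = ($7 == ("uid=" uid)); next }
    # Postfix reuses queue IDs, so forget one once qmgr removes the message.
    $5 ~ /^postfix\/qmgr\[/ && $7 == "removed" { delete suspect[q]; next }
    (q in suspect) && suspect[q] && /status=sent/ {
      for (i = 7; i <= NF; i++)
        if ($i ~ /^to=</) {
          r = $i; sub(/^to=</, "", r); sub(/>,?$/, "", r)
          print tolower(r)
        }
    }
  ' | sort -u
}

# Demonstration on the constructed sample.
sample_log | recipients_from_uid 33
```

On a real server the input would be the mail log covering the incident window, and the uid would be whichever account the web server actually runs as.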