Signs of an ongoing WP attack? (7 posts)

  1. anabelle
    Member
    Posted 2 years ago #

    Hi,

    Since this morning I started receiving some strange emails in my inbox.

    They come from contacts, and are being sent to several contacts each, using a visible carbon copy.

    The content of the email is a single link, to an "html" file, hosted in the wp-content folder.

    I think this could indicate some kind of attack on WP spreading spam via email.

    Has anyone else got this strange email with only one link?

    Some example routes for the links are:

    /wp-content/themes/threelittlecherries/trfsf.html?dehj=ry.htm&rty=yl.gif&sgc=kzrh
    /wp-content/themes/InStyle/gmjre.html?tuj=pk.jpg&adf=yl.jpeg&egc=lgoh
    /wp-content/themes/extreme-typewriter/rofmd.html?cvb=vvb.msg&adf=fe.txt&yyl=dcjq
  2. You mean people in your contacts list are sending this email?

  3. anabelle
    Member
    Posted 2 years ago #

    Exactly,

    I got another 2 today.

    I get the email from contacts, sent to many people via CC.

    The links always point to a wp-content/

    Today's is:

    /wp-content/themes/graphene/tifle.html?nh=vw.jieg&ohsy=mkv.we&mbn=kpdr

    The email has (no subject) and the domain for each link is always different, which makes me think about a massive amount of sites hacked.

  4. Unless they all happen to have WordPress sites...

    You can check their domains at sitecheck.sucuri.net

  5. anabelle
    Member
    Posted 2 years ago #

    They are all running on WP sites, maybe this is related to the timthumb vulnerability?

  6. thewuff
    Member
    Posted 2 years ago #

    I am also getting these mails from a friend of mine, seems like his hotmail account has been hacked. The links in the mails are all clean according to sitecheck.sucuri.net. Doesn't really make sense, does it?

  7. Unlikely to be related to TimThumb. I mean, yes, possible, but...

    If hotmail's being used, it's ... well, I'd say 'impossible' but anything's possible. Reeeeealy unlikely, unless you have the same passwords ;)

    See, if it wasn't hotmail, I'd say 'It's a hack that uses WP to send the emails.'

    That it IS hotmail and that I KNOW you can't do it that way makes it super weird.
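
For site owners who want to check whether their own server has been serving pages shaped like the links quoted in this thread, the following is an added example, not code from any poster. The pattern is a heuristic inferred only from the four links above, and the combined access-log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shape of the reported links: a short lowercase-named .html file sitting
# directly inside a theme directory (heuristic drawn from the four samples).
THEME_HTML = re.compile(r"^/wp-content/themes/[^/]+/[a-z]{4,8}\.html$")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def is_suspicious(url_or_path):
    """True if a URL or request path matches the shape of the spammed links."""
    parts = urlsplit(url_or_path)
    if not THEME_HTML.match(parts.path):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Every sample carried several short, meaningless alphabetic parameters.
    return len(params) >= 2 and all(
        key.isalpha() and len(key) <= 5 for key, _ in params
    )


def scan_log(lines):
    """Return the request targets in access-log lines that look suspicious."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if match and is_suspicious(match.group(1)):
            hits.append(match.group(1))
    return hits


# Constructed sample log: two requests reuse paths quoted in the thread,
# the other two are ordinary theme requests that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:00:00 +0000] "GET /wp-content/themes/graphene/tifle.html?nh=vw.jieg&ohsy=mkv.we&mbn=kpdr HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2000:10:00:02 +0000] "GET /wp-content/themes/graphene/style.css?ver=1.0 HTTP/1.1" 200 9000',
    '192.0.2.44 - - [01/Jan/2000:10:00:05 +0000] "GET /wp-content/themes/InStyle/gmjre.html?tuj=pk.jpg&adf=yl.jpeg&egc=lgoh HTTP/1.1" 200 498',
    '192.0.2.45 - - [01/Jan/2000:10:00:09 +0000] "GET /wp-content/themes/InStyle/index.html HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for target in scan_log(SAMPLE_LOG):
        print("check this file on disk:", target)
```

A hit means only that the request matches the shape; confirm by checking whether the named file exists in the theme directory and whether the theme actually ships it.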

This topic has been closed to new replies.