WordPress.org


[resolved] WP malicious added script to do spam and phishing (11 posts)

  1. Mike Castro Demaria
    Member
    Posted 1 year ago #

    Hi,

    I discovered today on a WP install a malicious script that uses the WP website as a relay to send PayPal phishing and spam. The attacker is coming from small local ISPs in Romania.

    To avoid or be warned about this kind of stuff, simply log your PHP outgoing mail and check it; you will easily see if there is a mass mailing.

    And add a specific sender's domain from your server if you are using virtual hosts.

    With these 2 tricks, you can't block them immediately, but if you add a robot that checks the log, you can easily be warned by email of any mass outgoing mail.

    I have not yet found the backdoor entry, but all the malicious scripts were installed in the wp-content dir as hidden files (.file).

    FYI, the script is not detected by any of the online security services I tested.

    I hope this helps,
    Mike

  2. esmi
    Forum Moderator
    Posted 1 year ago #

  3. Mike Castro Demaria
    Member
    Posted 1 year ago #

    Thanks Esmi,

    But as I said, site scanners did not discover the crack, and for sure I removed it before taking the time to explain it on the WP forum ;-).

    I am reporting it just to give information about how to discover this kind of backdoor: if you have mail going out from a website.

    Your tips are useful to secure WP, but if you discover a problem, it's generally too late.

    That's why I'm suggesting adding logging for the email going out of your website, just to have 1 more security string.

  4. esmi
    Forum Moderator
    Posted 1 year ago #

    I'm sorry but your site being hacked is not an indication of any security issues in WordPress itself. See FAQ_Security.

  5. DJDoubleXL189
    Member
    Posted 1 year ago #

    I've seen plenty of instances where security scanners don't catch the problem.

    Esmi's suggestions are useful not only to secure WP, but to fix the problem, so her tips aren't late at all.

  6. Mike Castro Demaria
    Member
    Posted 1 year ago #

    Ok, but logging outgoing email is not in the common list of tips to secure it, but in fact it's really useful.

    That's why I explained that it's an interesting solution to discover a spamming WP (and any kind of website, in fact) using the mail() PHP function.

    mail.log string
    The path to a log file that will log all mail() calls. Log entries include the full path of the script, line number, To address and headers.

  7. creativeplusplus
    Member
    Posted 1 year ago #

    Sorry, I had the same problem with email going out from the server. Because of that, my website got suspended.

    Mike Castro, can you give a step-by-step tutorial on how to search for and delete the script or hidden file and fix it? Thank you for your help.

    thanks

    christian

  8. Mike Castro Demaria
    Member
    Posted 1 year ago #

    @creativeplusplus Which version of PHP do you use? Do a php -v or a PHP page with <?php phpinfo(); ?> inside.

  9. creativeplusplus
    Member
    Posted 1 year ago #

    Hi, thanks for the quick reply, but I must wait for the hosting company to unsuspend my website.

    The reason they gave me for suspending the website: https://dl.dropboxusercontent.com/u/68847580/zuka-zuka.png

    Thanks

  10. creativeplusplus
    Member
    Posted 1 year ago #

    Sorry Mike, my PHP version is 5.3.15. Please help, they already unsuspended my website.

    Thanks

  11. Mike Castro Demaria
    Member
    Posted 1 year ago #

    @creativeplusplus lucky you! You can use the mail.log configuration, which has been available since PHP 5.3.0.

    The mail.log config can be set in php.ini, .htaccess, httpd.conf or .user.ini, depending on your hosting service's possibilities.

    I think you can use the .htaccess inside your WordPress root folder and add a line at the end like: php_value mail.log /location/to/your/php_mail.log (not tested)

    Mike
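
One way to build the log-checking "robot" suggested in this thread, as an added example that is not code from any poster: it parses mail.log entries, counts mail() calls per script, and flags scripts that send in bulk or sit in hidden files under wp-content. The log line layout, the sample log, and the `max_mails` threshold are assumptions made for the example.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Assumed mail.log line layout (a leading [timestamp] may or may not be present):
#   mail() on [/full/path/script.php:LINE]: To: addr -- Headers: ...
ENTRY = re.compile(r"mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: To: (?P<to>.*?) -- Headers:")

# Constructed sample log (not taken from the thread): one ordinary WordPress
# mail, one unrelated line, and five mails sent by a hidden file in wp-content.
SAMPLE_LOG = "\n".join(
    ["[01-Jan-2014 10:00:00 UTC] mail() on [/var/www/site/wp-includes/pluggable.php:352]: "
     "To: admin@example.org -- Headers: From: wordpress@example.org",
     "some unrelated line"]
    + [f"mail() on [/var/www/site/wp-content/.cache.php:12]: To: user{i}@example.com "
       "-- Headers: From: service@example.net" for i in range(5)]
)

def parse(log_text):
    """Yield (script_path, recipient) for each mail() entry; skip other lines."""
    for raw in log_text.splitlines():
        m = ENTRY.search(raw)
        if m:
            yield m.group("script"), m.group("to").strip()

def is_hidden_in_wp_content(script):
    """True for a dot-file, or a file inside a dot-directory, under wp-content."""
    parts = PurePosixPath(script).parts
    if "wp-content" not in parts:
        return False
    return any(p.startswith(".") for p in parts[parts.index("wp-content") + 1:])

def suspicious_senders(log_text, max_mails=3):
    """Map script path -> list of reasons. max_mails is a hypothetical threshold."""
    counts = Counter(script for script, _ in parse(log_text))
    report = {}
    for script, n in counts.items():
        reasons = []
        if n > max_mails:
            reasons.append(f"mass mailing: {n} mails")
        if is_hidden_in_wp_content(script):
            reasons.append("hidden file under wp-content")
        if reasons:
            report[script] = reasons
    return report

if __name__ == "__main__":
    for script, reasons in suspicious_senders(SAMPLE_LOG).items():
        print(script, "->", "; ".join(reasons))
```

Run from cron against the real mail.log path, the report can be mailed to the administrator whenever it is non-empty.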

Topic Closed

This topic has been closed to new replies.