Am I being hacked?
-
Hi there,
One of my clients reported a possible hack on their websites. I tried scanning it with Wordfence (no result), exploit scanner and antivirus, and this was the outcome.
http://postimg.org/image/b2bz21h9n/
http://postimg.org/image/csv03iysr/
I have never heard of this before, but it seems that this is causing the problem. When looking more into it, I found the following two posts, although they are slightly old.
http://mashable.com/2009/09/05/wordpress-attack/#6gqDp.Ko_GqO
https://wordpress.org/support/topic/evalbase64_decode-hacked?replies=13
I am looking for someone with experience regarding this topic. What should I do and what is the damage?
Thank you!
-
Hi,
Can you please post the link of the site which you think is hacked?
Thanks
Oops, didn’t mention it. The website is http://jagergeveltechniek.nl/
Hi,
No, your website is not hacked or compromised. It is fine.
Thanks
Thank you for looking. On what do you base this? Are the codes mentioned by Exploit Scanner nothing to worry about?
The thing is, the client reported that spam mail is being sent from their email address. The strange thing is that they do not have their email account configured in any mail program; they only log in through webmail. I just do not know where to start looking. Maybe it is better just to clean the whole database and host, and install everything again.
Hi,
You can check whether the website is hacked or not from the link below.
https://sitecheck.sucuri.net//
Also, spam emails being sent from the client's email address does not mean your website is hacked.
There are a lot of things here to be checked.
1) Are the emails sent by WordPress?
2) Anyone can get an email address of a person from a forum, website etc.
3) The codes mentioned by the Exploit Scanner only tell you that the functions used there have alternative functions, as most of the PHP functions will get deprecated in the next version of PHP.
4) What types of emails are sent? What is the content of the email? Can you provide one example email content?
Thanks
---------- Forwarded message ----------
From: Mail Delivery System <Mailer-Daemon@locatel.biz>
Date: 28 March 2016 03:33:53 +02:00
Subject: Mail delivery failed: returning message to sender
To: info@jagergeveltechniek.nl

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

w.konjanan@railinfraopleidingen.nl
SMTP error from remote mail server after end of data:
host nospam02.detron.nl [84.41.128.243]: 550 A URL in this email (vestelkonyaservisi . com) is listed on https://spamrl.com/. Please resolve and retry

------ This is a copy of the message, including all the headers. ------

Return-path: <info@jagergeveltechniek.nl>
Received: from localhost ([127.0.0.1])
 by correo1.locatel.es with esmtp (Exim 4.80)
 (envelope-from <info@jagergeveltechniek.nl>)
 id 1akKu8-0003oQ-Mc; Mon, 28 Mar 2016 02:19:36 +0200
X-Virus-Scanned: amavisd-new at locatel.biz
Received: from correo1.locatel.es ([127.0.0.1])
 by localhost (correo1.locatel.es [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id C6sVSnTLhLyC; Mon, 28 Mar 2016 02:19:25 +0200 (CEST)
Received: from [1.240.222.6] (helo=euvkt.org)
 by correo1.locatel.es with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
 (Exim 4.80)
 (envelope-from <info@jagergeveltechniek.nl>)
 id 1akKtw-0001ZF-Id; Mon, 28 Mar 2016 02:19:25 +0200
From: <info@jagergeveltechniek.nl>
To: "viadennis.nl" <info@viadennis.nl>, "vinseubring" <vinseubring@live.nl>, "w.konjanan" <w.konjanan@b-t-c.nl>, "w.konjanan" <w.konjanan@railinfraopleidingen.nl>, "w.vandenberg" <w.vandenberg@bamutiliteitsbouw.nl>
Subject: Fw: new important message
Date: Mon, 28 Mar 2016 03:19:18 +0300
Message-ID: <000076e8fd89$c93916e9$68ba4ac0$@jagergeveltechniek.nl>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_2D06967E.72B26C7A"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdF8SoWYzu+qyjqeIul5kDGYkR91GQ==
Content-Language: en-us

This is a multipart message in MIME format.

------=_NextPart_000_0001_2D06967E.72B26C7A
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello!

New message, please read <http://vestelkonyaservisi.com/cousin.php?m2od3>

info@jagergeveltechniek.nl

------=_NextPart_000_0001_2D06967E.72B26C7A
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

[HTML version of the same message, generated by Microsoft Word, omitted]

------=_NextPart_000_0001_2D06967E.72B26C7A--
Hi,
This email is not sent by WordPress.
To confirm if the emails are actually sent by WordPress, change the email address of the admin user in the admin settings.
Currently the email is sent from the info@jagergeveltechniek.nl address.
Change the address to something else in the WordPress admin settings and then see the emails sent.
If the email sent after changing the email address contains the new email address then we can say that your site may be compromised and needs to be checked.
But if the email still contains the old email address, then it will confirm that the emails are not sent by the WordPress website, but that someone has got your client’s email address and is using it to send spam messages, maybe using a marketing tool.
Thanks
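Added example, not part of the original thread and not code from any poster: the bottom-most Received header of the bounced copy shows how the message entered the mail server, and Exim's `esmtpsa` label means the session used TLS and SMTP authentication. The sketch below reads that first hop from the headers quoted above (abridged); the category names and the reading of Exim's `local` label as on-host submission are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string

# Headers copied (abridged) from the bounce quoted in this thread.
SAMPLE = """\
Received: from localhost ([127.0.0.1])
\tby correo1.locatel.es with esmtp (Exim 4.80)
\tid 1akKu8-0003oQ-Mc; Mon, 28 Mar 2016 02:19:36 +0200
Received: from correo1.locatel.es ([127.0.0.1])
\tby localhost (correo1.locatel.es [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id C6sVSnTLhLyC; Mon, 28 Mar 2016 02:19:25 +0200 (CEST)
Received: from [1.240.222.6] (helo=euvkt.org)
\tby correo1.locatel.es with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
\t(Exim 4.80) id 1akKtw-0001ZF-Id; Mon, 28 Mar 2016 02:19:25 +0200
From: <info@jagergeveltechniek.nl>

"""

AUTH_PROTOCOLS = {"esmtpa", "esmtpsa"}  # Exim labels for sessions that used SMTP AUTH

def origin_hop(raw_message):
    """Return IP, HELO name and protocol of the first (bottom-most) Received hop."""
    msg = message_from_string(raw_message)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    if not hops:
        return None
    first = hops[-1]  # each server prepends its header, so the last one is the origin
    from_part = first.split(" by ", 1)[0]
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", from_part)
    helo = re.search(r"helo=([^)\s]+)", from_part)
    proto = re.search(r"\bwith (\S+)", first)
    return {"ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "protocol": proto.group(1).lower() if proto else None}

def classify(hop):
    """Heuristic labels (assumed for this example) for how the mail was submitted."""
    ip, proto = hop["ip"], hop["protocol"]
    remote = ip is not None and not ipaddress.ip_address(ip).is_loopback
    if proto == "local" or (ip is not None and not remote):
        return "on-host"               # script or user on the mail server itself
    if remote and proto in AUTH_PROTOCOLS:
        return "authenticated-remote"  # client logged in with the mailbox credentials
    return "unauthenticated-remote" if remote else "unknown"

if __name__ == "__main__":
    hop = origin_hop(SAMPLE)
    print(hop, classify(hop))
```

For the headers in this thread the result is an authenticated login from 1.240.222.6, which points at the mailbox credentials rather than the WordPress install.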
Thank you for the great help.
I will change the email address in WP-Admin. The client changed his password for the email address so I will check the host for strange scripts as well.
OK, sure.
And yes, you can also take the help of your hosting support to check if the emails are really sent through the server where your website is hosted.
Thanks