Support » Fixing WordPress » Am I being hacked?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Hi,

    Can you please post the link to the site which you think is hacked?

    Thanks

    Thread Starter Hindrik

    (@hindrik)

    Oops, didn’t mention it. The website is http://jagergeveltechniek.nl/

    Hi,

    No, your website is not hacked or compromised. It is fine.

    Thanks

    Thread Starter Hindrik

    (@hindrik)

    Thank you for looking. On what do you base this? Are the codes mentioned by Exploit Scanner nothing to worry about?

    The thing is, the client reported that spam mail is being sent from their email address. The strange thing is that they do not have their email account configured in any mail program; they only log in through webmail. I just do not know where to start looking. Maybe it is better just to clean the whole database and host, and install everything again.

    Hi,

    You can check whether the website is hacked or not at the link below.

    https://sitecheck.sucuri.net//

    Also, spam email being sent from the client's email address does not mean your website is hacked.

    There are a lot of things to be checked here.

    1) Are the emails sent by WordPress?

    2) Anyone can get an email address of a person from a forum, website etc.

    3) The codes mentioned by the Exploit Scanner only tell you that the functions used there have alternative functions, as most of the PHP functions will get deprecated in the next version of PHP.

    4) What types of emails are sent? What is the content of the email? Can you provide one example email content?

    Thanks

    Thread Starter Hindrik

    (@hindrik)

    ---------- Doorgestuurd bericht ----------
    Van: Mail Delivery System <Mailer-Daemon@locatel.biz>
    Datum: 28 maart 2016 03:33:53 +02:00
    Onderwerp: Mail delivery failed: returning message to sender
    Aan: info@jagergeveltechniek.nl
    
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
    w.konjanan@railinfraopleidingen.nl
    SMTP error from remote mail server after end of data:
    host nospam02.detron.nl [84.41.128.243]: 550 A URL in this email (vestelkonyaservisi . com) is listed on https://spamrl.com/. Please resolve and retry
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <info@jagergeveltechniek.nl>
    Received: from localhost ([127.0.0.1])
    by correo1.locatel.es with esmtp (Exim 4.80)
    (envelope-from <info@jagergeveltechniek.nl>)
    id 1akKu8-0003oQ-Mc; Mon, 28 Mar 2016 02:19:36 +0200
    X-Virus-Scanned: amavisd-new at locatel.biz
    Received: from correo1.locatel.es ([127.0.0.1])
    by localhost (correo1.locatel.es [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id C6sVSnTLhLyC; Mon, 28 Mar 2016 02:19:25 +0200 (CEST)
    Received: from [1.240.222.6] (helo=euvkt.org)
    by correo1.locatel.es with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
    (Exim 4.80)
    (envelope-from <info@jagergeveltechniek.nl>)
    id 1akKtw-0001ZF-Id; Mon, 28 Mar 2016 02:19:25 +0200
    From: <info@jagergeveltechniek.nl>
    To: "viadennis.nl" <info@viadennis.nl>, "vinseubring" <vinseubring@live.nl>,
    "w.konjanan" <w.konjanan@b-t-c.nl>, "w.konjanan"
    <w.konjanan@railinfraopleidingen.nl>, "w.vandenberg"
    <w.vandenberg@bamutiliteitsbouw.nl>
    Subject: Fw: new important message
    Date: Mon, 28 Mar 2016 03:19:18 +0300
    Message-ID: <000076e8fd89$c93916e9$68ba4ac0$@jagergeveltechniek.nl>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0001_2D06967E.72B26C7A"
    X-Mailer: Microsoft Outlook 15.0
    Thread-Index: AdF8SoWYzu+qyjqeIul5kDGYkR91GQ==
    Content-Language: en-us
    
    This is a multipart message in MIME format.
    
    ------=_NextPart_000_0001_2D06967E.72B26C7A
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    
    Hello!
    
    New message, please read <http://vestelkonyaservisi.com/cousin.php?m2od3>
    
    info@jagergeveltechniek.nl
    
    ------=_NextPart_000_0001_2D06967E.72B26C7A--

    Hi,

    This email is not sent by WordPress.

    To confirm whether the emails are actually sent by WordPress, change the email address of the admin user in the admin settings.

    Currently the email is sent from the info@jagergeveltechniek.nl address.

    Change the address to something else in the WordPress admin settings and then see the emails sent.

    If the email sent after changing the email address contains the new email address then we can say that your site may be compromised and needs to be checked.

    But if the email still contains the old email address, then it will confirm that the emails are not sent by the WordPress website, but that someone has got your client’s email address and is using it to send spam messages, maybe using a marketing tool.

    Thanks

    Thread Starter Hindrik

    (@hindrik)

    Thank you for the great help.
    I will change the email address in WP-Admin.

    The client changed his password for the email address so I will check the host for strange scripts as well.

    OK, sure.

    And yes, you can also take the help of your hosting support to check whether the emails are really sent through the server where your website is hosted.

    Thanks
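
Added example, not part of the original thread: the bounce quoted above already records how the message entered the mail server, so whether it came from a script on the host or from an SMTP login can be read from its Received headers. The helper name `classify_origin` and the `PATHS` labels are hypothetical; `esmtpsa` and `local` are protocol tokens Exim writes into the Received line.

```python
import re
from email import message_from_string

# Received and X-Mailer headers abridged from the bounce quoted in this thread
# (continuation lines re-indented so they parse as folded headers).
BOUNCE_HEADERS = """\
Received: from localhost ([127.0.0.1])
 by correo1.locatel.es with esmtp (Exim 4.80)
 id 1akKu8-0003oQ-Mc; Mon, 28 Mar 2016 02:19:36 +0200
Received: from correo1.locatel.es ([127.0.0.1])
 by localhost (correo1.locatel.es [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id C6sVSnTLhLyC; Mon, 28 Mar 2016 02:19:25 +0200 (CEST)
Received: from [1.240.222.6] (helo=euvkt.org)
 by correo1.locatel.es with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
 (Exim 4.80)
 id 1akKtw-0001ZF-Id; Mon, 28 Mar 2016 02:19:25 +0200
X-Mailer: Microsoft Outlook 15.0
"""

HOP = re.compile(
    r"from\s+(?P<src>.+?)\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\w+)",
    re.S | re.I)

# Exim protocol tokens: "local" = handed over by a process on the mail host
# (e.g. PHP mail()); a trailing "a" (RFC 3848) = the client authenticated.
PATHS = {"local": "local-submission",
         "esmtpa": "authenticated-smtp",
         "esmtpsa": "authenticated-smtp"}

def classify_origin(raw_headers, trusted_host):
    """Hypothetical helper: how did the message first reach trusted_host?"""
    msg = message_from_string(raw_headers)
    result = {"path": "unknown", "protocol": None, "source_ip": None,
              "x_mailer": msg.get("X-Mailer")}
    # Received headers are prepended, so the bottom-most hop stamped by our
    # own server is where the message entered it. Sender-supplied hops can be
    # forged, so confirm the result against the server's own mail log.
    for hop in reversed(msg.get_all("Received") or []):
        m = HOP.search(hop)
        if m and m.group("by").lower() == trusted_host.lower():
            proto = m.group("proto").lower()
            ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", m.group("src"))
            result.update(path=PATHS.get(proto, "unauthenticated-smtp"),
                          protocol=proto,
                          source_ip=ip.group(1) if ip else None)
            break
    return result

if __name__ == "__main__":
    print(classify_origin(BOUNCE_HEADERS, "correo1.locatel.es"))
```

For the bounce in this thread the entry hop is an authenticated SMTP login from 1.240.222.6, which points at use of the mailbox credentials rather than a script on the web host.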

  • The topic ‘Am I being hacked?’ is closed to new replies.