New exploit? sma.php sending spam emails

  • URGENT HELP needed – new exploit?
    Hi there,

    on Monday our webhosting ISP had notified me that spam was being sent from our WP site using a php script named sma.php. This script seems to contain a compressed and binary encoded phpmailer.

    What I did:
    – We were using WP 4.5.1 at that time. So I upgraded to 4.5.2 and also upgraded all plugins.
    – Deleted sma.php (it was in the root of the WP site)
    – changed FTP passwords

    Our Plugins we use (all latest version):
    – Akismet
    – Contact Form Builder
    – NextGen Gallery
    – TinyMCE Advanced
    – WOW Slider

    PROBLEM:
    – Today I checked again via FTP and noticed that sma.php had reappeared again – it was created yesterday afternoon.

    HELP URGENTLY NEEDED:
    What else can I do ?
    (I can provide a copy of the sma.php)

    This is what the beginning of the sma.php looks like:
    <? eval(gzuncompress(base64_decode('eNrtfW1727a…….

    This was an email header of one of the spam mails:

    Received: by ourISPsmtpserver (Postfix, from userid 10028)
    id 0F181E83F4; Tue, 17 May 2016 19:32:47 +0200 (CEST)
    To: hookup@resume.freemegaspace.com
    Subject: RE:Hi.. h a y today it is my photos!!!
    X-PHP-Originating-Script: 10028:sma.php(1) : eval()'d code
    Date: Tue, 17 May 2016 19:32:47 +0200
    From: Nadezhda <Drasticplasticrecords.Fountas@europe.com>
    Message-ID: <638e453905cf44cad746abc450083f17@meinke-gmbh.de>
    X-Priority: 3
    X-Mailer: PHPMailer 5.2.2 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="b1_638e453905cf44cad746abc450083f17"

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    > HELP URGENTLY NEEDED:
    > What else can I do ?
    > (I can provide a copy of the sma.php)

    A copy isn’t necessary. Your site is compromised.

    Please remain calm and carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thanks Jan,
    I have already been working with those guides, but I did not find a possible attack entry point yet.
    We are running multiple WP sites on one web server and only one WP site has been affected so far. All our WP sites run pretty much the same setup with the same plugins, strong username/password combinations etc.

    For the affected site however the difference is we are using the theme Silvia (https://de.wordpress.org/themes/silvia/). So I am beginning to wonder if that Silvia theme could have a vulnerability that is being exploited.

    I will now also enable some additional logging on the web server and hopefully catch some hints as to how this sma.php gets dropped.

    Hi,
    I had the same problem: an “sma.php” mysteriously created on the root directory of my personal website, with the same content – an encoded spamming phpmailer. I deleted it with ftp, but it reappeared one week later!
    BUT… I am not using WordPress at all on this site. It is 100% hand-coded in html and php, with no CMS! (I use phpmyadmin, though)
    So this is not a WordPress problem.
    However… it is a serious problem. Any clue ?

    @serdj

    The file might not be connected to a single type of hack, so trying to determine how the website was hacked by looking at other websites that had the same file placed on them might not help much.

    One starting place to try to determine how it got on there is to review any log files that are available, most often that would be logs of HTTP and/or FTP activity, to see if they show any evidence of the cause.
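
One way to start the log review suggested in the last reply, as an added example that is not part of the thread: it lists every request to the dropped script and the successful POST/PUT requests to other paths in the minutes before the file appeared. The log lines, IPs, the `/wp-content/uploads/x.php` path and the `parse`/`triage` helpers are constructed for illustration and assume Apache/nginx "combined" log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" format; IPs and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2016:15:02:11 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [17/May/2016:15:41:05 +0200] "POST /wp-content/uploads/x.php HTTP/1.1" 200 12 "-" "-"
198.51.100.23 - - [17/May/2016:15:41:09 +0200] "GET /sma.php HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [17/May/2016:16:30:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [17/May/2016:19:32:47 +0200] "POST /sma.php HTTP/1.1" 200 45 "-" "-"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(log_text, dropped="/sma.php", created=None, window_min=10):
    """created: timezone-aware creation time of the file (e.g. from the FTP
    listing); if omitted, the first logged request to the file is used instead."""
    recs = [r for r in map(parse, log_text.splitlines()) if r]
    uses = [r for r in recs if r["path"].split("?")[0] == dropped]
    if created is None:
        if not uses:
            return {"created": None, "uses": [], "suspects": []}
        created = min(r["ts"] for r in uses)
    start = created - timedelta(minutes=window_min)
    # Requests that can write data, succeeded, and landed just before the file appeared.
    suspects = [r for r in recs
                if r["method"] in ("POST", "PUT")
                and r["status"][0] in "23"
                and r["path"].split("?")[0] != dropped
                and start <= r["ts"] <= created]
    return {"created": created, "uses": uses, "suspects": suspects}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for r in result["suspects"]:
        print("before file appeared:", r["ts"].isoformat(), r["ip"], r["method"], r["path"])
    for r in result["uses"]:
        print("request to dropped file:", r["ts"].isoformat(), r["ip"], r["method"])
```

The requests it returns are candidates to inspect by hand, not proof of the entry point; FTP logs for the same window need the same check.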

  • The topic ‘New exploit? sma.php sending spam emails’ is closed to new replies.