Support » Fixing WordPress » Real post-5.2 “technical issue” email, or scam?

  • OsakaWebbie

    (@osakawebbie)


    I received an email that looked legit (as far as I can tell it even really came from my server), but I’m concerned that foul play is involved.

    It looks like emails others have been getting since version 5.2 when a plugin throws an error:

    Howdy!

    Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.

    In this case, WordPress caught an error with one of your plugins, 3D FlipBook – Light Edition.

    It continued with reasonable advice, like checking the front-end and back-end. Indeed I was getting a PHP fatal error when I tried to access either. The email went on to say:

    If your site appears broken and you can’t access your dashboard normally, WordPress now has a special “recovery mode”. This lets you safely login to your dashboard and investigate further.

    https://land.buyittraffic.com/click?/wp-login_php&action=enter_recovery_mode&rm_token=5BfZRVYe2hhkapSKQcqW3w&rm_key=ystIma0Me1XIHV36wtPdbx

    To keep your site safe, this link will expire in 1 day. Don’t worry about that, though: a new link will be emailed to you if the error occurs again after it expires.

    Notice the link: “land.buyittraffic.com”???! Unfortunately I clicked on it before I noticed the weird domain, and I was redirected to someplace strange (https://actraffic.com/?p=gzqwiztegm5gi3bpha2dg&sub1=Ayaana&sub2=tony.v2). I quickly closed the tab. Sometime in this process (I can’t remember the exact order of actions), I connected via FTP and renamed the folder of the plugin that was originally throwing an error. But then WordPress attempted to run and send me to my home page, but it was sent through a series of redirects and eventually to a very similar page, and that time Avast announced that it had blocked a threat and aborted a connection to scripts.trasnaltemyrecords.com because it was infected with JS:Downloader-GGQ [Trj]. At that point I completely replaced my index.php with a message to my visitors and will attempt to restore an old version of my site from backup tomorrow.

    I can’t find anyone else reporting that WordPress 5.2 “technical issue” email as being malware, but that link sure looks strange – did I screw up my site worse by clicking on it?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Steve Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    That sure reads like the legit message. I suspect your site may have been hacked. Try submitting it at sitecheck.sucuri.net for a quick, external look at what may be happening.

    What do do?

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter OsakaWebbie

    (@osakawebbie)

    Do the legit messages have a recovery mode link that is on a random mystery domain like buyittraffic.com? I would expect such a link to be on the same domain as the site with the error.

    Moderator Steve Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    Well, if your site has been hacked, it’s all up for grabs.

    Thread Starter OsakaWebbie

    (@osakawebbie)

    I understand that. But you said the email looked legit, so I was curious what sort of link shows up in that part of the email for normal un-hacked sites.

    As for checking the site with something like Sucuri, I assume I would have to re-enable index.php, which I’m not sure I want to do, because I don’t want it to infect innocent visitors. (My site is extremely quiet, so I might not actually get any real visitors in a short time, but if I did, I wouldn’t want them to get hurt.)

    Tomorrow (I don’t have time tonight) I’ll try spinning up a two-week-old server backup and restoring the site files from that – there were no changes to the site in that time (except perhaps automatic updates, which I could just redo). I’ll move the infected set of files somewhere safer to do forensics.

    Moderator Steve Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    Here’s one I got from one of the sites I maintain:

    owdy!
    
    Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.
    
    In this case, WordPress caught an error with one of your plugins, BackWPup.
    
    First, visit your website (https://example.com/) and check for any visible issues. Next, visit the page where the error was caught (https://example.com/wp-admin/update-core.php) and check for any visible issues.
    
    Please contact your host for assistance with investigating this issue further.
    
    If your site appears broken and you can't access your dashboard normally, WordPress now has a special "recovery mode". This lets you safely login to your dashboard and investigate further.
    
    https://example.com/wp-login.php?action=enter_recovery_mode&rm_token=xxx&rm_key=xxx
    
    To keep your site safe, this link will expire in 1 day. Don't worry about that, though: a new link will be emailed to you if the error occurs again after it expires.
    
    Error Details
    =============
    An error of type E_ERROR was caused in line 27 of the file /home/xxx/example.com/wp-content/plugins/backwpup/inc/Notice/PromoterUpdater.php. Error message: Uncaught Error: Call to undefined function Inpsyde\BackWPup\Notice\json_last_error() in /home/xxx/example.com/wp-content/plugins/backwpup/inc/Notice/PromoterUpdater.php:27
    Stack trace:
    #0 /home/xxx/example.com/wp-content/plugins/backwpup/backwpup.php(113): Inpsyde\BackWPup\Notice\PromoterUpdater->update()
    #1 /home/xxx/example.com/wp-includes/class-wp-hook.php(288): BackWPup->{closure}(Object(stdClass))
    #2 /home/xxx/example.com/wp-includes/plugin.php(208): WP_Hook->apply_filters(Object(stdClass), Array)
    #3 /home/xxx/example.com/wp-includes/option.php(1815): apply_filters('pre_set_site_tr...', Object(stdClass), 'update_plugins')
    #4 /home/xxx/example.com/wp-includes/update.php(332): set_site_transient('update_plugins', Object(stdClass))
    #5 /home/xxx/example.com/wp-includes/class-wp-hook.php(286): wp_update_plugins('')
    #6 /home/xxx/example.com/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters('', Array)
    #7 /ho
    hackrepair

    (@hackrepair)

    While doing research for other clients with a similar hacking situation, I stumbled onto this discussion today.

    Sorry, but to put it simply, your site has been hacked and hackers added the redirect to your code. This will need to be cleaned and secured by someone to remedy the actual issue (hacker code removal).

    Has no relation to WordPress versions, et al.

    • This reply was modified 2 years ago by hackrepair.
    gmex1292

    (@gmex1292)

    I had a similar hack. I had infected files but most prominently it was a change in my site URL in WP_options and every single page/post had injected javascript in it.

    If you can, go into PhpMyAdmin and run the query:
    SELECT * FROM wp_posts WHERE post_content like ‘%land.buy%’

    …and see how many posts may have been affected. Then you can run a query to clean it up but you may have to understand how that happened in the first place: outdated plugins, wordpress etc.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Real post-5.2 “technical issue” email, or scam?’ is closed to new replies.