Support » Everything else WordPress » Signs of an ongoing WP attack?

  • Hi,

    Since this morning I started receiving some strange emails in my inbox.

    They come from contacts, and are being sent to several contacts each, using a visible carbon copy.

    The content of the email is a single link, to an “html” file, hosted in the wp-content folder.

    I think this could indicate some kind of attack on WP spreading spam via email.

    Has anyone else got this strange email with only one link?

    Some example routes for the links are:

    /wp-content/themes/threelittlecherries/trfsf.html?dehj=ry.htm&rty=yl.gif&sgc=kzrh
    /wp-content/themes/InStyle/gmjre.html?tuj=pk.jpg&adf=yl.jpeg&egc=lgoh
    /wp-content/themes/extreme-typewriter/rofmd.html?cvb=vvb.msg&adf=fe.txt&yyl=dcjq
Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    You mean people in your contacts list are sending this email?

    Exactly,

    I got another 2 today.

    I get the email from contacts, sent to many people via CC.

    The links always point to a wp-content/

    Today’s is:

    /wp-content/themes/graphene/tifle.html?nh=vw.jieg&ohsy=mkv.we&mbn=kpdr

    The email has (no subject) and the domain for each link is always different, which makes me think about a massive amount of sites hacked.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    Unless they all happen to have WordPress sites…

    You can check their domains at sitecheck.sucuri.net

    They are all running on WP sites, maybe this is related to the timthumb vulnerability?

    I am also getting these mails from a friend of mine, seems like his hotmail account has been hacked. The links in the mails are all clean according to sitecheck.sucuri.net. Doesn’t really make sense, does it?

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    Unlikely to be related to TimThumb. I mean, yes, possible, but…

    If hotmail’s being used, it’s … well, I’d say ‘impossible’ but anything’s possible. Reeeeealy unlikely, unless you have the same passwords 😉

    See, if it wasn’t hotmail, I’d say ‘It’s a hack that uses WP to send the emails.’

    That it IS hotmail and that I KNOW you can’t do it that way makes it super weird.
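
A log check a site owner could run to see whether their own install is serving files shaped like the links quoted in this thread. This is an added example, not code from any poster: the pattern is inferred only from the four quoted paths, and the log lines (Apache combined format, documentation IP addresses) are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shape shared by the four paths quoted in the thread (an inference from
# those samples, not a published signature): a short lowercase .html file
# directly inside a theme directory, requested with three short-named
# query parameters.
THEME_HTML = re.compile(r"^/wp-content/themes/([^/]+)/([a-z]{4,6})\.html$")
SHORT_KEY = re.compile(r"^[a-z]{2,4}$")
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def matches_thread_pattern(target):
    """Return (theme, filename) if the request target has that shape."""
    parts = urlsplit(target)
    m = THEME_HTML.match(parts.path)
    if not m:
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) != 3 or not all(SHORT_KEY.match(k) for k, _ in params):
        return None
    return m.group(1), m.group(2) + ".html"


def scan_access_log(lines):
    """Count matching requests per (theme, filename) in access-log lines."""
    hits = {}
    for line in lines:
        req = REQUEST.search(line)
        hit = matches_thread_pattern(req.group(1)) if req else None
        if hit:
            hits[hit] = hits.get(hit, 0) + 1
    return hits


# Constructed log lines: two paths from the thread plus ordinary requests.
_FMT = '{} - - [01/Jan/2000:00:00:00 +0000] "GET {} HTTP/1.1" 200 512 "-" "-"'
SAMPLE_LOG = [_FMT.format(ip, path) for ip, path in [
    ("192.0.2.10", "/wp-content/themes/graphene/tifle.html?nh=vw.jieg&ohsy=mkv.we&mbn=kpdr"),
    ("198.51.100.7", "/wp-content/themes/graphene/tifle.html?nh=vw.jieg&ohsy=mkv.we&mbn=kpdr"),
    ("192.0.2.44", "/wp-content/themes/InStyle/gmjre.html?tuj=pk.jpg&adf=yl.jpeg&egc=lgoh"),
    ("192.0.2.10", "/wp-content/themes/graphene/style.css?ver=1.0"),
    ("192.0.2.10", "/wp-content/themes/graphene/index.html"),
    ("203.0.113.5", "/wp-login.php"),
]]

if __name__ == "__main__":
    for (theme, name), count in scan_access_log(SAMPLE_LOG).items():
        print(f"{count:3d} request(s) for {name} in theme {theme}")
```

Any file a hit names is worth comparing against a clean copy of the theme, since stock themes do not normally ship stray HTML pages alongside their PHP templates.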

  • The topic ‘Signs of an ongoing WP attack?’ is closed to new replies.