• Hello. New here. I’ve searched everywhere but couldn’t find anything on the subject. My site has been hacked. Extra content was created (not from the CMS, but there were folders created on my root directory that contained extra pages). Also, lots of spam emails bounce back to me since they are sent to nonexistent usernames with my site’s domain: fakeuser@mywebsite.com

    I’ve deleted the whole thing, exported the posts/pages/etc. and imported them back to a fresh install of WP. Ran Avast to check if any files were compromised. Installed fresh plugins and everything. Added extra code to .htaccess on root, wp-includes and uploads.

    Today I don’t have any extra content, WordFence didn’t throw any warnings but I keep getting the bounced emails. Hosting support replied this:

    So I have traced the script that is generating the spam emails and it is the below script:
    /var/www/vhosts/site.com/httpdocs/wp-includes/SimplePie/Cache.php

    Yourself or your developer will need to edit/delete the file to stop your server sending spam.

    Anybody faced this problem before? Thanks
    WORDFENCE warning
    Your DNS records have changed

    Old DNS records: false
    New DNS records: site.com points to 217.xxx.46
    Severity: Warning
    Status New

    We have detected a change in the A records of your DNS configuration that may affect the domain site.com. An A record is a record in DNS that points a domain name to an IP address. A change in your DNS records may indicate that a hacker has hacked into your DNS administration system and has pointed your email or website to their own server for malicious purposes. It could also indicate that your domain has expired. If you made this change yourself you can mark it ‘resolved’ and safely ignore it.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter nurit.lerner

    (@nuritlerner)

    More Data: Wordfence gave me this warning:

    Your DNS records have changed

    Old DNS records: false
    New DNS records: site.com points to 217.xxx.xxx.46
    Severity: Warning
    Status New

    We have detected a change in the A records of your DNS configuration that may affect the domain summitandblue.com. An A record is a record in DNS that points a domain name to an IP address. A change in your DNS records may indicate that a hacker has hacked into your DNS administration system and has pointed your email or website to their own server for malicious purposes. It could also indicate that your domain has expired. If you made this change yourself you can mark it ‘resolved’ and safely ignore it.

    Hello,
    I have the same problem right now and my hosting support told me to change file permissions from 777 to 755 on the FTP server.
    If you solved this problem maybe you can enlighten me?

    Thread Starter nurit.lerner

    (@nuritlerner)

    So all file permissions should be 777?
    What I did at the end with that website was to make a clean install, block access to the wp-admin folder and install WordFence. No problems reported since then. I try to keep it as upgraded as possible (WordFence sends me emails every time a plugin is out-of-date).
    I don’t know if this is what made the difference or the clean install did. But for now, all is good.

    I used every single security tutorial I could find online.
    On the wp-config I added this code:

    putenv('TMPDIR=' . ini_get('upload_tmp_dir'));
    define('FS_CHMOD_DIR', (0755 & ~ umask()));
    define('FS_CHMOD_FILE', (0644 & ~ umask()));
    define('AUTOSAVE_INTERVAL', 120);
    define('WP_POST_REVISIONS', 5);
    define('EMPTY_TRASH_DAYS', 7 );
    define('DISALLOW_FILE_EDIT', true);

    To the htaccess I added this at the end:

    # END WordPress
    
    # Disable directory browsing
    Options All -Indexes
    
    # Disable access to all file types except the following
    <Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
    Allow from all
    </Files>
    
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    <files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </files>
    <FilesMatch "\.(ttf|otf|eot|woff)$">
      <IfModule mod_headers.c>
        Header set Access-Control-Allow-Origin "*"
      </IfModule>
    </FilesMatch>
    # Block wp-includes folder and files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    I added another .htaccess onto the wp-content folder with this:

    # Disable access to all file types except the following
    Order deny,allow
    Deny from all
    <Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar|ttf|otf|eot|woff)$">
    Allow from all
    </Files>

    And another onto wp-includes folder:

    <Files *.php>
    deny from all
    </Files>
  • The topic ‘Spam emails coming from SImplePie plugin’ is closed to new replies.
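
Added example, not part of the thread or any poster's code: a shell check for the symptoms described above (a core file such as wp-includes/SimplePie/Cache.php altered, extra folders in the site root, 777 permissions) that compares a live tree against a pristine copy of the same WordPress release. The function names, the sample trees and the file name class-x1.php are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Compares a live WordPress tree with a
# pristine copy of the same release; both paths are supplied by the caller.
# Findings, one per line:
#   MODIFIED <path>        core file whose content differs from the pristine copy
#   UNEXPECTED <path>      core-directory file or top-level entry not in that copy
#   WORLD-WRITABLE <path>  writable by "other", e.g. mode 777
audit_core() {
    live=$1
    pristine=$(cd "$2" && pwd) || return 1
    (
        cd "$live" || exit 1
        # wp-content is skipped: themes, plugins and uploads are site-specific.
        find wp-includes wp-admin -type f 2>/dev/null | sort |
        while IFS= read -r f; do
            if [ ! -e "$pristine/$f" ]; then echo "UNEXPECTED $f"
            elif ! cmp -s "$f" "$pristine/$f"; then echo "MODIFIED $f"
            fi
        done
        for e in *; do
            case $e in wp-content|wp-config.php) continue ;; esac
            if [ -e "$e" ] && [ ! -e "$pristine/$e" ]; then echo "UNEXPECTED $e"; fi
        done
        find . -perm -0002 ! -type l | sed 's|^\./||' | sort |
        while IFS= read -r p; do echo "WORLD-WRITABLE $p"; done
    )
}

# Constructed sample trees (all file contents are placeholders).
make_sample() {
    umask 022
    root=$(mktemp -d)
    for t in pristine live; do
        mkdir -p "$root/$t/wp-includes/SimplePie" "$root/$t/wp-admin"
        echo '<?php // cache class' > "$root/$t/wp-includes/SimplePie/Cache.php"
        echo '<?php // admin' > "$root/$t/wp-admin/index.php"
        echo '<?php // front controller' > "$root/$t/index.php"
    done
    echo '// appended (constructed)' >> "$root/live/wp-includes/SimplePie/Cache.php"
    echo '<?php // dropped' > "$root/live/wp-includes/class-x1.php"
    mkdir "$root/live/extra-pages" && chmod 777 "$root/live/extra-pages"
    echo "$root"
}

sample=$(make_sample)
audit_core "$sample/live" "$sample/pristine"
rm -rf "$sample"
```

On a real site the pristine tree is an unpacked archive of the same WordPress release; WP-CLI's `wp core verify-checksums` does the content comparison against the published checksums.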