Forums » Plugin: Wordfence Security - Firewall, Malware Scan, and Login Security » spam emails originating from index.php ?

  • Resolved p4rker

    (@p4rker)


    Hey,
    thanks for this awesome plugin.
    My host (fatcow) sent me a notification that the index.php file of my wordpress site is at the source of bulk / spam email.
    To my knowledge, there would be no reason to use the index.php file for mailing at all, so I assume it might be hacked.
    A – HIGH SENSITIVITY – Wordfence scan did not detect any modified files, the result of the scan is not showing ANY issues.
    The only modified file I prompted the scan to ignore is the theme’s favico.ico.
    Is my host tripping?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfphil

    (@wfphil)

    Hello,

    Can I ask you to double check please that on the “Options” page that you have enabled the scan option “Scan core files against repository versions for changes”

    If it is not enabled then please enable it and run another scan.

    If it is already enabled can you do the following please:

    1. Email me a copy of the index.php file.
    2. Also forward the email from your hosting provider to me.

    Please add your user forum name to the subject field of the email

    Send to phil [@] wordfence [dot]com

    Thank you.

    Thread Starter p4rker

    (@p4rker)

    Hi Phil,

    after spending quite some time with fatcow’s support staff i figured out that thay had disabled ALL the rights on index.php, so it was – probably – invisible / unreadable to wordfence as well. Personally, I could not even see it using cyberduck ftp anymore.
    through the fatcow ftp file manager I was able to see it (looked unsuspicious to me, and stated it had not been changed for almost 3 years), change all the permissions and – just to make sure (that there was no twist I have ignored) – replaced the entire content with the code of a new file.
    happy to send you my host’s email anyway. thanks!

    Thread Starter p4rker

    (@p4rker)

    PS: I did enable the scan option “Scan core files against repository versions for changes” after I have had a similar issue a couple of weeks ago. At that initial point Wordfence did detect – and fix – a couple of changed files.

    Plugin Support wfphil

    (@wfphil)

    Hello,

    Sorry for the delay in getting back to you. Thank you for sending the communication with your hosting provider.

    Did adding a fresh index.php file solve the problem for you?

    Did the modified file repair that you did after enabling the extra scan setting solve the problem for you?

    If not can you makes sure the following scan options are enabled and run a new scan please:

    Scan public facing site for vulnerabilities
    Scan for publicly accessible configuration, backup, or log files
    Scan for publicly accessible quarantined files
    Scan core files against repository versions for changes
    Scan theme files against repository versions for changes
    Scan plugin files against repository versions for changes
    Scan wp-admin and wp-includes for files not bundled with WordPress
    Scan for signatures of known malicious files
    Scan file contents for backdoors, trojans and suspicious code
    Scan posts for known dangerous URLs and suspicious content
    Scan comments for known dangerous URLs and suspicious content
    Scan for out of date plugins, themes and WordPress versions
    Scan for admin users created outside of WordPress
    Check the strength of passwords
    Scan for unauthorized DNS changes
    Scan files outside your WordPress installation
    Scan images, binary, and other files as if they were executable
    Enable HIGH SENSITIVITY scanning (may give false positives)
    Use low resource scanning (reduces server load by lengthening the scan duration)

    Thread Starter p4rker

    (@p4rker)

    Hi Phil,

    thanks – yes, all options were activated, and in the meantime it got even more weird. While I was hoping / expecting that the fresh index.php would fix it, my host insisted that one particular post would keep on sending bulk email (truthfully I was unable to understand how a post would “send” spam).
    After I deleted the post in question and logged out, WordPress kept on sending me to the install.php script (which I did not run, because I did not want to nuke the install). Bizarrely, everything went back to normal after I downloaded all the contents of the site via cyberduck ftp, without having to run install.php or even changing any of the other files.
    I think the issue is impossible to reproduce at this point (also the responses fatcow is giving me vary strongly, depending on the support team members), and I will just close the thread as “resolved”… Thanks for your help.

    Plugin Support wfphil

    (@wfphil)

    Hello,

    You’re welcome!

    One common cause of the WordPress install page appearing is a corrupt database so you may be able to do a database integrity check in you hosting control panel.

    If you do run into the same issues then please open the topic again and we will be happy to help.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘spam emails originating from index.php ?’ is closed to new replies.