My Site Exploited by Spammers

  • Resolved Mangoma

    (@mangoma)


    Hi all,

    I have a WordPress 4.1 website, hosted on a Plesk Windows server (one of around 100). All plugins are up to date, as is the theme.

    As of today, my postmaster account started getting bombarded with delivery failure messages. I managed to track this down to this particular WordPress Website.

    I sniffed around and found a bunch of PHP files across the whole folder structure containing script like this:

    [ Malware redacted ]

    I found some information about this exploit here:

    http://somewebgeek.com/2014/wordpress-remote-code-execution-base64_decode/

    But I don’t understand how it has happened?
    Also – I have deleted all of the PHP files from the vhost and SPAM continues to be sent.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

  • Mangoma

    (@mangoma)

    Hey James,

    Thanks for the post. I’m happy to say that I identified the particular issue. An outdated version of the RevSlider plugin led to the site getting hit by the SoakSoak exploit.

    Alas, the only way to be certain that I had eradicated it was to delete the entire WordPress folder – excepting the wp-config.php file and the /wp-content/ folder, which I checked manually – and replace them with a fresh download. I then manually installed the latest RevSlider.js and the site is back up and running.

    Unfortunately, this has broken the admin section with errors like:

    WordPress database error Multiple primary key defined for query ALTER TABLE 29Br3Tq7_revslider_sliders ADD PRIMARY KEY (id) made by require_once

    Deleting the RevSlider plugin immediately restores functionality, replacing it brings back the above error.

    I think I’m just going to rebuild the site from scratch – very annoying as there was no update notification for this plugin.

    Bob
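An added example, not part of the original thread: a small triage script for the manual check of /wp-content/ described in the post above. It flags PHP files with decode-and-execute constructs and any PHP file under an uploads directory; the pattern names, heuristics and sample files are assumptions constructed for illustration, and a clean result does not replace reinstalling from a fresh download.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumed, not signatures taken from the thread).
PATTERNS = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(rb"['\"][A-Za-z0-9+/]{400,}={0,2}['\"]"),
}
PHP_SUFFIXES = {".php", ".php5", ".phtml"}

def scan(root):
    """Return {relative_path: [reasons]} for suspicious PHP files under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        reasons = [name for name, rx in PATTERNS.items() if rx.search(data)]
        # uploads/ should hold media only, so any PHP there deserves a look.
        if "/uploads/" in f"/{rel}":
            reasons.append("php-in-uploads")
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Scan a constructed tree; the payload is inert (decodes to 'echo 1;')."""
    samples = {
        "wp-content/themes/x/functions.php": b"<?php add_action('init', 'x_setup');",
        "wp-content/uploads/2014/12/cache.php": b"<?php echo 'hi';",
        "wp-content/plugins/y/inc.php": b'<?php eval(base64_decode("ZWNobyAxOw=="));',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan(tmp)

if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Legitimate plugins sometimes contain long encoded strings, so treat each hit as a file to review or to compare against a fresh copy of the same plugin or theme version.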

  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Before you rebuild everything, you might want to contact their support.

    Since it is a commercial plugin, please go to their official support channel. In order to be good stewards of the WordPress community, and encourage innovation and progress, we feel it’s important to direct people to those official locations.

    http://themepunch.ticksy.com/

    Forum volunteers are also not given access to commercial products, so they would not know why your commercial plugin is not working properly. This is one other reason why volunteers forward you to the commercial product’s vendors. The vendors are responsible for supporting their commercial product.

  • Mangoma

    (@mangoma)

    Hey James,

    Many thanks! I’ve contacted them and we’ll see what they say!

    Bob

  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    You’re welcome!

  • The topic ‘My Site Exploited by Spammers’ is closed to new replies.