  1. #1
    Join Date
    Apr 2012
    Posts
    174

    spam from my server

    Hello, I installed WordPress on one of my domains and I can see that they are doing spam from my website. I paid a company to check from where and they said:
    {HEX}php.base64.v23au.185 : public_html/wp-content/plugins/akismet/_inc/page23.php
    {HEX}php.cmdshell.unclassed.359 :public_html/wp-content/themes/twentyfourteen/system.php
    {HEX}php.cmdshell.unclassed.359 : public_html/wp-content/themes/bootcake/index.php
    {HEX}php.base64.v23au.185 : public_html/wp-admin/includes/test85.php
    {HEX}php.generic.cav7.410 : public_html/wp-linki.php

    How can I check what they are spamming, and how can this come from an official theme of WordPress? I installed WordPress from Softaculous. What do I need to do to stop this?

  2. #2
    First off, hopefully you didn't pay that company too much for something as trivial as just running a scan, and not actually cleaning the infection as well.

    how can i check what they are spamming
    Check the queue?

    how can this come from an official theme of wordpress
    Just because the spamming script resides in an official theme, doesn't necessarily mean that theme was exploited. Once the attackers exploit any script from your wordpress installation and they upload a shell script of their own they can basically implement scripts anywhere in your account.

    what i need to do to stop this
    Clean the infection, update and keep updated all of your themes, plugins and wordpress core... and last but not least, secure your wordpress: http://codex.wordpress.org/Hardening_WordPress

    Best of luck.

  3. #3
    Join Date
    Apr 2012
    Posts
    174
    Quote Originally Posted by Andei View Post
    First off, hopefully you didn't pay that company too much for something as trivial as just running a scan, and not actually cleaning the infection as well.


    Check the queue?


    Just because the spamming script resides in an official theme, doesn't necessarily mean that theme was exploited. Once the attackers exploit any script from your wordpress installation and they upload a shell script of their own they can basically implement scripts anywhere in your account.


    Clean the infection, update and keep updated all of your themes, plugins and wordpress core... and last but not least, secure your wordpress: http://codex.wordpress.org/Hardening_WordPress

    Best of luck.
    I don't know too much about servers. How can I check the queue?

    Should I install some plugins that can hide that I'm using WordPress?
    Last edited by cenii; 01-11-2016 at 12:39 PM.

  4. #4
    Join Date
    Jul 2005
    Posts
    489
    Quote Originally Posted by cenii View Post
    I don't know too much about servers. How can I check the queue?
    Use cPanel's mail queue manager, see https://documentation.cpanel.net/dis...+Queue+Manager
    From the message headers you will be able to see the abuse script. Also check the mail server logs at /var/log/exim_mainlog and you might be able to find more details.

    should i install some plugins that can hide that im using wordpress?
    http://codex.wordpress.org/Hardening_WordPress will help to some extent.

  5. #5
    Join Date
    Aug 2015
    Location
    Melbourne, Australia
    Posts
    17
    I'd also recommend installing ConfigServer eXploit Scanner as a way of finding any more potential issues with your WordPress sites.
    This will save you having to pay an external company each time you need to run a check.

    ConfigServer eXploit Scanner - configserver.com/cp/cxs.html

    Good Luck!

    Tom

  6. #6
    Join Date
    Feb 2015
    Posts
    571
    In addition to the steps mentioned above,

    1) Immediately reset your control panel and FTP passwords to strong ones. If you are using cpanel, use the password generator option there.

    2) Remove all infected files. If you have a good working copy which is not infected, remove all files from the website and start afresh from the working copy

    3) Set a strong password for your WordPress admin area

    4) Password protect your admin area, so that the hackers will have to crack two passwords to gain access

    5) Restrict access to admin area to your IP Address alone.

    6) Disable/remove unnecessary plugins

  7. #7
    Join Date
    Nov 2014
    Posts
    298
    Hello,

    Since most spamming is not intentional, it's very difficult to go and tell every customer to take care of the themes every time. So it's better to audit your server regularly and inform the respective clients after blocking the spam script file or folder. So from next time onward the client will be more careful while choosing themes or plugins. You can use the following commands to find the spammers:

    >> The script below displays the total count of emails sent and the corresponding directory/location,

    grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n

    >> To find top 5 mail sending user,

    grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5

    >> To find the script path,

    awk '{ if ($0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

    >> To get a sorted list of email senders in the exim mail queue. It will show the number of mails sent by each one,

    exim -bpr | grep "<" | awk {'print $4'} | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n

    Let me know if it helps.
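Added example, not part of the thread or any poster's commands: the per-directory and per-local-user counts from post #7, done in awk by matching the `cwd=` and `U=` fields by name rather than by column position, and run over constructed log lines. The account name `exampleuser`, the host and the message IDs are made up, and the `cwd=` lines assume Exim is logging them as the commands above expect.

```shell
#!/bin/sh
# Added example: triage an Exim main log for script-generated mail.
# All sample data below is constructed; nothing here comes from a real server.

# Count submissions per working directory (the directory of the sending script).
count_mail_by_cwd() {
  awk '
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^cwd=/) {
          dir = substr($i, 5)
          # ignore queue runs started by Exim itself
          if (dir !~ /^\/var\/spool/) n[dir]++
          break
        }
    }
    END { for (d in n) printf "%d %s\n", n[d], d }
  ' | sort -k1,1nr -k2
}

# Count locally submitted messages per system user, taken from the U= field.
count_local_senders() {
  awk '
    / <= / && / P=local/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^U=/) { n[substr($i, 3)]++; break }
    }
    END { for (u in n) printf "%d %s\n", n[u], u }
  ' | sort -k1,1nr -k2
}

# Constructed sample log lines (paths reuse the theme directories named in post #1).
sample_log() {
cat <<'EOF'
2016-01-11 12:00:01 cwd=/home/exampleuser/public_html/wp-content/themes/bootcake 3 args: /usr/sbin/sendmail -t -i
2016-01-11 12:00:02 cwd=/home/exampleuser/public_html/wp-content/themes/bootcake 3 args: /usr/sbin/sendmail -t -i
2016-01-11 12:00:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aIxyz-000001-AB
2016-01-11 12:00:04 cwd=/home/exampleuser/public_html/wp-admin/includes 3 args: /usr/sbin/sendmail -t -i
2016-01-11 12:00:05 1aIxyz-000002-CD <= exampleuser@host.example U=exampleuser P=local S=812
2016-01-11 12:00:06 cwd=/home/exampleuser/public_html/wp-content/themes/bootcake 3 args: /usr/sbin/sendmail -t -i
EOF
}

sample_log | count_mail_by_cwd
sample_log | count_local_senders
```

On a live server, feed the functions the real log instead of the sample, for example `count_mail_by_cwd < /var/log/exim_mainlog`.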
