• One of the accounts on a server I help manage is sending spam. From the email headers, I am able to see that it is coming from one WordPress site in particular. This is a photo blog about horses and I know they aren't personally sending out tons of mail informing people they are lotto winners. But I'm not sure what the next step is.
    I don't have access to their dashboard but I do have root access on the server. I looked for suspicious files but didn't look at every single php file. Does anyone have any suggestions on where I should look or something I should grep for? Are there any command line tools or outside-the-server scanners that might help me pinpoint and stop the spam?

    Thanks
    kd

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Link please? A WordPress installation wouldn’t send out spam unless it was hacked or you intentionally are doing it.

    Since you're asking for help, I think we can cross off the intentional part from the list.

    Thread Starter kdelayed

    (@kdelayed)

    Oops, it's not the horse photo blog, it's the wedding photo blog:

    https://www.photographybybilal.com/

    However, I still know they are not sending this spam on purpose. I'm assuming it was hacked. I've run the site through some online site scanners like urlvoid and sucuri.net but both say the site is clean. I've been manually looking at .php files for suspicious code in the site's home directory but that's not efficient and I don't even know if I'd know a malicious script if I saw it.

    This may be unrelated or taking off on a tangent, but in my googling on this issue, I came across info about the timthumb exploit. (https://www.exploit-db.com/wordpress-timthumb-exploitation/). I ran the suggested find command on this specific site's directory:
    find . -name '*.php' -print0 | xargs -0 grep -ls timthumb
    and didn't find anything. But when I moved up to the /home directory, I found 3 other sites with timthumb. Running those 3 through sucuri.net confirmed they contained infected code. I deleted the infected images and changed the permissions on the upload directory so no one can use it. I don't know if this could be related to the fact that a different site on the server is sending spam or a separate problem.

    Also, are there more tools/scanners/scripts/whatever that can be run on all the directories on the server to check for issues or am I mostly limited to going through each site one at a time?
    I did write a little bash script that lists the directory and version of WordPress (and am quite proud of myself too) but this is not really my thing and I would imagine it's a common need, but brief searching didn't find anything.

    kd
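The server-wide inventory and triage the thread starter asks about, written up as an added example (not code from the thread or from WordPress). It generalises the "list directory and version" script to three checks over every site under one root: WordPress installs with their version, PHP files sitting in wp-content/uploads (where WordPress itself never writes PHP, and where the timthumb cases above lived), and PHP files carrying classic obfuscation markers. The directory layout and file contents in build_sample_tree are constructed for the demo; the root path (/home on the poster's server) is an assumption.

```shell
#!/bin/sh
# Added example: WordPress inventory and triage across a hosting root.
# Assumes every site lives somewhere under ROOT (e.g. /home); POSIX sh.

# Print "install_dir<TAB>version" for each WordPress install under $1.
# WordPress records its version in wp-includes/version.php as $wp_version = '...';
list_wp_installs() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r vfile; do
        dir=${vfile%/wp-includes/version.php}
        ver=$(sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$vfile")
        printf '%s\t%s\n' "$dir" "${ver:-unknown}"
    done
}

# PHP files under wp-content/uploads. Core WordPress never writes .php there,
# so every hit deserves a manual look.
php_in_uploads() {
    find "$1" -type f -path '*/wp-content/uploads/*' -name '*.php' 2>/dev/null
}

# PHP files containing eval() of a decoded blob. Some legitimate plugins use
# base64_decode too, so this is a review list, not a verdict.
obfuscated_php() {
    find "$1" -type f -name '*.php' -print0 2>/dev/null |
    xargs -0 grep -lE 'eval *\( *(base64_decode|gzinflate|str_rot13)' 2>/dev/null
}

# Constructed sample tree (one install, one planted file) so the demo runs offline.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site1/public_html/wp-includes" \
             "$root/site1/public_html/wp-content/uploads/2012"
    printf "<?php\n\$wp_version = '3.4.2';\n" > "$root/site1/public_html/wp-includes/version.php"
    printf '<?php echo "hello";\n' > "$root/site1/public_html/index.php"
    printf '<?php eval(base64_decode("..."));\n' \
        > "$root/site1/public_html/wp-content/uploads/2012/thumb.php"
    printf '%s\n' "$root"
}

root=$(build_sample_tree)
echo "== WordPress installs (dir, version)"; list_wp_installs "$root"
echo "== PHP files in uploads";              php_in_uploads "$root"
echo "== eval(decode) markers";              obfuscated_php "$root"
rm -rf "$root"
```

On a real server, replace the constructed root with /home and review each listed file by hand before deleting anything.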

  • The topic ‘site is sending spam, how to stop it’ is closed to new replies.