• Resolved ecollart

    (@ecollart)


    Hello,

    I know Mailpoet is not certified with WordPress 4.9 but I have it installed on a backup/staging site and that stopped working yesterday midnight and it’s not a hosting problem.
    I have Mailpoet 2 not de-activated on the same site.
    I have also WordFence on that site and I need to restore a wflogs folder to get the site restarted for a few minutes then it goes down again.
    Trying to find what’s going on, I noticed an abnormally high number of requests coming from an IANA-owned IP (WordFence refuses to block that one) and hitting a MailPoet URL.
    Below is what I captured from the WordFence log:
    An unknown location at IP 10.1.3.82 left https://blog.ecollart.org/?mailpoet_router&endpoint=cron_daemon&action=run&data=eyJ0b2tlbiI6IjJhZjA0In0 and visited https://blog.ecollart.org/?mailpoet_router&endpoint=cron_daemon&action=run&data=eyJ0b2tlbiI6IjJhZjA0In0
    21/11/2017 13:20:42 (2 minutes ago) IP: 10.1.3.82 [block] Hostname: cl3-webng3.intra
    Browser: undefined
    MailPoet Cron

    Any help appreciated

    Eric Collart

  • Thread Starter ecollart

    (@ecollart)

    I de-activated the Mailpoet 3 plugin and get no more hits from that IP address, but I start to get hits from others (that hopefully I can block via WordFence up to now).
    That backup site is not indexed and not referenced anywhere and normally has no traffic …

    Eric Collart

    Thread Starter ecollart

    (@ecollart)

    Correction on first post: Mailpoet 2 IS deactivated on that site for several days.

    Sorry for the overhead but I can’t find how to edit a published post…

    Eric Collart

    That IP is your own website accessing itself to keep your sending queue working (it’s MailPoet 3’s own task scheduler): https://beta.docs.mailpoet.com/article/129-what-is-the-newsletter-task-scheduler

    Thread Starter ecollart

    (@ecollart)

    Wow! I see! Good to know such activity is normal…
    So wrong analysis and knowledge improving!

    It anyway looks strange to me that I also had 2 hits from external IPs with exactly the same target:

    United States Ashburn, United States visited https://blog.ecollart.org/?mailpoet_router&endpoint=cron_daemon&action=run&data=eyJ0b2tlbiI6IjJhZjA0In0
    21/11/2017 13:32:52 (39 minutes ago) IP: 52.91.184.228 [unblock] Hostname: ec2-52-91-184-228.compute-1.amazonaws.com
    Browser: undefined
    Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)

    and

    United States Ashburn, United States visited https://blog.ecollart.org/?mailpoet_router&endpoint=cron_daemon&action=run&data=eyJ0b2tlbiI6IjJhZjA0In0
    21/11/2017 13:32:52 (40 minutes ago) IP: 34.207.213.117 [unblock] Hostname: ec2-34-207-213-117.compute-1.amazonaws.com
    Browser: undefined
    Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)

    I am quite happy to know I can continue with Mailpoet but now need to at least change the secret as it looks compromised (and published here now).

    Huge thanks for your support!

    Eric Collart

    Thread Starter ecollart

    (@ecollart)

    Scratching further, it seems a Slack user fetched that page to a specialized site using a dedicated bot looking for oEmbed, Twitter Card or Open Graph info…

    A bit curious why someone did that, but it could be a person involved with my open tickets because of my site down problem (here and at my web provider).

    So let’s forget about that for now and close this ticket as invalid.

    Eric Collart

  • The topic ‘Suspected attack against Mailpoet 3 plugin’ is closed to new replies.
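
The triage done by hand in this thread can be scripted. The Python below is an added example, not part of the original posts and not MailPoet or WordFence code: it decodes the `data` parameter of each `cron_daemon` request, separates hits from private addresses from external ones, and lists tokens that were seen from outside. It assumes `data` is unpadded base64 JSON (the value quoted in the thread decodes that way) and that a private source address means the site calling itself, as the reply explains; `decode_data` and `triage` are hypothetical helper names.

```python
import base64
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

# Request URL and hits re-typed from the WordFence excerpts quoted in the thread.
CRON_URL = ("https://blog.ecollart.org/?mailpoet_router&endpoint=cron_daemon"
            "&action=run&data=eyJ0b2tlbiI6IjJhZjA0In0")
SLACKBOT = "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"
HITS = [
    ("10.1.3.82", "MailPoet Cron", CRON_URL),
    ("52.91.184.228", SLACKBOT, CRON_URL),
    ("34.207.213.117", SLACKBOT, CRON_URL),
]


def decode_data(url):
    """Return the decoded `data` object of a cron_daemon request, else None."""
    params = parse_qs(urlsplit(url).query)
    if params.get("endpoint") != ["cron_daemon"] or "data" not in params:
        return None
    raw = params["data"][0]
    try:
        # The value carries no '=' padding; restore it before decoding.
        decoded = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        data = json.loads(decoded)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return data if isinstance(data, dict) else None


def triage(hits):
    """Return (internal IPs, external (IP, agent) pairs, tokens seen externally)."""
    internal, external, exposed = [], [], set()
    for ip, agent, url in hits:
        data = decode_data(url)
        if data is None:
            continue
        # Assumption: a private source address is the site's own scheduler.
        if ipaddress.ip_address(ip).is_private:
            internal.append(ip)
        else:
            external.append((ip, agent))
            if data.get("token"):
                exposed.add(str(data["token"]))
    return internal, external, sorted(exposed)


if __name__ == "__main__":
    print(triage(HITS))
```

Any token returned in the third list has left the site and should be regenerated, which is the conclusion the thread starter reaches above.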