Security – Hacker send email via my admin-ajax.php

  • Hi,

    I face an issue since months. My site send emails dozens of times a day, to unknown recipients. After investigation, it appears that a hacker uses the file admin-ajax.php to send emails via my site.

    Log file :
    141.98.xxx.xxx mysite.com – [23/Sep/2019:01:06:01 +0200] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 25 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36”

    POST data :
    {“action”:”wysija_ajax”,
    “ajaxurl”:”http:\/\/www.mailpoet.com\/wp-admin\/admin-ajax.php”,
    “controller”:”subscribers”,
    “data”:[{“name”:”wysija[user][firstname]”,”value”:”GlSJwOSKtdrXkptf”},
    {“name”:”wysija[user][abs][firstname]”,”value”:””},
    {“name”:”wysija[user][email]”,”value”:”[email protected]”},
    {“name”:”wysija[user][abs][email]”,”value”:””},
    {“name”:”action”,”value”:”save”},
    {“name”:”controller”,”value”:”subscribers”},
    {“name”:”wysija[user_list][list_ids]”,”value”:”1″}],
    “task”:”save”}

    I used MailPoet Newsletters (wisija) V2.7.4 but this plugin is now desactivated and the name of the plugin folder has been changed (-OFF added).

    I have check my WP with Wordfence and no files has been modified.

    I have deny this IP in my HTACCESS but if the hacker change it, This will start again.

    Is there a way to fix this issue ?

    Regards

    Previous on WP support

Viewing 4 replies - 1 through 4 (of 4 total)

  • Hi Jacques

    You could install a plugin to prevent starting wordpress files from outside the site.
    Also you can add the following line at the beginning of the file
    if ( ! defined( ‘ABSPATH’ ) ) exit; // Exit if accessed directly

    This is one of many solutions
    Also I would recommend to install “WP all in one security” which is a great secrutity plugin.
    Regards,
    Peter

    Thread Starter Jacques Malgrange

    (@sojahu)

    Hi Peter,

    Thanks for your response.

    I added a test at the beginning of the admin-ajax.php file. If true => die. That works fine.

    Regards

    Hi Jaques,

    Glad to be able to help you.
    Nice to read that your problem is resolved??
    Regards,
    Peter

    Hi @sojahu,

    Please note this is the support forum for MailPoet 3 and not MailPoet 2.

    Please email our support team via support(at)mailpoet.com with the full details of what you’ve found and we’d be happy to investigate.

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Security – Hacker send email via my admin-ajax.php’ is closed to new replies.