WF password reset emails spoofed?
Seeing what appear to be normal password reset request emails about every 48 hours from the egolfplan.com site. Link URLs all look perfectly normal but the From address is listed as WordPress <[email protected]>.
I’m assuming this is some kind of spear-phishing attack but I don’t see what the vector for actually compromising me is…
Last part of headers below. The real site is at 67.228.22.163 on a dedicated box. No other sites hosted there.
So this is not really a support request but more info that may be useful to WF about a spoofed WF email.
Subject: [Wordfence Alert] egolfplan.com Password recovery attempted
X-PHP-Script: mybiznetsite.com/wp-login.php for 65.74.139.236
Date: Fri, 20 Oct 2017 04:15:57 +0000
From: WordPress <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – hostname.egolfplan.com
X-AntiAbuse: Original Domain – [mydomainhere].com
X-AntiAbuse: Originator/Caller UID/GID – [500 501] / [47 12]
X-AntiAbuse: Sender Address Domain – hostname.egolfplan.com
X-Get-Message-Sender-Via: hostname.egolfplan.com: authenticated_id: egolf/only user confirmed/virtual account not confirmed
X-Antivirus: AVG (VPS 171020-2, 10/20/2017), Inbound message
X-Antivirus-Status: Clean
X-Antivirus: avast! (VPS 171020-2, 10/20/2017), Inbound message
X-Antivirus-Status: Clean
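An added example, not part of the original post and not Wordfence code: a small Python triage of the headers quoted above, pulling out which virtual host's script generated the alert, the client address it recorded, and whether the sending server belongs to the site named in the subject. The `X-PHP-Script` layout (`host/script for client-ip`) is assumed from the single header in the post; `triage` and its field names are hypothetical.

```python
import ipaddress
import re

# Subset of the header lines quoted in the post, embedded as sample input.
SAMPLE = """\
Subject: [Wordfence Alert] egolfplan.com Password recovery attempted
X-PHP-Script: mybiznetsite.com/wp-login.php for 65.74.139.236
X-AntiAbuse: Primary Hostname – hostname.egolfplan.com
X-AntiAbuse: Sender Address Domain – hostname.egolfplan.com
"""

def parse_headers(raw):
    """Return (name, value) pairs, joining folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def triage(raw):
    """Extract which script sent the alert, for which client, from which server."""
    headers = parse_headers(raw)
    def first(name, prefix=""):
        return next((v for k, v in headers
                     if k == name and v.lower().startswith(prefix)), "")
    out = dict.fromkeys(("alert_site", "script_host", "script_path", "client_ip", "mail_host"))
    m = re.search(r"\[Wordfence Alert\]\s+(\S+)", first("subject"))
    if m:
        out["alert_site"] = m.group(1).lower()
    # Assumed layout, as seen in the post: "<vhost>/<script> for <client ip>"
    m = re.match(r"([^/\s]+)(/\S*)?\s+for\s+(\S+)", first("x-php-script"))
    if m:
        out["script_host"], out["script_path"] = m.group(1).lower(), m.group(2)
        try:
            out["client_ip"] = str(ipaddress.ip_address(m.group(3)))
        except ValueError:
            pass  # malformed address: leave as None rather than trust it
    primary = first("x-antiabuse", "primary hostname")
    # Value looks like "Primary Hostname - <host>"; the post shows an en dash.
    out["mail_host"] = re.split(r"\s[-–]\s", primary, maxsplit=1)[-1].lower() or None
    site, host = out["alert_site"], out["mail_host"]
    out["sent_by_site_server"] = bool(site and host and
                                      (host == site or host.endswith("." + site)))
    out["script_host_differs"] = bool(site and out["script_host"] and out["script_host"] != site)
    return out
```

On the posted headers this reports that the sending server's hostname sits under egolfplan.com while the script host is mybiznetsite.com, with the recorded client address 65.74.139.236.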