KyHello

Another suggestion. If CPhulk is not currently enabled, do enable it now and set it to notify you when there are 3 or more failed attempts. (You can set it to 1 or 2 if you wish).

I looked through records over the past 3 days and spotted hackers trying to login at some point. However the CPhulk email notification was in the frozen mails due to the tens of thousands of spam in queue.

If you do have these notifications setup, very likely the notifications were trigerred but stuck.

I found additional malicious code by checking the contents of the “frozen” status emails under Mail Queue manager in WHM.

One of the lines is “X-PHP-Script: YOURSITE.com/folder/folder/folder/list.php”. List.php was one of the virus the previous commands failed to pick up. This code got into my NON-wordpress site.

I also noticed the hackers are using “[email protected]” to send spam mails. Currently trying to search @yoursite.com in my databases, will update if I find anything.