
I run a blog on WordPress. Recently I received an abuse complaint from the server, which when verified returned this:

============================================================ 
Received: from [192.241.188.154] by usfamily.net 
(USFamily MTA v5/:PG5vcm1hX2NoYW1iZXJzQG1yaW5hbHB1cm9oaXQuY29tPjxkamtpbm5leUB1c2ZhbWlseS5uZXQ_)
with SMTP id <20140301115044001084500013> for <djkinney@usfamily.net>; 
Sat, 01 Mar 2014 11:50:44 -0600 (CST) 
(envelope-from norma_chambers@myblog.com, notifiable emailnetwork 192.241.188.) 
Received: by myprimarydomain.com (Postfix, from userid 498) 
id 1C5EE1305AE; Sat, 1 Mar 2014 17:12:39 +0000 (UTC) 
To: djkinney@usfamily.net 
Subject: FW: Good day 
X-PHP-Originating-Script: 498:sslnEn.php 
From: "Norma Chambers" <norma_chambers@myblog.com> 
Reply-To: "Norma Chambers" <norma_chambers@myblog.com> 
X-Priority: 3 (Normal) 
MIME-Version: 1.0 
Content-Type: text/html; charset="iso-8859-1" 
Message-Id: <20140301171239.1C5EE1305AE@myblog.com> 
Date: Sat, 1 Mar 2014 17:12:39 +0000 (UTC) 
Content-Transfer-Encoding: quoted-printable

<div> 
<p> 
Top Meds Website good deal <a href=3D"http://dumantarim.com/modules/mod_= 
araticlhess/rlf.html">http://dumantarim.com/modules/mod_araticlhess/rlf.h= 
tml</a> 
</p> 
</div>

============================================================

Now I assumed that it meant this: several unsolicited emails were sent from the id norma_chambers@myblog.com. If my assumption is correct, this email id should have existed on the VPS AND the user had access to the email account to send mails. Does it really mean that my server (VPS) was hacked? I am not actually using any contact form on my blog as such, but this may be caused by some plugin etc.??? Not sure :(

Am I on the correct path to trace this problem? Please shed some light.

beNerd
  • Looks like mail was sent using a PHP script (sslnEn.php) by userid 498 on host myblog.com – clement Mar 02 '14 at 16:07
  • Well, I have only one WordPress blog on the server. Taking a clue from your comment, I went into the blog root directory and grepped for this file: sslnEn.php, but there was no such file! – beNerd Mar 02 '14 at 16:11
  • Could you add output of the "# cat /var/log/maillog | grep 1C5EE1305AE" and "cat /etc/passwd | grep 498" to the question – ALex_hha Mar 02 '14 at 16:17
  • cat /etc/passwd | grep 498 - for this I got: nginx:x:498:498::/opt/nginx:/sbin/nologin. The first one returns nothing! – beNerd Mar 02 '14 at 16:18

1 Answer


You haven't provided much information, but it sounds like your WordPress installation has been compromised and a spam-sending script has been uploaded and used.

The "from" address on the email doesn't necessarily mean that the account/address exists on your server, as almost all email headers can be faked. The user-id is most likely that of your web-server user, which was the system user that was used to execute the intruder's script - you can check /etc/passwd to be sure.

A detailed post on how to recover from a hack is here. At the very least, you should stop Apache on your server, scan your WordPress installation for suspicious files, and change your account passwords.

Craig Watson
  • The link you provided for the recovery is more for a generic case. Can you point me to how to start finding the root cause of the vulnerability in the WordPress installation? BTW, what should be the appropriate permissions for the directories in the WordPress installation? – beNerd Mar 02 '14 at 16:17
  • You can find a lot of hints for securing a WordPress installation here: http://codex.wordpress.org/Hardening_WordPress - for recovery, I would suggest finding any php files in your wp-content/uploads directory, and analysing your webserver logs for HTTP POST requests during the time period in question. – Craig Watson Mar 02 '14 at 16:25
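
The triage the answer and its comments describe, as an added example that is not part of the original thread: map the uid from the X-PHP-Originating-Script header (the header PHP adds when mail.add_x_header is on, in the form uid:script) to a system account, pull the HTTP POSTs from the access log in the window around the message Date, and list PHP files sitting under wp-content/uploads. Every input is constructed inline so the script runs offline; the access-log lines, the IP addresses, the extra passwd entries and the uploads/2014/03 location of sslnEn.php are assumptions for illustration, not data recovered from the compromised VPS.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Offline
# triage for the three checks discussed above. All inputs are constructed;
# log lines, addresses and the uploads/2014/03 path of sslnEn.php are
# assumptions, not data from the compromised server.

# Check 1: which account owns a uid. Matches the UID field only, so the
# digits "498" inside a home directory or another uid do not match the way
# they would with "grep 498 /etc/passwd". Reads passwd-format lines on stdin.
owner_of_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $1 }'
}

# Constructed /etc/passwd excerpt; the nginx line is the one quoted in the
# comments, the others are filler (note the decoy "498" in bob's home dir).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
nginx:x:498:498::/opt/nginx:/sbin/nologin
bob:x:1000:1000::/home/bob498:/bin/bash'

# Check 2: POST requests on 01/Mar/2014 between two HH:MM bounds (inclusive),
# read from a combined-format access log on stdin. The message was injected
# at 17:12:39 UTC, so POSTs to PHP files shortly before that are of interest.
posts_in_window() {
    awk -v from="$1" -v to="$2" '
        # $4 looks like [01/Mar/2014:17:12:30 and $6 looks like "POST
        $6 == "\"POST" {
            split($4, t, ":")            # t[1]=[01/Mar/2014 t[2]=HH t[3]=MM
            hhmm = t[2] ":" t[3]
            if (t[1] == "[01/Mar/2014" && hhmm >= from && hhmm <= to) print
        }'
}

# Constructed access log (RFC 5737 example addresses). Only the two POSTs to
# sslnEn.php fall inside the 17:00-17:20 window used below.
SAMPLE_ACCESS_LOG='203.0.113.7 - - [01/Mar/2014:16:58:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2731 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2014:17:11:55 +0000] "POST /wp-content/uploads/2014/03/sslnEn.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.21 - - [01/Mar/2014:17:12:30 +0000] "POST /wp-content/uploads/2014/03/sslnEn.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Mar/2014:17:40:10 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Mar/2014:17:41:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Check 3: PHP-executable files under an uploads tree, which should only
# hold media. Also catches .php5/.phtml names that some PHP handlers execute.
php_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.php?' -o -name '*.phtml' \) | sort
}

# Builds a throwaway uploads tree with constructed file names for the demo.
make_sample_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2014/02" "$d/2014/03"
    : > "$d/2014/02/image.png"
    : > "$d/2014/02/notes.php5"
    : > "$d/2014/03/photo.jpg"
    : > "$d/2014/03/sslnEn.php"
    printf '%s\n' "$d"
}

echo "uid 498 belongs to: $(printf '%s\n' "$SAMPLE_PASSWD" | owner_of_uid 498)"
echo "POSTs between 17:00 and 17:20 UTC:"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | posts_in_window 17:00 17:20
UPLOADS=$(make_sample_uploads)
echo "PHP files under $UPLOADS:"
php_in_uploads "$UPLOADS"
rm -rf "$UPLOADS"
```

On a real server the same functions would be fed `/etc/passwd`, the nginx or Apache access log for 1 March 2014, and the actual `wp-content/uploads` directory; the point of the log filter is that a POST to a PHP file under a path that should only contain media, a few minutes before the message Date in the header, is the request that triggered the spam script, and its source address and earlier requests tell you how the file got there.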