WordPress Hacked and Used for Email Spamming


Post by cosmicx » Thu Oct 26, 2017 7:06 pm

A WP site on my server was hacked and was used for email spamming. Now, most of the sites hosted on the server aren't able to send emails, due to the fact that the server's IP address is blacklisted.

Using this guide:
viewtopic.php?t=13892

...I was able to find the spamming script. So I decided to just take down all the files in the public_html directory.

But when I tail /var/log/exim4/mainlog, I see fast-scrolling errors.

Errors such as:
- Unroutable Address
- temporarily deferred due to user complaints

...and other log messages saying that messages coming from the hacked WP domain were not delivered. Also, I still see email addresses with the domain attached, but the users are not actually on the mail server. Like:

helen.a@hackeddomain.ex
helen.b@hackeddomain.ex



Now, my question is - WHAT ARE THE STEPS TO FURTHER INVESTIGATE THE ISSUE?

UPDATE:

The fast-scrolling error logs stopped after deleting the message queues.
Got the tip from this thread:
viewtopic.php?f=12&t=8740&p=28902&hilit=spam+assassin+disabled#p28902

Did the following command to remove mail queue:

exim -bp | grep "<" | awk '{print $3}' | xargs exim -Mrm
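
The command above matches every queued message, so legitimate mail from other sites on the server is removed along with the spam. As an added example that is not part of the original post, the shell functions below read `exim -bp` output and pick out only the messages whose envelope sender is at one domain, plus a per-domain count of what is queued. The function names, message IDs and sample queue listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of `exim -bp` output (IDs and addresses are made up).
sample_queue() {
cat <<'EOF'
25m  2.9K 1e7aBc-0001Xy-2Z <helen.a@hackeddomain.ex>
          someone@example.com

 3h  1.1K 1e7aBd-0002Ab-7Q <user@otherdomain.ex>
          friend@example.org

 2d  4.0K 1e7aBe-0003Cd-9R <helen.b@HackedDomain.ex> *** frozen ***
        D done@example.net
          pending@example.net

 5h  1.5K 1e7aBf-0004Ef-1S <>
          helen.a@hackeddomain.ex
EOF
}

# Print the IDs of queued messages whose envelope sender is at domain $1.
# Header lines are "age size id <sender>"; recipient lines have no 4th field,
# and bounces (sender "<>") contain no "@", so both are skipped.
queue_ids_for_sender_domain() {
    awk -v dom="$1" '
        $4 ~ /^<.*>$/ {
            sender = tolower(substr($4, 2, length($4) - 2))
            n = split(sender, part, "@")
            if (n >= 2 && part[n] == tolower(dom)) print $3
        }'
}

# Count queued messages per sender domain, busiest first.
queue_sender_domain_counts() {
    awk '
        $4 ~ /^<.*>$/ {
            n = split(tolower(substr($4, 2, length($4) - 2)), part, "@")
            count[n >= 2 ? part[n] : "(bounce)"]++
        }
        END { for (d in count) print count[d], d }' | sort -rn
}

sample_queue | queue_sender_domain_counts
sample_queue | queue_ids_for_sender_domain hackeddomain.ex
# On the server: exim -bp | queue_ids_for_sender_domain hackeddomain.ex | xargs -r exim -Mrm
```

Bounce messages (sender `<>`) generated by the spam run are reported separately by the count and are not matched by the per-domain selection.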
