WordPress Hacked and Used for Email Spamming
Posted: Thu Oct 26, 2017 7:06 pm
A WP site on my server was hacked and was used for email spamming. Now, most of the sites hosted on the server aren't able to send emails, due to the fact that the server's IP address is blacklisted.
Using this guide:
viewtopic.php?t=13892
...I was able to find the spamming script. So I decided to just take down all the files in the public_html directory.
But when I tail command /var/log/exim4/mainlog - I see fast scrolling errors.
Errors such as:
- Unroutable Address
- temporarily deferred due to user complaints
...and other logs messages saying that messages coming from the hacked WP domain was not delivered. Also I still see email address with the domain attached, but the users are not actually on the mail server. Like;
Now, my question is - WHAT ARE THE STEPS TO FURTHER INVESTIGATE ON THE ISSUE?
UPDATE:
The fast scrolling error logs stopped after delete message queues.
Got the tip from this thread:
viewtopic.php?f=12&t=8740&p=28902&hilit ... led#p28902
Did the following command to remove mail queue:
Using this guide:
viewtopic.php?t=13892
...I was able to find the spamming script. So I decided to just take down all the files in the public_html directory.
But when I tail command /var/log/exim4/mainlog - I see fast scrolling errors.
Errors such as:
- Unroutable Address
- temporarily deferred due to user complaints
...and other logs messages saying that messages coming from the hacked WP domain was not delivered. Also I still see email address with the domain attached, but the users are not actually on the mail server. Like;
Now, my question is - WHAT ARE THE STEPS TO FURTHER INVESTIGATE ON THE ISSUE?
UPDATE:
The fast scrolling error logs stopped after delete message queues.
Got the tip from this thread:
viewtopic.php?f=12&t=8740&p=28902&hilit ... led#p28902
Did the following command to remove mail queue:
Code: Select all
exim -bp|grep "<"|awk {'print $3'}|xargs exim -Mrm