- This topic has 9 replies, 4 voices, and was last updated 8 years, 7 months ago by
.
-
Posts
-
Hallo,
today, I’ve received a message from my hosting company. They think that there is a severe security issue. Yesterday, more that 3000 emails were sent from a romanian IP through my clients website. The support told us that this was not the first time. The script involved /was wp-content/plugins/newsletter/do/subscribe.php.
Would you please check this? Thanks in advance!
Probably it’s a bot trying subscriptions. Have you enabled the anotibot feature on subscription steps panel? Your provider should be able to see if those call to the subscribe.php page are originating from the same ip.
Bye, Stefano.
Already tried Nearby Photos? Try it and see what’s happening around you!No, I did not activate this feature. How exactly does it work? I can’t see any difference in the source code after enabling the antibot.
Thanks!
Mike
It change the behavior of subscribe.php, nothing in the page.
Bye, Stefano.
Already tried Nearby Photos? Try it and see what’s happening around you!Hi Stefano,
it’s very unlikely that this is a bot trying subscription, I guess. We should then see much more non-confirmed subscribers. Our Provider told us, that more than 3000 emails were sent through subscribe.php from a romanian IP. But we had only 10 or so non-confirmed subscriptions. Very weird. We blocked the IP. That seems to do the trick. However, would be nice to know what’s going on here. The Support told us also that this problem appeared on several installations of other customers. I’ll keep you posted. Don’t get me wrong: I don’t blame the plugin for having any security issues.
MKJ have you tried to install Wordfence Plugin to do a malware scan? I had something similar happen and was able to find a lot of bad files.
Hi there,
thanks for the reply. I’ve just installed Wordfence and let it scan the site. Everything is fine. I always have file monitoring enabled on my sites. It is very unlikely that the site can be hacked without any notification. Blocking the romanian IP seems to do the trick. However, I don’t really know how the email spamming was possible.
I have had an infection as well where the newsletter plugin was also installed. It compares to what is described here: http://somewebgeek.com/2014/wordpress-remote-code-execution-base64_decode/ (attributed to the WP mailpoet plugin)
I do not have mailpoet installed, maybe somebody can confirm infection without mailpoet being installed.
Hi as far as I know there are not security problems with Newsletter, which other plugin and themes (even NOT active) have installed. Remember that not active plugins or themes does not grants that, if they have vulnerabilities, they cannot be used!
Bye, Stefano.
Already tried Nearby Photos? Try it and see what’s happening around you!
- You must be logged in to reply to this topic.