October 5, 2014 at 4:20 pm #11976
Today, I’ve received a message from my hosting company. They think that there is a severe security issue. Yesterday, more than 3000 emails were sent from a Romanian IP through my client’s website. The support told us that this was not the first time. The script involved was /wp-content/plugins/newsletter/do/subscribe.php.
Would you please check this? Thanks in advance!

October 5, 2014 at 5:28 pm #11977
Probably it’s a bot trying subscriptions. Have you enabled the antibot feature on the subscription steps panel? Your provider should be able to see if those calls to the subscribe.php page are originating from the same IP.
Already tried Nearby Photos? Try it and see what’s happening around you!

October 6, 2014 at 8:50 am #11991
No, I did not activate this feature. How exactly does it work? I can’t see any difference in the source code after enabling the antibot.
Mike

October 7, 2014 at 7:08 am #12009
It changes the behavior of subscribe.php, nothing in the page.

October 11, 2014 at 11:07 am #12033
It’s very unlikely that this is a bot trying subscription, I guess. We should then see much more non-confirmed subscribers. Our provider told us that more than 3000 emails were sent through subscribe.php from a Romanian IP. But we had only 10 or so non-confirmed subscriptions. Very weird. We blocked the IP. That seems to do the trick. However, it would be nice to know what’s going on here. The support also told us that this problem appeared on several installations of other customers. I’ll keep you posted. Don’t get me wrong: I don’t blame the plugin for having any security issues.

October 11, 2014 at 12:24 pm #12035 kimosogi Participant
MKJ, have you tried to install the Wordfence plugin to do a malware scan? I had something similar happen and was able to find a lot of bad files.

October 13, 2014 at 10:26 am #12054
Thanks for the reply. I’ve just installed Wordfence and let it scan the site. Everything is fine. I always have file monitoring enabled on my sites. It is very unlikely that the site can be hacked without any notification. Blocking the Romanian IP seems to do the trick. However, I don’t really know how the email spamming was possible.

October 15, 2014 at 7:11 pm #12078 Francis Participant
I have had an infection as well where the newsletter plugin was also installed. It compares to what is described here: http://somewebgeek.com/2014/wordpress-remote-code-execution-base64_decode/ (attributed to the WP mailpoet plugin)
I do not have mailpoet installed; maybe somebody can confirm infection without mailpoet being installed.

October 15, 2014 at 8:21 pm #12080
Hi, as far as I know there are no security problems with Newsletter. Which other plugins and themes (even NOT active) do you have installed? Remember that a plugin or theme not being active does not guarantee that, if it has vulnerabilities, they cannot be used!

October 15, 2014 at 8:23 pm #12081
I didn’t say it was an infection. My installation was clean according to Wordfence and my own file scans.
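
An added example, not written by any participant in this thread: the check suggested earlier (whether the calls to subscribe.php originate from the same IP) can be run over the web server access log. It assumes the Apache/nginx combined log format; the sample lines are constructed with documentation IP addresses, and the thresholds are arbitrary assumptions.

```python
import re
from collections import Counter

# Path of the script named in the thread.
TARGET = "/wp-content/plugins/newsletter/do/subscribe.php"

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def _line(ip, sec, method, path):
    """Build one constructed log line (sample data only)."""
    return (f'{ip} - - [04/Oct/2014:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "constructed-agent"')

# Constructed sample: one busy source, one ordinary visitor, one broken line.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", TARGET) for s in range(5)]
    + [_line("198.51.100.20", 30, "POST", TARGET + "?x=1"),
       _line("198.51.100.20", 31, "GET", "/"),
       "garbled line that does not parse"]
)

def requests_per_ip(log_text, target=TARGET):
    """Count POST requests to the target script per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # skip malformed lines and non-POST requests
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path == target:
            counts[m.group("ip")] += 1
    return counts

def dominant_sources(counts, min_share=0.8, min_requests=3):
    """Return IPs responsible for at least min_share of the script's traffic."""
    total = sum(counts.values())
    return [ip for ip, n in counts.most_common()
            if n >= min_requests and n / total >= min_share]

if __name__ == "__main__":
    per_ip = requests_per_ip(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}\t{n}")
    print("dominant:", dominant_sources(per_ip))
```

Comparing the per-IP request count with the number of new unconfirmed subscribers over the same period shows whether the requests actually correspond to subscriptions.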