Need Help SPAM e-mail being sent from my site Wordpress

Discussion in 'BlackHat Lounge' started by drei29, May 1, 2015.

  1. drei29

    drei29 BANNED BANNED

    Joined:
    Sep 29, 2013
    Messages:
    197
    Likes Received:
    32
    Hi everyone, I need your help on how to fix this PHP script that keeps sending spam emails using my site.
    Here's what happened. About 2-3 weeks ago I used this template http://www.blackhatworld.com/blackhat-seo/templates-themes/734132-get-divi-2-2-purchased-elegant-themes.html. Until yesterday my hosting provider sent me an email that my account is sending spam email. Check the screenshot.
    [Attachment: spam mail.png]

    I already talked with my hosting support and I did locate the PHP file that is sending spam e-mail. I deleted the PHP file after that. Guess what, the next day I received another spam email report. It's the same link where it originated. I opened my cPanel and the PHP file is still there. I've talked with support again and they opened a ticket for me.

    Btw, here's the screenshot of the PHP file.
    [Attachments: php file.png, php script.jpg]

    I already ran a malware scan on my website but it did not find anything. I changed my WordPress password and installed the Sucuri Security plugin, but the PHP file keeps on coming back.

    Any advice on how to fix this?
     
  2. drei29

    Has anyone had experience with this? I really need some help.
     
  3. roadhamster

    roadhamster Regular Member

    Joined:
    Mar 12, 2012
    Messages:
    340
    Likes Received:
    244
    You have to clean the infected files manually, or replace them with the original php files.
    Also there could be some crap in your .htaccess file, check that one too.
    Also change your password for your wp-admin, if you haven't done that already.
     
  4. drei29

    I already deleted the PHP file but it keeps coming back. I've checked the .htaccess file and it's clean (compared it to my other sites). I already changed the wp-admin password twice. I contacted hosting support and they scanned the whole site but did not find anything. I installed the Sucuri Security plugin and also scanned for malware but did not find anything. Also, in my observation, once I delete the PHP file, after about 6-10 hours it comes back.

    Btw thanks for the help.
    Anyone might want to share their input on how to fix this?
     
  5. drei29

    Here's the PHP file. I also decoded it but still don't have a clue.

    http://pastebin.com/FjxCgsB4
     
  6. Lermontov

    Lermontov Registered Member

    Joined:
    Nov 19, 2014
    Messages:
    97
    Likes Received:
    18
    Are you sure there is no cron job running? If you have deleted the PHP file and yet it's still sending email, it means the issue is in another script or included file. Use a file editor to search through all the files for the PHP mail function to see which files reference that function.
     
  7. drei29


    Yes, I deleted the PHP file, but whenever I log back in to my cPanel after 5-6 hours the PHP file (press.php) comes back. I'm not really code savvy, so bear with me. So how can I locate the file or script that creates a new press.php file whenever I delete it?
     
  8. roadhamster

    Did you scan your PC/laptop for viruses/malware?
    Do you use FileZilla to upload files to your FTP server?
    WordPress: disable/remove all your plugins, reset the theme to the standard, clear cache stuff, back up your database, reinstall WordPress, check your files from beginning to end; there has to be an include() in some PHP file or something.
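
Lermontov's search for the PHP mail function and roadhamster's hunt for a stray include(), written out as a read-only shell triage. This is an added example, not code posted in the thread; the function names, the regexes and the 720-minute default window are assumptions chosen for illustration, and every hit is a lead to review rather than a verdict.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress docroot where a deleted
# PHP file keeps coming back. Patterns are heuristics; review every hit.

# PHP files that call mail() directly, eval() a decoded string, or use an
# error-suppressed include/require. wp_mail( and ->mail( are not matched.
find_suspect_php() {
    grep -rlE --include='*.php' \
        -e '(^|[^A-Za-z0-9_>$])mail[[:space:]]*\(' \
        -e 'eval[[:space:]]*\(.*(base64_decode|gzinflate|str_rot13)' \
        -e '@[[:space:]]*(include|require)(_once)?[^A-Za-z0-9_]' \
        "$1" 2>/dev/null | sort
}

# Executable PHP under uploads/, which should hold media only.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php*' -o -iname '*.phtml' \) 2>/dev/null | sort
}

# PHP files whose inode changed in the last $2 minutes. ctime is used
# because PHP's touch() can backdate mtime but cannot set ctime.
find_recent_php() {
    find "$1" -type f -name '*.php' -cmin "-$2" 2>/dev/null | sort
}

# Usage: sh triage.sh /path/to/docroot [minutes]
# (script name and docroot path are placeholders)
if [ -n "${1:-}" ]; then
    window=${2:-720}
    echo "== direct mail() / eval-decoder / @include hits"
    find_suspect_php "$1"
    echo "== PHP files under wp-content/uploads"
    find_php_in_uploads "$1"
    echo "== PHP files changed in the last $window minutes"
    find_recent_php "$1" "$window"
    echo "== crontab of the current user"
    crontab -l 2>/dev/null || echo "(no crontab)"
fi
```

WordPress also keeps its own scheduled events in the database (WP-Cron), which `crontab -l` does not show; `wp cron event list` from WP-CLI lists them.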
     
  9. archon10

    archon10 BANNED BANNED

    Joined:
    Oct 10, 2011
    Messages:
    1,181
    Likes Received:
    1,668
    Hacked WP site. So new and fresh and so rare.

    Since you don't know how to code, the only real answer is to reset WP back to the original install and disable plugins.

    Or, hire someone to fix it and identify the issue.

    ProTip: downloading files from a site named "blackhatworld" is probably no bueno.
     
  10. drei29

    Thanks for your info, guys. What I did was uninstall all the plugins, re-install WordPress and upload the theme again, and it was fixed. It's been more than a week and there are no changes on my cPanel.