Account sending emails from wordpress problem

[leonep]

Hi,
i have an account sending mails form WP website.

example:

Event: success success
Sender User: xxxx
Sender Domain: example.com
From Address: [email protected]
Sender: xxx
Sent Time: Jun 13, 2019, 9:13:09 AM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: localuser
Spam Score: 3.5
Recipient: [email protected]
Delivered To: [email protected]
Delivery User: -remote-
Delivery Domain:
Router: dkim_lookuphost
Transport: dkim_remote_smtp
Out Time: Jun 13, 2019, 9:13:09 AM
ID: 1hbJva-0006fR-1o
Delivery Host: mx3.example.org
Delivery IP: 203.205.xxx.xx
Size: 900 bytes
Result: Accepted

Path: '/home/xxxx/public_html/wp-admin'
Count: 101 emails sent

Sample of the first 10 emails:

2019-06-13 08:20:55 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:31:34 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:31:51 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:26 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:37 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:48 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:59 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:33:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:33:20 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i

Possible Scripts:

'/home/xxx/public_html/wp-admin/user-edit.php'
'/home/xxx/public_html/wp-admin/user-new.php'
'/home/xxx/public_html/wp-admin/install.php'
'/home/xxx/public_html/wp-admin/network.php'
'/home/xxx/public_html/wp-admin/ms-delete-site.php'
'/home/xxx/public_html/wp-admin/comment.php'

I have latest version of Wp and all plugin updated. i changed user password for wp and cpanel. What can i do for this??? thanks

 

[fuzzylogic]

Most likely your website's contact form is being abused due to no captcha, weak spam protection or with challenge answer viewable in the html.

If your contact form sends using an ajax request the request will most likely POST to /wp-admin/admin-ajax.php
hence the /home/xxx/public_html/wp-admin script location.

This spam will be addressed to the website owner in most cases, but some contact forms offer the rather stupid option of sending a copy to yourself, (the spammer addresses this field to the spam victim)

I have seen WordPress themes with contact forms that print the website owners address in the html then POST that back to the server to be used for the To: header when constructing the email. (which allows simple automated abuse)

The files you listed are all names of legitimate WordPress files, but that does not mean they have not been altered.
It is also possible your site is compromised and has other code on it. If you think this is the case install Wordfence free WordPress plugin and run a scan.

 

[leonep]

yes , infact removing contact form mails flow stops . i must find a another more robust contact form plugin
thanks

 

[cPanelLauren]

Glad you were able to identify the source of the issue, maybe some others here can give you advice on which contact forms they use for their WordPress installations.