Account sending emails from wordpress problem

leonep

Well-Known Member
Nov 18, 2014
169
10
68
Pescara
cPanel Access Level
Root Administrator
Hi,
i have an account sending mails form WP website.

example:
Code:
Event: success success
Sender User: xxxx
Sender Domain: example.com
From Address: [email protected]
Sender: xxx
Sent Time: Jun 13, 2019, 9:13:09 AM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: localuser
Spam Score: 3.5
Recipient: [email protected]
Delivered To: [email protected]
Delivery User: -remote-
Delivery Domain:
Router: dkim_lookuphost
Transport: dkim_remote_smtp
Out Time: Jun 13, 2019, 9:13:09 AM
ID: 1hbJva-0006fR-1o
Delivery Host: mx3.example.org
Delivery IP: 203.205.xxx.xx
Size: 900 bytes
Result: Accepted

Path: '/home/xxxx/public_html/wp-admin'
Count: 101 emails sent
Sample of the first 10 emails:
Code:
2019-06-13 08:20:55 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:31:34 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:31:51 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:26 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:37 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:48 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:59 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:33:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:33:20 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
Possible Scripts:
Code:
'/home/xxx/public_html/wp-admin/user-edit.php'
'/home/xxx/public_html/wp-admin/user-new.php'
'/home/xxx/public_html/wp-admin/install.php'
'/home/xxx/public_html/wp-admin/network.php'
'/home/xxx/public_html/wp-admin/ms-delete-site.php'
'/home/xxx/public_html/wp-admin/comment.php'
I have latest version of Wp and all plugin updated. i changed user password for wp and cpanel. What can i do for this??? thanks
 
Last edited by a moderator:

fuzzylogic

Well-Known Member
Nov 8, 2014
154
93
78
cPanel Access Level
Root Administrator
Most likely your website's contact form is being abused due to no captcha, weak spam protection or with challenge answer viewable in the html.

If your contact form sends using an ajax request the request will most likely POST to /wp-admin/admin-ajax.php
hence the /home/xxx/public_html/wp-admin script location.

This spam will be addressed to the website owner in most cases, but some contact forms offer the rather stupid option of sending a copy to yourself, (the spammer addresses this field to the spam victim)

I have seen WordPress themes with contact forms that print the website owners address in the html then POST that back to the server to be used for the To: header when constructing the email. (which allows simple automated abuse)

The files you listed are all names of legitimate WordPress files, but that does not mean they have not been altered.
It is also possible your site is compromised and has other code on it. If you think this is the case install Wordfence free WordPress plugin and run a scan.