PHP mailer script sending spam from my domain

Hi there,

We are under attack and there is some script in our WordPress files which is sending out thousands of spam emails to people. The messages are being sent from email addresses at our domain which actually don't exist.

Here is a sample of one such email; there are many different versions being sent out:

------ This is a copy of the message, including all the headers. ------

Return-path: <mamie_white@carmento.com>
Received: from carmento by webcloud52.au.syrahost.com with local (Exim 4.85)
(envelope-from <mamie_white@carmento.com>)
id 1ZLVPJ-0010EZ-1w
for okieron@hotmail.com; Sat, 01 Aug 2015 19:56:58 +0800
To: okieron@hotmail.com
Subject: 1 Quick B00ty Match is waiting
X-PHP-Script: carmento.com/ for 127.0.0.1, 127.0.0.1
Date: Sat, 1 Aug 2015 11:56:52 +0000
From: Mamie White <mamie_white@carmento.com>
Message-ID: <aca23ed110356f83c813ee4b3708d7dd@carmento.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_aca23ed110356f83c813ee4b3708d7dd"
Content-Transfer-Encoding: 8bit
X-OutGoing-Spam-Status: No, score=-1.9

--b1_aca23ed110356f83c813ee4b3708d7dd
Content-Type: text/plain; charset=us-ascii

Hi, would you like to talk to me about sex?

I need a passionate mature man

Some jizz would be so pleasurable right now

[ http://php-training-ahmedabad.anantitsolution.com/info.php?z=23 ] The butt on a picture wants to be spanked

Come to my house I want to say thank you in a special way

--b1_aca23ed110356f83c813ee4b3708d7dd
Content-Type: text/html; charset=us-ascii

<html>
<body>

Hi, would you like to talk to me about sex?

I need a passionate mature man

Some jizz would be so pleasurable right now

The butt on a picture wants to be spanked

Come to my house I want to say thank you in a special way

</body>
</html>

We are receiving hundreds of failed email warning emails from Mailer-Daemon@webcloud52.au.syrahost.com.

Our hosting provider is Crazy Domains and they have identified a script:

wp-content > plugins > custom-login > js > object.php

They have asked us not to delete this file but seek professional wordpress support.

I am a basic wordpress user and do not know how to proceed further.

Appreciate your responses, any suggestions.

kind regards,
Malkiat Singh
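The headers in the sample above already carry the attribution a site owner needs: `Received: ... with local` says the mail was handed to Exim by a local process rather than over authenticated SMTP, `X-PHP-Script` names the site and path the host's PHP mail wrapper recorded, and `X-Mailer` shows the script bundled its own PHPMailer copy. The following is an added example, not code from the original post or from PHPMailer, that pulls those fields out of a bounced message so the same triage can be repeated across hundreds of bounces. It assumes the `X-PHP-Script` value follows the `<site>/<path> for <client ip>[, <client ip>]` shape seen in the sample; the embedded message is a constructed copy of the post's headers with the `Received` continuation lines re-folded so a standard parser accepts them.

```python
import email
import re

# Constructed sample (the post's header block, continuation lines re-indented).
SAMPLE = """\
Return-path: <mamie_white@carmento.com>
Received: from carmento by webcloud52.au.syrahost.com with local (Exim 4.85)
\t(envelope-from <mamie_white@carmento.com>)
\tid 1ZLVPJ-0010EZ-1w
\tfor okieron@hotmail.com; Sat, 01 Aug 2015 19:56:58 +0800
To: okieron@hotmail.com
Subject: 1 Quick B00ty Match is waiting
X-PHP-Script: carmento.com/ for 127.0.0.1, 127.0.0.1
Date: Sat, 1 Aug 2015 11:56:52 +0000
From: Mamie White <mamie_white@carmento.com>
Message-ID: <aca23ed110356f83c813ee4b3708d7dd@carmento.com>
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0

(body omitted)
"""


def _flat(msg, name):
    """Return a header value with folding whitespace collapsed, or '' if absent."""
    return " ".join(str(msg.get(name, "")).split())


def triage(raw_message):
    """Extract the fields that attribute a PHP-originated spam message to its source."""
    msg = email.message_from_string(raw_message)
    out = {}

    m = re.search(r"<([^>]+)>", _flat(msg, "Return-path"))
    out["envelope_sender"] = m.group(1) if m else None
    out["sender_domain"] = (out["envelope_sender"].rpartition("@")[2]
                            if out["envelope_sender"] else None)

    received = _flat(msg, "Received")
    # "with local": the MTA accepted the message from a local process
    # (e.g. sendmail invoked by PHP), not from an SMTP client.
    m = re.search(r"\bwith (\w+)\b", received)
    out["injected_locally"] = bool(m and m.group(1) == "local")
    m = re.search(r"\bby (\S+)", received)
    out["sending_host"] = m.group(1) if m else None

    # Assumed format: "<site>/<path> for <client ip>[, <client ip>...]"
    m = re.match(r"(?P<script>\S+) for (?P<addrs>.+)", _flat(msg, "X-PHP-Script"))
    out["php_script"] = m.group("script") if m else None
    out["client_addrs"] = [a.strip() for a in m.group("addrs").split(",")] if m else []

    out["mailer"] = _flat(msg, "X-Mailer") or None
    out["uses_phpmailer"] = bool(out["mailer"] and out["mailer"].startswith("PHPMailer"))
    return out


def summarize(info):
    """One-line verdict a site owner can act on."""
    if info["injected_locally"] and info["php_script"]:
        return (f"Sent by a PHP script under {info['php_script']} on {info['sending_host']} "
                f"as {info['envelope_sender']} (mailer: {info['mailer']}); "
                f"look for a rogue .php file under that site's document root.")
    return "Not attributable to a local PHP script from these headers."


if __name__ == "__main__":
    info = triage(SAMPLE)
    for key, value in info.items():
        print(f"{key:18} {value}")
    print(summarize(info))
```

Run over every bounce the hosting provider's Mailer-Daemon returns, the `php_script` and `client_addrs` fields quickly show whether one script or several are responsible and whether the trigger requests came from localhost or from outside.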

  • Sajid

    Hi @Malkiat

    Hope you are doing good today :slight_smile:

    The PHPMailer class does not send the spam by itself; it is probably being triggered by spam/hack bots misusing some vulnerable extension, by leftover backdoor malware scripts, or both.

    You have to make sure you do not have any unwanted script on your website that may be triggering the emails. To scan your website I would suggest installing the WordFence or Better WP Security plugin to find vulnerabilities.
    https://wordpress.org/plugins/wordfence/
    https://wordpress.org/plugins/better-wp-security/

    Mostly, it's caused by using outdated plugins or themes. Keeping your WordPress sites up to date helps you avoid getting hacked as often. Please update all your plugins/themes/scripts.

    Take care and have a nice day :slight_smile:

    Cheers, Sajid

  • Malkiat

    Hi Sajid,

    Thank you very much for your help. I have installed wordfence and the scan results have found out some files which are infected.

    Some of these files are the files for a plugin, wpclient, which is quite important for our website. I am not sure how I can clean these files. If I delete a file, it might break the plugin. If I delete or uninstall the plugin, I might lose the client data and files which they have uploaded (not sure what will happen).

    Could you please advise?

    Kind regards,
    Malkiat Singh

  • Sajid

    Hi @Malkiat

    Hope you are doing good today :slight_smile:

    Is this plugin updated? If not, then updating the plugin will fix this issue. If you or your developer made changes in the core files of this plugin, then make sure you take a backup of those files. Otherwise I don't think it will break your website or remove your clients' data.

    If it is updated, then uninstalling/deleting and installing it again also should not remove your clients' data or files. But make sure you take a backup first before updating/installing it again.

    Also post in their support forum and see what they say about updating it or follow their updating and installation guides.
    https://wp-client.com/update/

    It's also good practice to take scheduled backups of your website, so you can restore to a previous version if something goes wrong.

    Take care and have a nice day :slight_smile:

    Cheers, Sajid
