malware from spammers entering into this theme

Hi. I had a domain with your directory theme installed on a WordPress version around 4.2. The site was idle there for a couple of years. Meanwhile there were several user registrations (subscribers) over the months, but I was completely ignoring them until now. These days I noticed strange files in the FTP folder from this theme, with a cron job made to send emails, and several emails to be sent under exim. It looks like these registered users were being used for some spam activity. I went today to the admin users list and there were almost 900 users there, none of them made by me. There might be an exploit somewhere! Does anyone know where the hackers are entering into the theme to be able to create files and run cron jobs and stuff?

Created: October 22, 2015 at 12:59 am
  • In: Directory Theme
  • Started by: Luciana
  • 3 members left 6 comments
  • Last reply from: Luciana

  • Luciana
    October 22, 2015 at 1:02 am

    plugins installed:

    [DISPLAY] – Pricing Table
    [MISC] – Taxonomies
    [MISC] – Terms and Conditions
    Preserved Html Editor Markup
    Revolution Slider

  • sabine
    October 23, 2015 at 1:59 am

    The theme comes with an option for users to create accounts. So 900 people (or bots) registered at your page.

    As for the file changes and cron job, guess your hosting account is compromised. Maybe get your hoster on board to make the account secure.

  • Clive
    October 23, 2015 at 8:04 am

    You’ve been hacked, Luciana.

    Maybe time to get decent hosting, as your existing hosts look pretty useless.

  • Luciana
    October 23, 2015 at 2:49 pm

    The host is very decent, it’s not shared and it’s managed. Based on what you say it’s useless?

    I’m saying they are using this theme to hack into, so I wonder where the exploitable code is so I can fix it.

  • Luciana
    October 23, 2015 at 2:53 pm

    They used the register option, yes, but this shouldn’t by itself open a door to them saving files and using those emails to send spam. The theme might have a flaw where they are entering and becoming able to save a cron file; otherwise they would not be using this particular theme to create emails and create the files. There might be an exploitable form somewhere in this theme. They were creating files only in this theme’s folder, and there are many other WP installs over there that were not touched.
