If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


My Website Is Compromised – Seeking Solutions

Started by jbench21, Aug 17, 2024, 01:13 AM


jbench21 (Topic starter)

Hello!

It seems my website has been hacked! I'm using WordPress for my blog. When registering, the hacker enters a different email address in the field, along with some strange URL for a fake site in the name field. I have the Newsletters plugin (https://www.thenewsletterplugin.com/).

There is some protection against injections in the name field. As an experiment, I tried to put in this nonsense myself and send it to my email, but it didn't go through. I checked the IP addresses from where it was sent (I wanted to block them), but they were from mobile operators like MTS, TELE2, MEGAFON. Blocking those will end up blocking all mobile users. The plugin statistics show that all subscriptions are coming from a page with the http protocol and two slashes, while I have https, and there's a redirect. Trying to access a link with http and two slashes redirects me to the main site page, so I couldn't find that page. Also, the nginx and Apache servers keep restarting a few times every hour!

Actions taken:

* I've activated the Akismet Anti-Spam plugin, which has cut the amount of spam email several times over; it used to be 50-60 a day, and now it's around 5-6.

* My home computer (from which I log in) was scanned for viruses, but I didn't check my mobile phone (I do use it sometimes, but not at the moment).

* The server was scanned with the AI-BOLIT tool, but nothing was found; the spam problem persists!

* I looked through the server access log and found out that the sending is being done by my script from the plugin.

* Reviewing main.log didn't show any issues either. I noticed my Gmail email (*******@gmail.com) popping up repeatedly; maybe it's been hacked along with my Google account?

* A manual check of the server files didn't show anything suspicious; I went through folders for any odd PHP scripts and checked .htaccess content.

* I ran a command via SSH in the terminal:

grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /var/www/ > /var/www/backlist.txt

The generated file was retrieved and examined, but it was empty.

* While looking at log files, it was observed that email addresses were constantly being picked from the domain by swapping in various words before the @ sign. If a name is guessed correctly, it sends mail to the target.

Proposed actions:

Changed passwords for SSH, email and DB - done!

The hacker keeps working!

QUESTIONS:

* How is such spam sent (in general terms, if possible)? Has the attacker taken full control over the site?

* What's this page using the http protocol and two slashes that redirects to my main site, and how do I find it?

* Can a spammer operate through a Google account and my email ********@gmail.com?

* What might be causing the nginx and Apache servers to keep restarting, and how to investigate this?

* Should I change passwords for my Google account and my *******@gmail.com email?

* Which command can I use to check ALL the files for changes on the server in the last 2-3 months via SSH?

* Can a DOS attack be executed from outside, while the sender's email is logged, or is something actually being uploaded to the server?

Thank you so much ahead of time for a detailed response; I'd appreciate any advice and links to helpful guides!


eduboans

Regarding how the spam is being sent, it's possible that the attacker has exploited a vulnerability within the plugin or your WordPress installation. WordPress sites are often targeted due to outdated plugins or themes. If the attacker can inject malicious code, they might be able to send spam directly through your website without needing full control. You should check if the Newsletters plugin is up to date and look for any known vulnerabilities.

For the issue with the page using the http protocol and two slashes, this might indicate a misconfiguration or an entry point of the attack. It sounds like the links aren't being properly sanitized. To find this page, you could try searching your logs for entries that include the strange URL structure. Monitoring the access logs closely when you suspect the activity is being conducted can help identify where the request might originate from.

As for your Google account, yes, it's possible that an attacker could use it to send spam if it has been compromised. If someone has access to your Gmail, they could potentially send emails from your account or use it to access other linked accounts, leading to even more issues.

The frequent restarts of your nginx and Apache servers could suggest that there's either an issue with the server configuration or a DoS (Denial of Service) attack happening. Check your server resource usage, focusing on CPU and memory. Look at the error logs as well; they may indicate what's causing the crashes. If you've experienced a significant increase in traffic just before the restarts, consider setting rate limiting on your server to mitigate these attempts.

Yes, it's wise to change the passwords for your Google account and any email accounts that you suspect may be compromised. It's a good security practice, especially if you see strange activities.

To check all files for changes on your server in the last 2-3 months, you can use the `find` command in your SSH session. Something along the lines of:

find /var/www/ -type f -mtime -90

This command will help you find any files modified in the last 90 days.

Lastly, regarding a DOS attack, yes, it can be executed externally. If someone is flooding your contact form or subscription API with requests, the email being logged doesn't mean they're accessing your server from inside. You might want to implement some rate limiting or a CAPTCHA form to reduce the volume of submissions.

Seek out security plugins for WordPress that can help harden your website against attacks, and consider setting up a web application firewall (WAF) to intercept malicious traffic. Also, regularly back up your site so you can restore it to a clean state if necessary.
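The reply above suggests searching the access log for the odd http:// double-slash URL structure and for the traffic that feeds the subscription form. As an added example (not from the thread and not part of the Newsletter plugin), this Python snippet reads combined-format nginx/Apache log lines and flags subscription POSTs whose Referer is inconsistent with a real visitor on an https-only site; the form path /newsletter/subscribe, the host example.test and the log lines themselves are all constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in nginx/Apache "combined" format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Aug/2024:00:41:02 +0000] "POST /newsletter/subscribe HTTP/1.1" 200 512 "http://example.test//blog/" "Mozilla/5.0"
198.51.100.7 - - [17/Aug/2024:00:42:30 +0000] "GET /blog/ HTTP/1.1" 200 10240 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [17/Aug/2024:00:43:01 +0000] "POST /newsletter/subscribe HTTP/1.1" 200 512 "https://example.test/blog/" "Mozilla/5.0"
192.0.2.55 - - [17/Aug/2024:00:44:12 +0000] "POST /newsletter/subscribe HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def suspicious_subscriptions(log_text, site_host, form_path):
    """Flag POSTs to the subscription form whose Referer does not look like a browser
    that loaded the https site. Returns [(ip, referer, [reasons]), ...] in log order."""
    # Unparseable lines are skipped rather than guessed at.
    entries = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    browsed = {e["ip"] for e in entries if e["method"] == "GET"}  # IPs that loaded a page first
    findings = []
    for e in entries:
        if e["method"] != "POST" or e["path"] != form_path:
            continue
        ref, reasons = e["referer"], []
        if ref in ("", "-"):
            reasons.append("no referer")
        else:
            parts = urlsplit(ref)
            if parts.scheme == "http":
                reasons.append("plain-http referer on https site")
            if parts.hostname != site_host:
                reasons.append("foreign referer host")
            if "//" in parts.path:
                reasons.append("doubled slash in referer path")
        if e["ip"] not in browsed:
            reasons.append("form posted without loading any page")
        if reasons:
            findings.append((e["ip"], ref, reasons))
    return findings

def analyse_sample():
    """Run the check over the constructed sample; a real run would pass the access log text."""
    return suspicious_subscriptions(SAMPLE_LOG, "example.test", "/newsletter/subscribe")
```

Run against the real access log, the flagged IPs and referers show where the plain-http double-slash submissions come from without having to find the phantom page in a browser.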

zniakreebeoq

I recall how webmasters in times gone by started by learning the basics of html and css to build their webpages. They then progressed to understand PHP, JavaScript and many other coding languages, enhancing their skills by refining the code they wrote.

Nowadays, you can just install something like WordPress on almost any hosting platform and create yet another subpar website from it. In the midst of sifting through the mess you've created, you might find yourself posting impotent questions on forums trying to figure out what went wrong.

patricka

I have seen many people lose their minds over what they refer to as crowd marketing. It's like they believe they are way more clever than the rest of us when they share content like that. This kind of behavior makes me wonder if they understand the impact of their actions.
They're a bit out of touch, not recognizing that true engagement comes from genuine connections, not just flashy promotions. In fact, these tactics might backfire, leading to more skepticism than trust among potential customers. Such an approach usually doesn't yield the desired results.

