One of my servers is using the latest version of WordPress and some plugins. My email suddenly started receiving hundreds of ‘Undelivered Mail Returned to Sender’ emails. After some investigation I traced this back: a few minutes before the emails began, a file called inc.php was created in wp-content/plugins/php-execution-plugin/includes, and it was sending the spam emails.
How do I find out how inc.php was created?
How do I prevent other similar files being created?
The from line of the email source is From: “Starbucks” support@mysite.com.au. The “Starbucks” portion is not a valid user on my site, while support@mysite.com.au IS a valid email address.
Is there a way to prevent email from an invalid user from being sent out?
I have done some more reading about SMTP Server Options. Would adding ‘permit_mynetworks permit_sasl_authenticated reject’ in Restrictions on sender addresses on the SMTP Server Options page stop emails being sent by an invalid user?
It’s difficult to prevent a valid user on your server from sending emails… although an invalid user somehow gained access to WordPress on your server, once they did so the system treats them as a valid user.
There are a lot of systems on your server that expect to be able to send emails as a local user without having to authenticate with Postfix (cron, for example).
As far as how they got in – that’s difficult to say, though it may have been through a vulnerable plugin. They also could have guessed a WordPress user’s password.
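As an added example (not part of the original thread): one way to approach the question of how inc.php was created is to list the POST requests in the web server access log from the minutes before the file's timestamp and tag each one as a login request or a plugin request, the two routes suggested in the reply. The log lines, the timestamp and the `example-plugin` path are constructed, and the combined log format is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in "combined" access log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:02:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [12/Mar/2015:02:14:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.9 - - [12/Mar/2015:02:15:02 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 48 "-" "-"
203.0.113.7 - - [12/Mar/2015:03:40:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(path):
    """Map a request path to the entry route it would point to."""
    if path.startswith(("/wp-login.php", "/xmlrpc.php")):
        return "login"
    if path.startswith("/wp-content/plugins/"):
        return "plugin"
    if path.startswith("/wp-admin/"):
        return "admin"
    return "other"

def posts_before(log_text, created, window_minutes=10):
    """Return POST requests logged in the window leading up to `created`."""
    start = created - timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and start <= when <= created:
            hits.append((when.strftime("%H:%M:%S"), ip, path,
                         classify(path), int(status)))
    return hits

# Constructed timestamp. On a live system, take it from the file's mtime:
# datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
CREATED = datetime(2015, 3, 12, 2, 15, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in posts_before(SAMPLE_LOG, CREATED):
        print(*hit)
```

The file's mtime can be changed by whoever wrote the file, so treat the window as a starting point and widen it if nothing relevant shows up.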