Just migrated to DO with a multisite WordPress/WooCommerce and have noticed some issues in my syslog:

“host mx-aol.mail.gm0.yahoodns.net[98.136.101.116] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.101.116] while sending RCPT TO
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)”

I have deleted all users who are spam and have not registered as WooCommerce customers, but my stack is still trying to send out emails to people.

Any ideas what could be causing this?

1 comment
  • To the owners,
    I am 46 years old. My fourth university; I am still studying at YILDIZ TECHNICAL UNIVERSITY, Computer Engineering program. My second year in school. You can call by phone or mail the university about me.
    Last night, 09.05.2020 at 00:05 am, I was surfing the internet. I saw an ad in GITHUB PAGES about DIGITAL OCEAN (50 USD free for GitHub Education users) and I wanted to use this opportunity. When I came to Digital Ocean it said to me that 100 USD is free if I join. I decided to join the site.
    I did whatever the site (DIGITAL OCEAN) said to me. I gave the CREDIT CARD DETAILS. I gave my PASSPORT picture. THEN FOR THE VALIDATION I used my CAM to send them ONLINE. Then afterwards I gave my telephone (CELLULAR) number and we established a LIVE CONNECTION; I gave all the details they wanted from me about me.
    APPROX. 1 hour I spent, but I finished. AFTERWARDS the screen said that THEY DID NOT ACCEPT my APPLICATION.
    In 46 years, I did not feel THIS KIND OF IDIOT. It was awful. I am MUSTAFA SENTURK and I am 46 years old and I am a UNIVERSITY STUDENT and I am a GITHUB USER and I did everything the DIGITAL OCEAN SITE wanted from me. ALL OF THE THINGS THAT HAPPENED ARE RECORDED. They also recorded all the things that happened to me. I WROTE THEM SEVERAL TIMES to answer back to me and apologize, but UNFORTUNATELY they still go back to me. Afterwards, never mind, no need to come back.
    THIS IS RACISM. Totally RACISM. And all of my rights are secret and I will go to the international court for this disgusting behaviour.

    Mustafa Senturk


3 answers

Hey friend,

I would suggest that your website has been compromised and is being used to send out spam. First, you should block outbound email while you look into this. Run this:

# drop outbound SMTP (25), submission (587) and SMTPS (465) from this host
for i in 25 587 465; do iptables -I OUTPUT -p tcp --dport $i -j DROP; done

When you’re ready to unblock later, do this:

# delete the same three DROP rules again
for i in 25 587 465; do iptables -D OUTPUT -p tcp --dport $i -j DROP; done

Once you have email blocked, make sure not to panic. A compromised WordPress site is so incredibly common that you are among friends. It happens, it's not your fault; almost everyone who uses it has at some point placed trust in someone who let them down. That could be a plugin developer, a theme developer, or perhaps more rarely just that you never updated the base WordPress. Something was vulnerable and was used to, most likely, upload files to your website that are being used to execute the spam.

There’s no single list of steps that I can give you to resolve it, it’s very relative. What I can do is give you great documentation that can help you to know how to repair it. Check these out:

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
https://sucuri.net/guides/how-to-clean-hacked-wordpress
https://codex.wordpress.org/FAQ_My_site_was_hacked

I think between the three of those articles, you’re going to have all of the information that you need.

Jarland
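The deferral lines in the question only show which remote MX is refusing mail; they do not say where the mail came from. Postfix also logs a "pickup" line for every message handed to it locally, carrying the submitting uid, and on Debian/Ubuntu uid 33 is www-data, so a deferred message whose pickup line says uid=33 was injected by the web server, which is exactly the diagnosis in the answer above. The script below is an added example, not code from the original thread; it joins the two kinds of lines on the queue ID. The sample log it writes is constructed: the two "said: 421 4.7.0" lines follow the format quoted in the question, while the pickup/qmgr lines, the third message (uid 1000, user sammy, relay mail.example.com) and the PIDs are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): correlate Postfix deferrals with
# the local process that submitted each message. Postfix logs a "pickup" line
# per locally submitted message carrying the submitting uid; uid 33 is
# www-data on Debian/Ubuntu, i.e. mail injected by PHP.

# Write a constructed sample mail log (see the lead-in for what is invented).
write_sample_maillog() {
    cat > "$1" <<'EOF'
Dec 11 12:24:10 lamp-s-1vcpu-1gb-lon1-01 postfix/pickup[2101]: 56114407A7: uid=33 from=<www-data>
Dec 11 12:24:10 lamp-s-1vcpu-1gb-lon1-01 postfix/qmgr[2103]: 56114407A7: from=<www-data@lamp-s-1vcpu-1gb-lon1-01>, size=2310, nrcpt=1 (queue active)
Dec 11 12:24:11 lamp-s-1vcpu-1gb-lon1-01 postfix/pickup[2101]: 8DA29407AB: uid=33 from=<www-data>
Dec 11 12:24:12 lamp-s-1vcpu-1gb-lon1-01 postfix/pickup[2101]: 1A2B3C4D5E: uid=1000 from=<sammy>
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.101.116] while sending RCPT TO
Dec 11 12:24:20 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2257]: 1A2B3C4D5E: to=<ops@example.com>, relay=mail.example.com[203.0.113.5]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 OK)
EOF
}

# deferred_by_submitter LOGFILE
# Prints one line per queue ID that a remote MX deferred (4xx) or dropped:
#   QUEUEID SUBMITTER RELAY
# where SUBMITTER is "uid=N from=<user>" from the pickup line, or "unknown"
# when the message did not come in through pickup (e.g. via SMTP).
deferred_by_submitter() {
    awk '
        # syslog fields: $1-$3 timestamp, $4 host, $5 "postfix/daemon[pid]:", $6 "QUEUEID:"
        { id = $6; sub(/:$/, "", id) }
        $5 ~ /^postfix\/pickup\[/ && $7 ~ /^uid=/ { submitter[id] = $7 " " $8 }
        $5 ~ /^postfix\/smtp\[/ && $7 == "host" && / said: 4[0-9][0-9] / { relay[id] = $8 }
        $5 ~ /^postfix\/smtp\[/ && $7 == "lost" && $8 == "connection"   { relay[id] = $10 }
        END {
            for (id in relay)
                printf "%s %s %s\n", id, (id in submitter ? submitter[id] : "unknown"), relay[id]
        }' "$1" | sort
}

# problem_submitters LOGFILE
# Summarises the above per submitter as "COUNT uid=N from=<user>", busiest first.
problem_submitters() {
    deferred_by_submitter "$1" | awk '{ n[$2 " " $3]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Demo on the constructed sample.
tmp=$(mktemp)
write_sample_maillog "$tmp"
echo "deferred messages and who submitted them:"
deferred_by_submitter "$tmp"
echo "deferrals per submitter:"
problem_submitters "$tmp"
rm -f "$tmp"
```

On a real box run `deferred_by_submitter /var/log/mail.log` (the path is an assumption; it is where Debian/Ubuntu put Postfix logs). Every offending queue ID showing uid=33 confirms the web server is the source. `postqueue -p` lists what is still queued and `postcat -q QUEUEID` prints a queued message; if `mail.add_x_header` is enabled in php.ini, its `X-PHP-Originating-Script` header names the PHP file that called mail(), which shortcuts the search in the web logs.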

OK thanks, I will let you know how I get on, and thanks very much for all the information and links. I am currently deep scanning my site with Wordfence and will run at least 3 different plugins on it and see what happens. I have deleted all plugins that I wasn't using and also deleted a few themes that were not being used.

I can't really scan via SSH for changed files as I guess this may have been long-term. I think this because I have never had access to my mail logs, or this is the first time I have had to access them.

I just can't believe that my last host didn't pick up on this.

Cheers

I have fully scanned using Wordfence, GOMIS?? and Sucuri and nothing has found anything, yet my mail logs are still sending out spam.

OH DEAR

  • Let's assume you're running Apache on Ubuntu, but know that the log file name and location are going to vary on anything else. In that assumption, here's what I'd be running:

    tail -f /var/log/apache2/access.log | grep "POST"

    What I'm assuming here is that someone is pushing emails through a PHP script on the site, and to do so they're making a POST request to something on the site. Most people don't have floods of POST requests unless there's a spam-like event going on. So if you see a flood of people making POST requests to a file, I'd bet money that this file is the one responsible.

    • After running your tail on the access log and clearing the mail queue, I think I might have defeated it and my server appears not to be sending out any more spam.

      Thanks to everyone on here.

      I will endeavor to help other people whenever I can.

      I might write an updated article about moving a WordPress/WooCommerce multisite installation to DO and configuring all Let's Encrypt certs with Apache confs etc.
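Watching `tail -f | grep "POST"` works when the flood is live, but a spammer who fires in bursts, or a log that has already rotated, is easier to read by counting. The script below is an added example, not code from the thread: it tallies POST requests per path in an Apache combined-format access log and reports how many distinct client IPs drove each path, since a few IPs hammering one file under wp-content/uploads/ is the signature the answer above describes. The sample log is constructed; the client IPs (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), the planted cache.php, the timestamps and the user agents are invented, and nothing in it comes from the original poster's server.

```shell
#!/bin/sh
# Added example (not from the original post): find the script a spammer is
# driving with POST requests by counting POSTs per path in an Apache access
# log, instead of eyeballing "tail -f | grep POST".

# Constructed sample in Apache "combined" format (see the lead-in).
write_sample_accesslog() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [11/Dec/2019:12:23:58 +0000] "GET /shop/ HTTP/1.1" 200 48212 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Dec/2019:12:23:59 +0000] "POST /wp-content/uploads/2019/11/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2019:12:24:01 +0000] "POST /wp-content/uploads/2019/11/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Dec/2019:12:24:02 +0000] "POST /wp-content/uploads/2019/11/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.22 - - [11/Dec/2019:12:24:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2019:12:24:04 +0000] "POST /wp-content/uploads/2019/11/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.22 - - [11/Dec/2019:12:24:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 21044 "-" "Mozilla/5.0"
203.0.113.22 - - [11/Dec/2019:12:24:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Dec/2019:12:24:07 +0000] "POST /wp-content/uploads/2019/11/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [11/Dec/2019:12:24:08 +0000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/5.3"
EOF
}

# top_post_targets LOGFILE [MIN_HITS]
# Prints "HITS DISTINCT_IPS PATH" for every path that received at least
# MIN_HITS POST requests (default 5), busiest first. Many hits from few IPs
# on a .php file under wp-content/uploads/ is the classic planted-mailer signature;
# wp-login.php and wp-cron.php are the usual legitimate POST targets.
top_post_targets() {
    awk -v min="${2:-5}" '
        # combined-log fields: $1 client IP, $6 quote+method, $7 request path
        $6 == "\"POST" {
            hits[$7]++
            seen[$7 SUBSEP $1] = 1
        }
        END {
            for (k in seen) { split(k, p, SUBSEP); ips[p[1]]++ }
            for (path in hits)
                if (hits[path] >= min) printf "%d %d %s\n", hits[path], ips[path], path
        }' "$1" | sort -rn
}

# Demo on the constructed sample: only paths with 3 or more POSTs.
tmp=$(mktemp)
write_sample_accesslog "$tmp"
top_post_targets "$tmp" 3
rm -f "$tmp"
```

Run it against `/var/log/apache2/access.log` (and the rotated `access.log.1`) with a threshold that suits the site's normal traffic. Once a path stands out, `ls -la` on it shows owner and modification time, and a PHP file inside the uploads tree is a finding on its own, since WordPress never writes executable code there.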
