Anonymous
I have been targeted a couple of times and I believe it relates to the Mailpoet hack, although I could be wrong (I’ve never had Mailpoet).
It happened a few weeks ago and a theme was installed and a new user was added called Jakonda. Files were modified and spam was added to the website.
I changed passwords, deleted the theme and user and tried to clean the files and installed Wordfence.
The same thing has just happened again but this time it deleted the Wordfence install.
I have checked the server logs and this is what shows each time:
[15/Feb/2019:12:07:56 +0000] "POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1" 200 20 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0)
From then, various plugins are installed, e.g.:
[15/Feb/2019:12:08:23 +0000] "POST /wp-content/plugins/cherry-plugin/admin/import-export/upload.php HTTP/1.1" 404 6238 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
I have run your scan but nothing is found.
How can I ensure that this is dealt with?
I can send the full server logs if it will help more?
Kind regards
Scott
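
An added example, not part of the original post: a Python triage script that scans access-log lines for the two POST requests quoted above and separates those that did not return 404. The sample lines, client IP and user agent are constructed, and the combined log format is an assumption based on the quoted lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths and parameters are taken from the two log lines quoted in the post.
ADMIN_POST = "/wp-admin/admin-post.php"
UPLOAD_PATH = "/wp-content/plugins/cherry-plugin/admin/import-export/upload.php"
# Matches with or without the leading "IP - -" fields of a combined log line.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (timestamp, label, status) for a matching POST, else None."""
    m = LINE_RE.search(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    if (url.path == ADMIN_POST
            and query.get("page") == ["wysija_campaigns"]
            and query.get("action") == ["themes"]):
        label = "wysija_campaigns themes request"
    elif url.path == UPLOAD_PATH:
        label = "cherry-plugin upload.php request"
    else:
        return None
    return m["ts"], label, int(m["status"])

def triage(lines):
    """Return (all hits, hits whose status was not 404)."""
    hits = [h for h in map(classify, lines) if h]
    # 404 means the requested path was not found on the server;
    # any other status is worth checking against file and user changes.
    follow_up = [h for h in hits if h[2] != 404]
    return hits, follow_up

# Constructed sample lines (documentation IP range, placeholder user agent).
SAMPLE = [
    '203.0.113.7 - - [15/Feb/2019:12:07:50 +0000] "GET / HTTP/1.1" 200 5120 "-" "example-agent"',
    '203.0.113.7 - - [15/Feb/2019:12:07:56 +0000] "POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1" 200 20 "-" "example-agent"',
    '203.0.113.7 - - [15/Feb/2019:12:08:23 +0000] "POST ' + UPLOAD_PATH + ' HTTP/1.1" 404 6238 "-" "example-agent"',
    '203.0.113.7 - - [15/Feb/2019:12:09:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "example-agent"',
]

if __name__ == "__main__":
    hits, follow_up = triage(SAMPLE)
    for ts, label, status in hits:
        flag = "FOLLOW UP" if status != 404 else "not found"
        print(f"{ts}  {status}  {label}  [{flag}]")
```

The timestamps of the follow-up hits give a starting point for comparing against file modification times and user creation dates on the site.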