Spam Mail Via Qmail
11.php allows a remote user to input e-mail information into fields as a one-off e-mail sender.
send.php allows e-mail information to be passed in as arguments, making it a script-based execution from the executing system.
I also noticed that 11.php would also change the time zone of my server, and I had noticed a 1 hour shift in time.
Both files have been removed and I have executed find/locates on my server to see if any additional copies exist, and found none.
What I find strange is that I can't seem to find anything through various Google searches that describe either of these files.
Anyway, if you are having issues with anonymous spam e-mails being sent, start with a find/locate of 11.php and send.php.
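As an added example (not from the original post or any reply in this thread), a POSIX shell sweep that does the find suggested above for 11.php and send.php, and additionally lists any PHP file under wp-content that calls mail() or date_default_timezone_set(), the two behaviours the post describes; the web root path is an assumption you supply:

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh, find, grep, sort.
# Usage: sh sweep.sh /var/www/html   (the web root path is your own input)

# Print a sorted, de-duplicated list of suspicious PHP files under $1.
find_mailer_scripts() {
    webroot="$1"
    {
        # 1. The two dropped filenames reported in the post.
        find "$webroot" -type f \( -name '11.php' -o -name 'send.php' \) 2>/dev/null

        # 2. Plugin/theme/upload PHP that calls mail() or changes the time zone.
        #    wp-includes legitimately wraps mail() in wp_mail(), so it is skipped;
        #    the leading (^|[^[:alnum:]_]) keeps wp_mail( from matching.
        if [ -d "$webroot/wp-content" ]; then
            find "$webroot/wp-content" -type f -name '*.php' \
                -exec grep -lE '(^|[^[:alnum:]_])(mail|date_default_timezone_set)[[:space:]]*\(' {} + \
                2>/dev/null
        fi
    } | sort -u
}

# Run only when a web root is given on the command line.
if [ "$#" -gt 0 ]; then
    find_mailer_scripts "$1"
fi
```

Review each hit against the plugin's original distribution before deleting it, since a legitimate contact-form plugin may call mail() too.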
2 Replies
I use the Wordfence plugin to keep an eye on WordPress file changes etc - you can set it to periodically scan WordPress core files, themes and plugins against WordPress.org repository versions to check their integrity.
I made a rookie mistake and left the default admin account active on this account for a few weeks when it was initially installed. I also found some code that had been added to the wp-config file, so I closed that stupid hole and reinstalled. I'm confident that was the hole that let them get in.
I am running fail2ban, have disabled ssh and basically followed many other recommendations to secure the server, so at this point I don't think anything else was compromised. Passwords have also been changed as a precaution.
The files were in an Ajax Calendar manager plugin and that plugin is simple. I have the original distro for the plugin and those files are not present, so I don't think the problem is related to the plugin itself.