grobmotoriker
Forum Replies Created
Forum: Plugins
In reply to: [MailPoet Newsletters (Previous)] 26,000 Spam Newsletter Signups
@ictbeheer
That’s the same IP that spammed our customer’s server.
@lickthespoon
I would first try the IP that Maarten mentioned. If it’s not, I found out that IP by using Apache’s status page and checking which IPs are accessing the same addresses over and over.
- This reply was modified 7 years, 5 months ago by grobmotoriker.
Forum: Plugins
In reply to: [MailPoet Newsletters (Previous)] 26,000 Spam Newsletter Signups
I’ve sent you detailed info about that over https://www.mailpoet.com/support/wordpress-forums/
Best regards
Forum: Plugins
In reply to: [MailPoet Newsletters (Previous)] 26,000 Spam Newsletter Signups
Well, in our case, the exploiting requests were originating from a single IP, yes. So, as a short term measure, you could try blocking that IP. I just checked, the IP didn’t change since the exploit started.
But of course, blocking the IP is not a safe thing, since the attack could start with a different IP at any time.
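An added example, not part of the original replies: one way to do the "which IPs are accessing the same addresses over and over" check from an Apache access log instead of the status page, grouping by request path first so the finding still holds if the client IP changes. The log lines, the path `/example-endpoint.php`, the documentation-range IPs and the threshold are all constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Prefix of an Apache common/combined access-log line:
# client IP, identd, user, [timestamp], "METHOD path protocol", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def repeated_posts(lines, threshold=3):
    """Return {path: Counter(ip -> hits)} for POST targets hit >= threshold times."""
    by_path = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["method"] != "POST":
            continue  # skip malformed lines and non-POST traffic
        path = m["path"].split("?", 1)[0]  # group regardless of query string
        by_path[path][m["ip"]] += 1
    return {p: ips for p, ips in by_path.items()
            if sum(ips.values()) >= threshold}

def report(findings):
    """Rows of (path, total hits, [(ip, hits), ...]), busiest path first."""
    rows = [(p, sum(ips.values()), ips.most_common())
            for p, ips in findings.items()]
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample input (placeholder path, documentation-range IPs).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2020:10:00:01 +0000] "POST /example-endpoint.php?x=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2020:10:00:02 +0000] "POST /example-endpoint.php?x=2 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2020:10:00:03 +0000] "POST /example-endpoint.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2020:10:05:00 +0000] "POST /example-endpoint.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2020:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '203.0.113.5 - - [01/Jan/2020:10:07:00 +0000] "POST /contact.php HTTP/1.1" 200 300',
    'not an access-log line',
]

if __name__ == "__main__":
    for path, total, ips in report(repeated_posts(SAMPLE)):
        print(f"{total:5d} POSTs to {path}")
        for ip, hits in ips:
            print(f"        {hits:5d}  {ip}")
```

Because the result is keyed on the path, a second source IP hitting the same endpoint shows up in the same row rather than slipping past a single-IP block.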
Forum: Plugins
In reply to: [MailPoet Newsletters (Previous)] 26,000 Spam Newsletter Signups
Hello @sincereblue,
I don’t have experience with the WordPress source code and the site is administrated by a different company (we are just hosting it), so I didn’t really dig into the code. For the moment, they just disabled the MailPoet plugin.
What I can tell you is that the exploit seems to completely bypass any authentication. I tested this with two websites on two different machines: the one that was sending spam, and a different machine which didn’t send spam so far, but, as it turned out, could also be exploited successfully. There is no authentication required, I could do this by just sending a simple POST request from my PC – and I didn’t even have any credentials for those websites. I think this is a serious issue that should be fixed quickly.
Forum: Plugins
In reply to: [MailPoet Newsletters (Previous)] 26,000 Spam Newsletter Signups
Sorry, unfortunately, I posted in a hurry. The problem I found is not a mass of signups, but spam being sent over wysija using an exploit.
Forum: Plugins
In reply to: [MailPoet Newsletters (Previous)] 26,000 Spam Newsletter Signups
Hi,
after updating to version 2.7.13, the problem apparently still exists. After dumping the HTTP traffic, I could successfully reproduce an exploit. Since it wouldn’t be pretty smart to exactly describe that here, how can I send you more information about that?