Support

Hi, I am hoping you can give some insights into the strangeness that just happened on this site.

I am fearing it has been hacked, but not sure how.

I think it might be a Siteground issue, but hoping you can help me pinpoint it.

On Friday, 9/16, Siteground sent me a message that northmooracreshoa.org was using too many CPU seconds, and if it continued, would be over the limit for the month.

I found in the WPNinja FluentSMTP logs that over 1000 emails had been sent in the past few days.

I contacted Siteground and they indicated that it was the internal WP cron job that was causing the issue, and if I just made it a Siteground cron job, all would be well.

That sort of helped, but this morning I log in and find that another 900+ emails have gone out.
I looked at the IP Blocked list and saw that the two IP's that kept coming up again and again in the FluentSMTP log were supposed blocked. Those two IP's are 173.201.191.163 and
162.55.54.35. I have added two screenshots of the FluentSMTP log, so you can see.

Thinking that the FluentSMTP software might be the problem, I told it to stop any sending emails at all. That's when the weird thing happened. It started sending emails noted at "simulated". That is one of the screenshots.

Then I deactivated FluentSMTP plugin altogether, which meant I couldn't view the log anymore. But there was still activity in the Siteground error log.

As a last resort, I added those two offending IP addresses to the Siteground Blocked IP List and the problem stopped.

But my puzzlement is to why Admin Tools was not stopping the problem. I also noticed that the graphs in Admin Tools stopped updating on 9/4/22.
I would appreciate any insights as to what I should do next. I think there is still an underlying problem.

Sincerely,
Carolyn

 

 

 

 

The ticket information has been edited by Carolyn Breninger (techgal).

Thank you for taking the time to sort this out for me.

I am very glad we had this conversation. Apparently I missed the part about the email only being used for a few days. I have taken it out of the WAF. I am puzzled what might have triggered it?

I was thinking the email needed to be in there for security notices to be sent. Thank you for correcting me on that.

 

I do have one other question, if I may - I did an outside scan with Sucuri sitecheck and it reported that it could not find a WAF in place. (Report attached). Is that a good thing?

 

The ins and outs of web security is not my strong suit. I really appreciate Akeeba Backup/Admin Tools and I tell people about them any time the question arises as to what security tools to use. :)

Thank you for your time.

 

 

 

 

Now that I know I was creating (unintentionally) my own problem, I feel more equipped to check my other installations to prevent the same from happening again.

Yes, I think Sucuri is trying to sell their own "cloud based" services and I was somewhat skeptical of their results.

Thank you so much for your explanations. :)