After installing a let’s call it “test-purposes-only” version of Social Stream plugin for wordpress (really nice, check it out), we find out at SMTP log what somewhere / something / somehow it’s caling home each minute, server relay limit was reached the first hour and clients sending hate messages (not from their usual mail accounts as might be expected), quick action needed.
Detect the problem is the easy part, all email relay attempt will produce an SMTP error and return to sender with a subject like “Mail delivery failed: returning message to sender”, inside email we should search for error code:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
SMTP error from remote mail server after initial connection:
host dedrelay.where.secureserver.net [188.8.131.52]:
554 x01.x.phx3.secureserver.net :
DED : AMx03h0dKpdu01 : DED : You've reached your daily relay quota -
We have our guilty (firstname.lastname@example.org), to find this you can access your WHM and the go to Email > Mail Delivery Reports (http://grab.by/xwzQ) and filter by the las 24 hrs., you should find lots of actovity to that account (http://grab.by/xwzU). So find where is the issue is next, use Exploit Scanner wp-plugin to find suspicious code blocks in your site (yes, this could take a while), then search for the decoded base64 (bitches love base64 to hede their ass) from that email account, using a service like http://www.base64encode.org/ now we search for the encoded value d29yZHByZXNzc2xvZ0B5YW5kZXguY29t in our Exploit Scanner results (Ctrl+F should do the job)
So, our target is in: /wp-content/plugins/wordpress-social-steam/inc/dcwp_langs.php, that file really shouldn’t be there, so for be shure lets just clean all inside, leaving only this:
/* nice try */
And thats all! Maybe if you want to reset your daily relay limit should contact your hosting provider
You should go back to WHM SMTP log, search again for the guilty account and no further messages should be sent from our server. At least, this works for my case, if you have any questions, please feel free to ask.