Removing Malicious Mailer Code From Your Site
The WordPress Security Learning Center
Removing Malicious Mailer Code From Your Site

3.6: Removing Malicious Mailer Code From Your Site

Advanced
Updated October 21, 2020

What is a Malicious Mailer?

A malicious mailer is code inserted into a website with the intent of using your site’s email functionality to send unwanted spam email messages. Malicious mailers are php scripts designed to quickly send spam. Attackers access the malicious mailer by sending the script both the email message and the target emails. As such, a malicious mailer is a fairly flexible script that can send a large number of emails based on the parameters sent to the file.

Determining if your site is infected

Site owners typically learn that their site is infected by a malicious mailer when their hosting provider notifies them that their site is sending out spam messages, or if their site is listed on a spam blacklist database.

Finding and Removing Malicious Mailers

Removal of malicious mailers requires an analysis of the site code. Mailers are typically found within php files on the web server. Most often, they are stand alone files but they can also be inserted into your core, plugin, or theme files. Malicious mailers can be found in any publicly accessible directory on your server. To remove the mailer, determine which file contains the mailing scripts and remove the file or remove the code within the valid file.

Malicious mailers are usually obfuscated (intentionally obscured to make code ambiguous). The code within a mailer is often complex as it is usually reading files that are uploaded to the server and mailing to a delimited set of email addresses.

function v78ZFAX($vJOJJ7T, $vRJ8WGX){$vM74216 = ''; 
for($i=0; $i < strlen($vJOJJ7T); $i++){$vM74216 .= isset($vRJ8WGX[$vJOJJ7T[$i]]) ? $vRJ8WGX[$vJOJJ7T[$i]] : $vJOJJ7T[$i];}
return base64_decode($vM74216);}

Looking Beyond the Malicious Mailer

If you find a malicious mailer on your web site, it is important to not only determine how that file was placed on your site, but also to find any other malicious scripts on your site. Attackers often place more than one malicious script on a site, and they often are coupled with other malicious attacks, such as backdoors and malicious file uploader.

It is also important to determine how the site was compromised. A review of the entire site is important.

If after reading this guide, you are unsure of how to remove malicious mailers, if you are looking for more answers as to how the malicious mailer was placed on your site, get help.

Did you enjoy this post? Share it!

The WordPress Security Learning Center

From WordPress security fundamentals to expert developer resources, this learning center is meant for every skill level. Get serious about WordPress Security, start right here.