We recently cleaned a real-world website infection where a hidden PHP backdoor was using the server as a spam sender. The site looked perfectly normal on the surface. No defacement, no broken pages, no visible signs of compromise. But behind the scenes, an attacker had turned it into a silent spam relay.
This is the kind of attack most site owners never notice until their server gets blacklisted and emails stop reaching inboxes.
What We Found
The infection was layered and deliberate. A malicious PHP dropper had been planted on the server, likely through an outdated plugin or a weak credential. Once in place, it did several things:
- Dropped an obfuscated script into the server's temp directory, making it harder to spot during routine file scans
- Hooked into PHP mail functions to hijack the server's email-sending capability
- Established communication with an external command-and-control (C2) server, allowing the attacker to trigger spam campaigns remotely
- Set up persistence through cron jobs, ensuring the malware would survive server restarts and basic cleanup attempts
The entire operation ran silently. The website continued to function normally for its visitors, which is exactly what the attacker wanted. A broken site gets investigated. A working site that quietly sends spam can operate for months undetected.
How the Attack Works
Understanding the attack chain helps explain why it is so effective:
1. Initial Access
The attacker gains entry through a common vulnerability — an outdated plugin with a known exploit, a weak admin password, or an unprotected file upload path. WordPress sites are frequent targets because of the sheer number of plugins and themes in the ecosystem, many of which are poorly maintained.
2. Dropper Deployment
Once inside, the attacker uploads a PHP dropper — a small script designed to download and install the actual malware payload. The dropper is usually obfuscated to bypass basic security scanners, typically with base64 encoding, PHP variable variables ($$name), and function names assembled by string concatenation, so that the real call never appears in plain text.
3. Payload Installation
The dropper places the main malicious script in a temp directory or a deeply nested folder within the WordPress installation. The script hooks into the mail functions (PHP's mail() or WordPress's wp_mail()) or installs its own SMTP relay capability.
4. C2 Communication
The malware phones home to a command-and-control server. This allows the attacker to send instructions remotely — start a spam campaign, change the spam content, update the malware, or even deploy additional payloads. The C2 traffic is often disguised as normal HTTP requests to avoid detection.
5. Persistence
Cron jobs are added to ensure the malware restarts if removed. Some variants also inject code into legitimate WordPress files or database entries, creating multiple paths for reinfection.
Our Cleanup Process
Cleaning an infection like this requires a systematic approach. Simply deleting the obvious malicious file is not enough — you need to find and eliminate every component of the attack chain.
Finding and Quarantining the Dropper
We started by scanning the file system for recently modified files, files with suspicious encoding patterns, and scripts in locations where PHP files should not exist (like temp directories and upload folders). The malicious dropper was identified, quarantined for analysis, and removed.
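The scan below is an added example (not the tooling used in this cleanup) that implements the three checks just described in POSIX shell: PHP files in directories that should hold none, the obfuscation markers named in the dropper section (eval, base64, variable variables, concatenated function names), and recently modified files. WordPress default paths under wp-content are assumed, and the sample docroot it builds is constructed.

```shell
#!/bin/sh
# Triage scan of a WordPress docroot. Added example, not the incident's own
# tooling. Findings are leads for manual review, not verdicts: legitimate
# plugins also call base64_decode().

# Markers common in droppers: eval, decode/inflate wrappers, variable
# variables ($$name), and function names assembled from string pieces or chr().
SUSPECT_RE='eval[[:space:]]*\(|base64_decode|gzinflate|gzuncompress|str_rot13|create_function|\$\$[A-Za-z_]|"[A-Za-z_]+"[[:space:]]*\.[[:space:]]*"|chr\([0-9]+\)[[:space:]]*\.'

# scan_php_suspects DOCROOT [DAYS]
# Prints LOCATION:/PATTERN:/RECENT: lines; exit status 0 when anything was flagged.
scan_php_suspects() {
  root=$1; days=${2:-7}
  findings=$(
    # 1. PHP in directories that should only ever hold static content.
    for d in "$root/wp-content/uploads" "$root/wp-content/cache" "$root/tmp"; do
      [ -d "$d" ] && find "$d" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) \
        | sed 's/^/LOCATION:/'
    done
    # 2. Obfuscation markers anywhere in the tree (one line per matching file).
    find "$root" -type f -name '*.php' -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null \
      | sed 's/^/PATTERN:/'
    # 3. Anything touched in the last DAYS days; compare with your deploy history.
    find "$root" -type f -name '*.php' -mtime "-$days" | sed 's/^/RECENT:/'
  )
  [ -n "$findings" ] && printf '%s\n' "$findings"
  [ -n "$findings" ]
}

# build_sample_tree DIR: constructed sample docroot so the scan runs stand-alone.
build_sample_tree() {
  mkdir -p "$1/wp-includes" "$1/wp-content/uploads/2024"
  printf '<?php\nfunction greet() { return "hello"; }\n' > "$1/wp-includes/clean.php"
  # Inert stand-in for a dropper: concatenated function name, variable variable,
  # eval. It is never executed; it is only text for the scanner to match.
  printf '<?php\n$f = "ba" . "se64_decode"; $g = "f";\neval($$g($data));\n' \
    > "$1/wp-content/uploads/2024/image.php"
}

# Run as: sh scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d); build_sample_tree "$demo"
  scan_php_suspects "$demo"; rm -rf "$demo"
fi
```

Point it at a real docroot with `scan_php_suspects /var/www/html 3` and review every PATTERN hit by hand before deleting anything.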
Identifying Outbound C2 Traffic
We examined server logs and network connections to identify the external endpoints the malware was communicating with. This helped us understand the scope of the compromise and confirm that no additional payloads had been deployed.
Removing Persistence Mechanisms
We audited all cron jobs, checking for entries that were not part of the normal WordPress or server configuration. Several malicious cron entries were found and removed. We also checked for backdoor accounts in the WordPress user table and unauthorized SSH keys.
Rebuilding from Clean Sources
Rather than trying to patch potentially compromised files, we rebuilt WordPress core and all plugins from verified clean sources. This eliminates the risk of modified core files that might contain injected backdoor code. Theme files were manually reviewed and cleaned.
Database Cleanup
The database was scanned for injected content — malicious JavaScript in post content, spam links in options tables, and rogue user accounts. Cache tables and transient data were purged to remove any cached malicious content.
Hardening the Installation
With the infection cleaned, we locked down the site to prevent reinfection:
- Restricted PHP execution in upload directories and other folders where scripts should never run
- Disabled the built-in file editor in WordPress to prevent code modification through the admin panel
- Updated all credentials including database passwords, admin accounts, and API keys
- Implemented proper file permissions following the principle of least privilege
- Configured server-level mail restrictions to prevent unauthorized use of mail functions
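As an added example, not the scripts used in this engagement, the helpers below apply four of the steps above: the upload-directory PHP block (Apache 2.4 syntax, assuming AllowOverride permits .htaccess), the DISALLOW_FILE_EDIT constant, least-privilege permissions, and php.ini controls that make mail() calls attributable; the file paths are assumptions.

```shell
#!/bin/sh
# Hardening helpers for the steps listed above. Added example, not the scripts
# used in this engagement. Apache 2.4 syntax; the .htaccess only takes effect
# where AllowOverride permits it. The nginx equivalent of block_php_in is
#   location ~* ^/wp-content/uploads/.*\.php$ { return 403; }

# block_php_in DIR: refuse to serve or execute any PHP variant found in DIR.
block_php_in() {
  cat > "$1/.htaccess" <<'EOF'
# Uploads hold media only; never execute scripts here.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# disable_file_editor WPCONFIG: define DISALLOW_FILE_EDIT once, before the
# wp-settings.php include so it is set before any plugin code runs.
disable_file_editor() {
  grep -q 'DISALLOW_FILE_EDIT' "$1" && return 0
  awk -v q="'" '/wp-settings\.php/ && !done {
        print "define(" q "DISALLOW_FILE_EDIT" q ", true);"; done = 1 } { print }' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  # Fallback for a config without the include line: append it instead.
  grep -q 'DISALLOW_FILE_EDIT' "$1" || \
    printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$1"
}

# least_privilege_perms DOCROOT: directories 755, files 644, wp-config.php 600,
# so the web server can read but not rewrite the code it serves.
least_privilege_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/wp-config.php"
}

# php_ini_controls INIFILE: tag every mail() call with the originating script
# (X-PHP-Originating-Script) and log it, so abuse is attributable, and drop
# the process-spawning functions a dropper relies on. Stage-test the last line:
# it breaks plugins that legitimately spawn processes.
php_ini_controls() {
  cat > "$1" <<'EOF'
mail.add_x_header = On
mail.log = /var/log/php_mail.log
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
EOF
}
```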
Verification
Finally, we monitored the site over several days to confirm no reinfection loop was active. Server logs, outbound connections, and file integrity were all tracked to ensure the cleanup was complete.
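An added file-integrity baseline and check, not the monitoring used in the incident, of the kind this verification step relies on: take the manifest right after the rebuild from clean sources and diff the live tree against it daily. The manifest path is an assumption and should live outside the docroot.

```shell
#!/bin/sh
# File-integrity baseline and check for confirming a cleanup has held.
# Added example, not the monitoring used in the incident. Paths containing
# whitespace are not handled (sha256sum's two-column output is split on it).

# fim_baseline DOCROOT MANIFEST: SHA-256 of every file under DOCROOT, sorted by
# path so two manifests compare cleanly. Take it immediately after the rebuild
# from clean sources and keep MANIFEST outside the docroot.
fim_baseline() {
  (cd "$1" && find . -type f ! -path './wp-content/cache/*' -print0 \
     | sort -z | xargs -0 sha256sum) > "$2"
}

# fim_check DOCROOT MANIFEST: prints ADDED:/MODIFIED:/REMOVED: lines against
# the baseline; exit status 0 only when the tree is unchanged. A new PHP file
# in uploads or a changed core file is exactly the reinfection signal.
fim_check() {
  [ -s "$2" ] || { echo "fim_check: empty baseline $2" >&2; return 2; }
  cur=$(mktemp); fim_baseline "$1" "$cur"
  # awk join on the path column: first pass loads the baseline, second pass
  # walks the current manifest and removes each path it sees.
  changes=$(awk 'NR == FNR { base[$2] = $1; next }
    !($2 in base)  { print "ADDED:" $2; next }
    base[$2] != $1 { print "MODIFIED:" $2 }
                   { delete base[$2] }
    END { for (p in base) print "REMOVED:" p }' "$2" "$cur")
  rm -f "$cur"
  [ -n "$changes" ] && printf '%s\n' "$changes"
  [ -z "$changes" ]
}
```

A cron entry that runs `fim_check /var/www/html /root/site.sha256 || mail -s "site changed" admin@example.com` turns this into the alert the prevention checklist asks for.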
Why This Happens
This type of attack is overwhelmingly common and usually comes down to a few root causes:
- Outdated plugins and themes — Known vulnerabilities in unpatched software are the number one entry point for WordPress compromises
- Weak credentials — Simple passwords on admin accounts, FTP, or database connections give attackers easy access
- Unsafe file upload paths — Upload directories that allow PHP execution let attackers run any code they upload
- Lack of monitoring — Without file integrity monitoring and log analysis, silent infections can run for months
- Shared hosting environments — One compromised site on a shared server can sometimes lead to cross-site contamination
Prevention Checklist for WordPress Site Owners
Keep your site safe with these practices:
- Keep everything updated — WordPress core, plugins, and themes should always run the latest versions
- Use strong, unique passwords — Enforce strong passwords for all accounts and enable two-factor authentication
- Restrict PHP execution — Add rules to prevent PHP from running in /wp-content/uploads/ and other non-essential directories
- Monitor your temp directories — Set up alerts for new files appearing in /tmp/ and other temporary paths
- Install a security plugin — Tools like Wordfence or Sucuri provide file integrity monitoring and firewall protection
- Regular backups — Maintain clean, tested backups so you can recover quickly if the worst happens
- Audit user accounts — Regularly review who has admin access and remove accounts that are no longer needed
- Use a Web Application Firewall (WAF) — A WAF can block many common attack patterns before they reach your site
The Bigger Picture
Silent abuse is far more common than visible defacement. Attackers do not want you to know they are there. A compromised server that sends spam, mines cryptocurrency, or serves as a proxy for other attacks is valuable precisely because it stays under the radar.
If you are running a WordPress site or any PHP-based application, treat security as an ongoing process, not a one-time setup. Patch regularly, monitor actively, and assume that if something can be exploited, someone is already trying.
At Xelent Solutions, we help businesses identify, clean, and prevent these kinds of infections. If you suspect your site has been compromised or want to strengthen your security posture, reach out to our team for a thorough assessment.
Need Help Securing Your Website?
Whether you are dealing with an active infection or want to prevent one, our team has the expertise to protect your business. From malware cleanup to ongoing security hardening, we have got you covered.
