Hacked
- Thread starter Grindstone
- Start date
They rewrote the page.php file with 17K characters of code. Tried to post it but there's a 10k limit. If anyone wants to look at it, let me know.
Yeah, scanning my WP site, I see that there's TONS of crap from other plugins putting 2.9.1 everywhere. Ugh....
Thanks a lot man. Not that I'm any more secure, but they won't be able to scrape for me as easily...
^ Well, WP is what got hacked, the page.php file specifically (so far) and I was able to login to cpanel and change the password.
I don't know, this shit is breaking my mind.
What file in the WP install would I try and change the password so I can log back into wp and check for any added users?
Thanks for all the help.
I don't know, this shit is breaking my mind.
What file in the WP install would I try and change the password so I can log back into wp and check for any added users?
Thanks for all the help.
You can go directly to the MySQL database, if you find any unauthorized users, edit their password to some random data. You could also delete them, but disabling and saving their info helps you identify any patterns they may be using.
Checked that, no new users. Looking about the wp-config file, there's an unfamiliar password for the database, tried using that to log into wp-admin, no luck.
Every new WP update has more holes than swiss cheese. That's why I am sticking to older versions and I do my own security tweaks when needed.
^^^ That.
And, then do a full delete / reinstall of all of your WordPress core files. I'd also axe your theme and plugin files if you aren't sure what to look for in them to make sure it's all good in the hood.
Then, check every folder that follows the default WordPress install scheme and punch yourself in the nuts once for every folder that's set to be world writable / fuckable (chmod 777).
Last edited:
How much traffic is the site seriously getting? Check your latest visitors logs in CPanel and see what's been accessed by IP - maybe do a little banning even if they're using proxies. Does the customer need foreign traffic?
Don't forget to nuke your HDD/Flash drives when you have sorted out your logins > Darik's Boot And Nuke | Hard Drive Disk Wipe and Data Clearing
It appears you have invariably been infected with a RAT/keylogger.
Hope it works outs!
It appears you have invariably been infected with a RAT/keylogger.
Hope it works outs!
Think somebody accessing this file after first hitting /wp-admin is up to no good?
hxxp://gogorton.com/wp-admin/css/colors-fresh.css?ver=20091217
Also, if multiple IP lookups don't have info on a IP address, proxie?
Yep. All foreign traffic is going elsewhere soon.
Also, make it a strict policy that all of your clients use SFTP and not FTP.
There have been a rash of exploits the last year or so of people getting clear-text passwords from FTP clients on Windows. Big chance this was the case with your issue.
Also seen a lot of xmlrpc recently. Believe that's what got techcrunch and shoemoney? I've disabled remote posting as an extra precaution.
Good lookin' out on the version number edit. I've had it removed from my theme but that seems like a much better step.
There have been a rash of exploits the last year or so of people getting clear-text passwords from FTP clients on Windows. Big chance this was the case with your issue.
Also seen a lot of xmlrpc recently. Believe that's what got techcrunch and shoemoney? I've disabled remote posting as an extra precaution.
Good lookin' out on the version number edit. I've had it removed from my theme but that seems like a much better step.
