griffman on "My site was ambushed...need help figuring out how"
[Note: I edited this post to contain the full .js file] Tonight, while checking my site backup's sync log, I noticed a folder named "1" in the output, residing at the top level of the wp-content...
jonimueller on "My site was ambushed...need help figuring out how"
Yep, someone here on the WP forums warned about it on March 13 and posted this link: (I cannot find the original WP post right now, but I did bookmark the link.) http://seo.mhvt.net/blog/?p=268
whooami on "My site was ambushed...need help figuring out how"
it would be useful to know what plugins you have on that site. let me guess -- you are using either wp-cache, or wp-db-backup? Or both?
macsoft3 on "My site was ambushed...need help figuring out how"
"Someone here on the WP forums warned about it on March 13..." That was our story. The article is shown at p=268. So you've got the right link. So far, at least 62 or 63 WordPress blog websites are known...
griffman on "My site was ambushed...need help figuring out how"
Plug-ins. I have a larger number installed, but only these are active (are non-active plug-ins exploitable??): Active Discussions 1.1 Addicted To Live Search 1.02 AJAX Comment Preview 1.2.1 Ajaxified...
whooami on "My site was ambushed...need help figuring out how"
If your wp-content directory is still writable, fix that. chmod 755. That's one of the first things I would be doing. I've argued against plugins and settings that require that for three years. As to...
macsoft3 on "My site was ambushed...need help figuring out how"
Thanks, griffman. I got it. jonimueller refers March 13 report to the one at seo.mhvt.net. If you can answer, what is the date stamp on those files in folder 1? Is it March 12 or 13? Or around 02:58 AM...
griffman on "My site was ambushed...need help figuring out how"
My wp-content directory is *not* generally writable, nor has it ever been generally writable. Here's what it's set up as: drwxr-xr-x Mar 16 08:42 wp-content I have removed the inactive plug-ins, and...
griffman on "My site was ambushed...need help figuring out how"
macsoft: The files were all timestamped 2:58am on the 15th. -rob.
macsoft3 on "My site was ambushed...need help figuring out how"
Thanks, griffman. That means they are constantly hacking WP blogs. There's an interesting code embedded in g.js. It's...
whooami on "My site was ambushed...need help figuring out how"
great Rob .. I'm looking forward to looking at them. If you like, I can provide a way for you to do some more intense logging, and I HIGHLY recommend finding out if your host has mod_security compiled into...
whooami on "My site was ambushed...need help figuring out how"
I found the exploit in your logs. Check your email in a few minutes. I will be emailing security@wordpress.org
whooami on "My site was ambushed...need help figuring out how"
There were http_posts sent to certain files (that I pointed out in my emails). The data sent in the posts isn't going to be seen in your logs, unfortunately. The filename, however, is clear as day. You...
whooami on "My site was ambushed...need help figuring out how"
Without divulging the file name, I should say, that I just looked through my own mod_security logs, and see a different attempt at an RFI attack, pointed at a core file that lives inside wp-includes/...
thesu on "My site was ambushed...need help figuring out how"
This happened to me, too! The file was timestamped 3/18. My wp-content folder was already set at permission 755, so I don't know how the hacker got in there. I was running wp-cache and deactivated it....
whooami on "My site was ambushed...need help figuring out how"
this thread was resolved, thesu. I assure you that if your site was compromised at some point, they will come back. You might not see em, but they will come back. Keep in mind, that coming back doesn't...
TheTim on "My site was ambushed...need help figuring out how"
I just discovered the same issue on my site, which is running WordPress 2.3.3. Whooami, you say that this was resolved, but I don't see any explanations of what can be done to prevent it from happening...
whooami on "My site was ambushed...need help figuring out how"
I have blogged about what I have done in repairing previously hacked sites on my own blog. This isn't a directory permission issue, it never has been one. People that suggest otherwise, aren't aware of...
mvandemar on "My site was ambushed...need help figuring out how"
"This thread was resolved because..." This thread is not actually resolved, since a clean install of 2.3.3 has this vulnerability as well. While changing the cookie names may indeed thwart whatever bot...
raygene on "My site was ambushed...need help figuring out how"
"If your wp-content directory is still writable, fix that. chmod 755. That's one of the first things I would be doing. I've argued against plugins and settings that require that for three years." OK, just...