
Files being added to one of my sites (64 posts)

  1. rsconsult
    Member
    Posted 2 years ago #

    I'm hoping that someone can help me out on this. I have a site that files were added to. I had WP File Monitor added and it notified me that files were added to wp-includes/images and then a couple of files were changed. I removed them and then added WP Defender in the hopes that it would tell me if I had security setup wrong on a folder or something.

    WP Defender did find a couple of things but they were all very minor, low alerts. But whatever is going on, keeps happening. I will go through and remove/restore things and then in a day or so, they are all right back. Here is a list of the files added/changed from the WP File Monitor plugin. I'm hoping that someone here recognizes what this is and now I can fix my site to not let them in anymore.

    Files Changed:

    /wp-content/plugins/index.php
    /wp-includes/post-template.php

    Files Added:

    /wp-content/plugins/jquery-lightbox-for-native-galleries/wp-ajax-gadget.php
    /wp-content/plugins/wassup/zipper-class.php
    /wp-includes/images/list10.gif
    /wp-includes/images/list106.gif
    /wp-includes/images/list914.gif
    /wp-includes/images/list98.gif
    /wp-includes/images/nix156.doc
    /wp-includes/images/nix252.doc
    /wp-includes/images/nix380.doc
    /wp-includes/images/nix572.doc
    /wp-includes/images/nix580.doc
    /wp-includes/images/nix676.doc
    /wp-includes/images/nix732.doc
    /wp-includes/images/nix772.doc
    /wp-includes/images/nix828.doc
    /wp-includes/images/nix868.doc
    /wp-includes/images/pub281.jpg
    /wp-includes/images/pub377.jpg
    /wp-includes/images/pub608.doc
    /wp-includes/images/pub665.jpg
    /wp-includes/images/pub705.jpg
    /wp-includes/images/pub761.jpg
    /wp-includes/images/pub801.jpg
    /wp-includes/images/pub857.jpg
    /wp-includes/images/pub953.jpg
    /wp-includes/images/sched15.tar
    /wp-includes/images/sched734.gif
    /wp-includes/js/scriptaculous/query.js.php

    Has anyone else experienced this or have any idea what I can do to make this stop happening?

  2. Samuel B
    moderator
    Posted 2 years ago #

    It could be a plugin.
    The only way to tell is to deactivate them all and test.

    If it stops, re-activate them one by one, testing in between.

  3. Erko Risthein
    Member
    Posted 2 years ago #

    Have you figured out how they managed to add this backdoor to your site?
    I see many sites affected by this (including mine): wp-ajax-gadget.php

    Any info on this would be appreciated.

  4. rsconsult
    Member
    Posted 2 years ago #

    No, I have found no other info so far other than it is not a plugin. Hopefully some other people can chime in and offer some suggestions or info.

  5. Erko Risthein
    Member
    Posted 2 years ago #

    Are you by any chance hosted by Dreamhost?

  6. rsconsult
    Member
    Posted 2 years ago #

    Yes. That site is being hosted with Dreamhost. Although, I was having the issue way before they reset everyone's password due to the security issue. Still think it may be related?

  7. Erko Risthein
    Member
    Posted 2 years ago #

    That's the only thing I could think of.

  8. rsconsult
    Member
    Posted 2 years ago #

    I was thinking they were not related due to the time I've had issues but who knows. I've cleaned out everything and reset my shell password so we'll see if it works or not.

  9. Erko Risthein
    Member
    Posted 2 years ago #

    I have also changed all the passwords. But damn, it just happened again!

    Added:
    wp-includes/images/nix549.jpg
    wp-includes/images/nix853.jpg
    wp-includes/images/sched399.tar
    wp-includes/images/sched958.gif
    wp-includes/images/pub137.jpg
    wp-includes/images/pub392.doc
    wp-includes/images/sched558.gif
    wp-includes/images/sched430.gif
    wp-includes/images/pub360.doc
    wp-includes/images/pub785.jpg
    wp-includes/images/pub112.doc
    wp-includes/images/nix997.jpg
    wp-includes/images/list123.tar
    wp-includes/images/nix917.jpg
    wp-includes/images/list211.tar
    wp-includes/images/pub225.jpg
    wp-includes/images/pub64.doc
    wp-includes/images/sched463.tar
    wp-includes/images/nix668.doc
    wp-includes/js/jquery/query.js.php
    wp-content/plugins/bulletproof-security/wp-ajax-gadget.php
    wp-content/plugins/wordpress-file-monitor/zipper-class.php

    Changed:
    wp-includes/post-template.php
    wp-admin/includes/.svn/class-wp-theme-edit.php
    wp-content/plugins/hello.php
    wp-content/plugins/index.php

    Any ideas?
    By the way, which Dreamhost machine are you hosted on? I'm hosted on Warsaw.

  10. rsconsult
    Member
    Posted 2 years ago #

    Sorry, no ideas here other than maybe put in a support ticket with DH and see if they can give more info. Most of my stuff is hosted on Proty.

  11. Erko Risthein
    Member
    Posted 2 years ago #

    Ok, thanks anyway. I already contacted support yesterday so I'm just waiting for their reply.

    Cheers!
    Erko

  12. rsconsult
    Member
    Posted 2 years ago #

    I'm curious what they come up with. I hope they can give you some answers.

  13. timeuser
    Member
    Posted 2 years ago #

    Has anyone figured anything out regarding this? I've been having the same issue with these same files being added to my site every couple days.

  14. rsconsult
    Member
    Posted 2 years ago #

    @timeuser - As far as I can tell it is some type of malware. I'm not sure when it got loaded on my sites but after working on it for several months and it just kept coming back, I finally got fed up with working on it on my own. I've been using http://sucuri.net for the last couple of weeks and they have cleaned up several sites with no new infestations. To me it was well worth the money to not have to fight with it anymore.

    Good luck with your site.

  15. timeuser
    Member
    Posted 2 years ago #

    Yeah, I've considered Sucuri. I'd still like to know where this is getting in, whether it's through a hole in WordPress or one of the plugins it'd be good if it could be reported and patched.

  16. rsconsult
    Member
    Posted 2 years ago #

    Agreed. I think my original issue was back over the summer so it is too far gone to check logs to see what may have been happening. I made the mistake of using ftp instead of sftp a couple of times and was thinking it may have been a contributing factor. It is just as likely that something else happened though. It would be nice to know for sure so we could find a way to stop it.

  17. Nihad Nagi
    Member
    Posted 2 years ago #

    Please can you tell me, whether the same file names are replicated everytime and tell me about your security permissions for wp-includes and wp-admin

  18. timeuser
    Member
    Posted 2 years ago #

    I don't know if those image filenames are the same every time, but the other files being added are named like: wp-ajax-gadget.php, https.php, query.js.php, zipper-class.php, class-wp-theme-edit.php etc. They aren't always put in the same directory though. My permissions on wp-admin and wp-includes are 755.

  19. rsconsult
    Member
    Posted 2 years ago #

    For me the file names are either the same or very similar each time. Like timeuser, they are not always in the same place. My permissions are the same - 755.

  20. Nihad Nagi
    Member
    Posted 2 years ago #

    I am asking about the folder permissions for the following:

    wp-includes
    wp-includes/images
    wp-includes/js
    and all sub-directories

    wp-content
    wp-content/plugins

    Additionally, confirm whether you have timthumb.php. If you are not sure, go to any web page with images being re-sized and so on, and view the page source: is there '?timthumb.php' somewhere in the image links? If you are still not sure about it, send me a link to any of your pages.

    Please RS, if you have the defender logs, tell me what was the name of the first file changed.

    I am extremely sorry for asking you this, but proper troubleshooting requires it before making any decisions. Closing it will be beneficial to all.
    Regards.

  21. timeuser
    Member
    Posted 2 years ago #

    All my directories should be 755. I set them using the command on the Hardening WordPress page in the Codex.

    Here is a list of files with mod times from the latest incident...

    -rwxr-xr-x 54K Mar 5 13:07 /wp-content/plugins/all-in-one-seo-pack/zipper-class.php
    -rwxr-xr-x 66K Mar 5 13:08 /wp-content/plugins/audio-player/wp-ajax-gadget.php
    -rwxr-xr-x 12K Mar 5 13:07 /wp-admin/css/edit-form-header.php
    -rwxr-xr-x 8.5K Mar 5 13:07 /wp-admin/user/options-meta.php
    -rwxr-xr-x 66K Mar 5 13:08 /wp-admin/includes/class-wp-theme-edit.php
    -rwxr-xr-x 12K Mar 5 13:07 /wp-includes/theme-compat/class-https.php
    -rwxr-xr-x 54K Mar 5 13:08 /wp-includes/js/crop/query.js.php
    -rwxr-xr-x 965 Mar 5 13:09 /wp-includes/images/pub825.jpg
    -rwxr-xr-x 966 Mar 5 13:09 /wp-includes/images/pub400.doc
    -rwxr-xr-x 8.5K Mar 5 13:10 /wp-includes/images/list923.tar
    -rwxr-xr-x 7.1K Mar 5 13:11 /wp-includes/images/nix724.doc
    -rwxr-xr-x 1.4K Mar 5 13:08 /wp-includes/images/nix924.doc
    -rwxr-xr-x 744 Mar 5 13:10 /wp-includes/images/nix20.doc
    -rwxr-xr-x 960 Mar 5 13:09 /wp-includes/images/pub57.jpg
    -rwxr-xr-x 1.2K Mar 5 13:10 /wp-includes/images/sched903.tar
    -rwxr-xr-x 1.1K Mar 5 13:09 /wp-includes/images/sched206.gif
    -rwxr-xr-x 800 Mar 5 13:11 /wp-includes/images/nix901.jpg
    -rwxr-xr-x 7.0K Mar 5 13:11 /wp-includes/images/pub704.doc
    -rwxr-xr-x 1.3K Mar 5 13:11 /wp-includes/images/sched558.gif
    -rwxr-xr-x 8.4K Mar 5 13:10 /wp-includes/images/list539.tar
    -rwxr-xr-x 1.1K Mar 5 13:10 /wp-includes/images/sched215.tar
    -rwxr-xr-x 5.7K Mar 5 13:10 /wp-includes/images/list555.tar
    -rwxr-xr-x 5.6K Mar 5 13:10 /wp-includes/images/nix220.doc
    -rwxr-xr-x 1.2K Mar 5 13:09 /wp-includes/images/list642.gif
    -rwxr-xr-x 8.6K Mar 5 13:10 /wp-includes/images/list235.tar
    -rwxr-xr-x 1.3K Mar 5 13:11 /wp-includes/images/list563.tar
    -rwxr-xr-x 1002 Mar 5 13:09 /wp-includes/images/sched102.gif
    -rwxr-xr-x 739 Mar 5 13:11 /wp-includes/images/pub129.jpg
    -rwxr-xr-x 1.7K Mar 5 13:09 /wp-includes/images/list411.tar
    -rwxr-xr-x 6.2K Mar 5 13:09 /wp-includes/images/nix605.jpg
    -rwxr-xr-x 1.1K Mar 5 13:09 /wp-includes/images/nix221.jpg
    -rwxr-xr-x 1.1K Mar 5 13:09 /wp-includes/images/list723.tar
    -rwxr-xr-x 7.4K Mar 5 13:10 /wp-includes/images/sched23.tar
    -rwxr-xr-x 12K Mar 5 13:07 /wp-includes/https.php
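
    The listing above shows the pattern every poster in this thread reports: files named like images, documents and archives (pub*.jpg, nix*.doc, sched*.tar, list*.gif) at a few hundred bytes to a few KB in wp-includes/images, plus PHP dropped where no PHP belongs (wp-includes/js/crop/query.js.php) and core files modified in the same minute. The script below is an added example, not code from any poster or from WordPress; it triages a tree for exactly that pattern by checking file content against the extension (a .jpg that starts with `<?php`, a .gif without a GIF header) and by listing PHP files written inside a look-back window so they can be correlated with the FTP/SFTP and HTTP access logs for that timestamp. The sample tree, the file names and the payload text are constructed for the example; real paths and the window length are arguments.

    ```shell
    #!/bin/sh
    # Added example (not from the thread or from WordPress): triage a WordPress
    # tree for dropped files disguised as images/documents/archives and for
    # PHP files written recently. Assumes POSIX sh with find, grep -a and od.

    # Print "TAG<TAB>path" for every suspicious file under $1.
    # $2 = look-back window in minutes for the RECENT_PHP check (default 1440).
    find_masqueraders() {
        root=$1
        window=${2:-1440}
        # 1. Extension says image/doc/archive but the bytes carry PHP markers.
        find "$root" -type f \( -name '*.gif' -o -name '*.jpg' -o -name '*.png' \
                -o -name '*.doc' -o -name '*.tar' \) -print | while IFS= read -r f; do
            if grep -aqE '<\?php|eval\(|base64_decode\(|gzinflate\(' "$f"; then
                printf 'PHP_IN_NONPHP\t%s\n' "$f"
                continue
            fi
            # 2. No obvious marker, but the magic bytes do not match the extension.
            magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
            case "$f" in
                *.gif) [ "${magic#474946}" = "$magic" ] && printf 'BAD_MAGIC\t%s\n' "$f" ;;
                *.jpg) [ "${magic#ffd8ff}" = "$magic" ] && printf 'BAD_MAGIC\t%s\n' "$f" ;;
            esac
        done
        # 3. Any PHP file written inside the window: new droppers and modified
        #    core files alike (post-template.php in the listing would show here).
        find "$root" -type f -name '*.php' -mmin "-$window" -print | while IFS= read -r f; do
            printf 'RECENT_PHP\t%s\n' "$f"
        done
    }

    # Constructed sample tree mirroring the thread's layout; prints its path.
    make_sample_tree() {
        d=$(mktemp -d)
        mkdir -p "$d/wp-includes/images" "$d/wp-includes/js/crop"
        # Constructed payload: a one-line PHP backdoor disguised as a JPEG.
        printf '<?php eval(base64_decode($_POST["c"])); ?>' > "$d/wp-includes/images/pub825.jpg"
        # A "GIF" holding plain text: wrong magic, no PHP marker.
        printf 'just some bytes' > "$d/wp-includes/images/sched206.gif"
        # A genuine GIF header: must not be reported.
        printf 'GIF89a\001\000\001\000' > "$d/wp-includes/images/real.gif"
        # PHP where only JavaScript belongs, plus a freshly written core file.
        printf '<?php echo "x"; ?>' > "$d/wp-includes/js/crop/query.js.php"
        printf '<?php /* core */ ?>' > "$d/wp-includes/post-template.php"
        printf '%s\n' "$d"
    }

    # Stand-alone use: sh triage.sh /path/to/wordpress [minutes]
    if [ $# -gt 0 ]; then
        find_masqueraders "$1" "${2:-1440}"
    fi
    ```

    The RECENT_PHP list is deliberately noisy: a legitimate update also rewrites core files, so the useful output is the set of paths whose mtime clusters with the disguised files, which is the timestamp to look up in the hosting account's FTP and web server logs.
    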

  22. timeuser
    Member
    Posted 2 years ago #

    Oh, and I don't have timthumb.php on my site anywhere.

  23. rsconsult
    Member
    Posted 2 years ago #

    All of the directories you asked about have 755 permissions. Also, as far as I can tell, I do not have timthumb.php

    The logs from WP Defender did not have anything related to these files with the exception of telling me that the filesystem had changed when I deleted them. Since I could get that info from WP File Monitor (as well as when files were added), I dropped WP Defender from my site.

  24. Nihad Nagi
    Member
    Posted 2 years ago #

    We need to do the following:

    1-Could you please send me a link to any of your published posts with images.
    2- There is a common plugin or theme we need to reach out for, so kindly list your activated plugins, and we will shorten the list to commonly used plugins by cross-matching.

  25. timeuser
    Member
    Posted 2 years ago #

    Here is the blog in question: http://jewelsbranch.com/blog

    Here is the list of active plugins:

    Advanced Most Recent Posts
    Akismet
    All in One SEO Pack
    Audio player
    Exclude Pages from Navigation
    Exploit Scanner
    FD Feedburner Plugin
    FV WordPress Flowplayer
    Google XML Sitemaps
    Simple Facebook Connect
    Sociable
    Ultimate Google Analytics
    WordPress Importer
    WP Super Cache

  26. Nihad Nagi
    Member
    Posted 2 years ago #

    Nice website.
    OK, it's getting narrower. One of the remaining possibilities is AJAX handlers, and their back door is an ".htaccess" vulnerability, so to make a decision on this, refer to the code and rewrite rules below. It SHOULD be SOMEWHERE in your .htaccess file; if not, then this is the back door and we will be checking all AJAX handlers.

    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    # BEGIN WordPress

  27. timeuser
    Member
    Posted 2 years ago #

    Those rules are not in our .htaccess

  28. Nihad Nagi
    Member
    Posted 2 years ago #

    Well, now we know how the backdoor opened. These rewrite rules block the wp-includes files from being accessed by any malicious user. Adding those to your .htaccess will be the last step to do, because this kind of hack targets your traffic-dense pages; they don't show any visible symptoms on your website, but they target your page ranking. Anyway, we will do it together and seal the backdoor. But before we do that, we must catch those who got in first.

    The first thing we want to check for now is the plugins folder. Please select "show hidden files", whether you are using FTP or cPanel, and start with the 'Akismet' folder: look for .akismet.cache.php, .akismet.db.php, and so on; note the period at the beginning of the file name. Repeat this with every plugin folder.

  29. timeuser
    Member
    Posted 2 years ago #

    There are no hidden files anywhere in our plugins folder.

  30. Nihad Nagi
    Member
    Posted 2 years ago #

    Not only hidden files: any files starting with a "." (period).
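
    Posts 26 to 30 ask for three things that can be checked mechanically: whether the "Block the include-only files" rules from the Codex are present in .htaccess, whether any dot-prefixed files sit inside wp-content/plugins, and (from post 20) whether any directory is more permissive than 755. The script below is an added example, not code from any poster or from WordPress, that performs those checks read-only and, on request, prepends the Codex rules above the `# BEGIN WordPress` block. One caveat a practitioner would want stated: the rules answer 403 to direct HTTP requests for PHP under wp-includes, wp-admin/includes and theme-compat, which does contain dropped files at those paths, but they cannot stop anything from writing files, so finding the write path (the hosting account's FTP/SFTP, a shared-host neighbour, a plugin) still has to happen separately. `RewriteBase /` is kept as quoted; a site served from a subdirectory such as /blog needs the matching base. The sample site, its .htaccess and the dot-prefixed file are constructed.

    ```shell
    #!/bin/sh
    # Added example (not from the thread or from WordPress): read-only audit
    # for the checks posts 20, 26, 28 and 30 ask for, plus an optional fix
    # that prepends the Codex include-only rules. Assumes POSIX sh, find, grep.

    # The five rules from the Codex "Hardening WordPress" page, verbatim.
    # Order matters: the [S=3] rule skips exactly the next three.
    INCLUDE_RULES='RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]'

    # Print "MISSING_RULE<TAB>rule" for each rule absent from the .htaccess in $1.
    missing_include_rules() {
        ht=$1
        printf '%s\n' "$INCLUDE_RULES" | while IFS= read -r rule; do
            [ -f "$ht" ] && grep -qF -- "$rule" "$ht" && continue
            printf 'MISSING_RULE\t%s\n' "$rule"
        done
    }

    # Print "HIDDEN_FILE<TAB>path" for every dot-prefixed file under plugins.
    # Review each one: a plugin may legitimately ship a .htaccess.
    hidden_plugin_files() {
        find "$1/wp-content/plugins" -type f -name '.*' -print | while IFS= read -r f; do
            printf 'HIDDEN_FILE\t%s\n' "$f"
        done
    }

    # Print "WORLD_WRITABLE<TAB>path" for directories looser than 755 (o+w).
    world_writable_dirs() {
        find "$1" -type d -perm -002 -print | while IFS= read -r p; do
            printf 'WORLD_WRITABLE\t%s\n' "$p"
        done
    }

    # Run all three checks against a WordPress root.
    audit_wp() {
        root=$1
        missing_include_rules "$root/.htaccess"
        hidden_plugin_files "$root"
        world_writable_dirs "$root"
    }

    # Prepend the Codex block (inside <IfModule mod_rewrite.c>) above the
    # existing content, so it sits before "# BEGIN WordPress". Idempotent.
    add_include_rules() {
        ht=$1
        [ -z "$(missing_include_rules "$ht")" ] && return 0
        {
            printf '%s\n' '# Block the include-only files.' '<IfModule mod_rewrite.c>' \
                'RewriteEngine On' 'RewriteBase /'
            printf '%s\n' "$INCLUDE_RULES"
            printf '%s\n' '</IfModule>' ''
            if [ -f "$ht" ]; then cat "$ht"; fi
        } > "$ht.new" && mv "$ht.new" "$ht"
    }

    # Constructed sample site: default WordPress .htaccess (no include-only
    # rules), one dot-prefixed PHP file in a plugin, one 777 directory.
    make_sample_site() {
        d=$(mktemp -d)
        mkdir -p "$d/wp-content/plugins/akismet" "$d/wp-content/uploads" "$d/wp-includes"
        printf '%s\n' '# BEGIN WordPress' '<IfModule mod_rewrite.c>' 'RewriteEngine On' \
            'RewriteBase /' 'RewriteRule ^index\.php$ - [L]' \
            'RewriteCond %{REQUEST_FILENAME} !-f' 'RewriteCond %{REQUEST_FILENAME} !-d' \
            'RewriteRule . /index.php [L]' '</IfModule>' '# END WordPress' > "$d/.htaccess"
        printf '<?php /* plugin */ ?>\n' > "$d/wp-content/plugins/akismet/akismet.php"
        # Constructed: the kind of dot-prefixed file post 28 says to look for.
        printf '<?php /* constructed hidden file */ ?>\n' > "$d/wp-content/plugins/akismet/.akismet.cache.php"
        chmod 777 "$d/wp-content/uploads"
        printf '%s\n' "$d"
    }

    # Stand-alone use: sh audit.sh /path/to/wordpress
    if [ $# -gt 0 ]; then
        audit_wp "$1"
    fi
    ```

    Run the audit before and after cleaning: the MISSING_RULE lines disappear once the block is added, while any HIDDEN_FILE or WORLD_WRITABLE line that comes back on a later run is the same signal the posters were getting from WP File Monitor.
    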

This topic has been closed to new replies.