Forums

WordPress › Support » Plugins and Hacks

Hacked website possibly through Contact Form 7 & Really Simple CAPTCHA plugins!! (7 posts)

  1. B_Dark
    Member
    Posted 5 months ago #

    in 3 Dec 2011 11:17:56 PM on websitedefender.com it give me these 2 messages:

    1."File structure change: 1 new file found

    One or more new files were created on the web server. You can find the list of newly created files below:

    List of new files
    Filename Creation time
    /home/cat/public_html/mysite.com/wp-content/uploads/wpcf7_captcha/1377993414.php 3 Dec 2011 11:17:56 PM"

    2."An executable PHP file /mysite.com/wp-content/uploads/wpcf7_captcha/1377993414.php was found the the WordPress uploads directory. By default WordPress doesn't allow uploading of PHP files in the uploads directory. Usually hackers are uploading malicious executable files in this directory because in a secure installation it's the only directory that has write permissions. The presence of this file in the uploads directory may indicate that your system was compromised.
    Solution

    Analyze the contents of this file. If the file is malicious, delete it immediately from your system!"

    In 2 hours it moved all the pages in trash bin, it erased and changed many menus, it had erased more then 600 "featured images" and "external media" videos.
    I tried to delete the "wp-content/uploads/wpcf7_captcha/1377993414.php" but I didn't anything in it. I deleted the file "wpcf7_captcha". I want you to tell how did this happened

    I use WP 3.2.1,
    Better WP Security 2.10,
    Wordpress Firewall 2 1.3,
    Contact Form 7 3.0.1,
    Really Simple CAPTCHA 1.2
    in this site single wp .

    And i have in my one multisite wp in main root of my host the WebsiteDefender WordPress 2.0.6 to scan all my host

    1. How did this thing happened?

    2.I have backup of 2 dec. and I have the corrupted base and at 3 dec. I have 3 new posts and I don't want to lose them. Which sql queries I call and in which tables, in order to add in the base of tables of 2 dec. the 2 new posts from 3 dec. ?!?!?

    Please help me!!!

  2. Takayuki Miyoshi
    Member
    Posted 5 months ago #

    It is websitedefender.com's false-positive. No problem.

    /home/cat/public_html/mysite.com/wp-content/uploads/wpcf7_captcha/1377993414.php

    These files are temporary files created by Really Simple CAPTCHA. Not malicious.

    See
    http://wordpress.org/extend/plugins/really-simple-captcha/
    http://contactform7.com/blog/2009/11/25/captcha/

  3. B_Dark
    Member
    Posted 5 months ago #

    ok my bad maybe but i lost a lot o things of my wp site the same time with this information from websitedefender.com

    Please, somebody help me with this one.
    I have backup of 2 dec. and I have the corrupted base and at 3 dec. I have 3 new posts and I don't want to lose them. Which sql queries I call and in which tables, in order to add in the base of tables of 2 dec. the 2 new posts from 3 dec. ?!?!?

  4. westerdaled
    Member
    Posted 5 months ago #

    Hi

    I am in the exact position and I nearly nuked my blog site bacuse of it. I think routinely ignoring security scans doesn't sound like a good idea. Do I take it we need to change the temp dir to a user defined location as outlined in
    http://contactform7.com/blog/2009/11/25/captcha/ .

  5. westerdaled
    Member
    Posted 5 months ago #

    Hi

    I have now changed the defualt wp_content/uploads/wpcf7_captcha
    with an entry in config.php

    /** here we stop C form 7 writing to the wp_content/upload dir by using our our own dir*/

    define( 'WPCF7_CAPTCHA_TMP_DIR', 'WHEREEVER/' );

    This now works but was more fiddly than than it looks

    1) check the the contact form 7 settings page as this reports whether your chosen directory is writable or not after your ftp accross your amended config.php.
    2) using the new sytax for the the contact form short code
    3) backup you config.php! I managed to corrupt mine but recovered from backup.

  6. emilysparkle
    Member
    Posted 5 months ago #

    thanks for this thread, i'm a new website defender user and am terrified every time i see a 'red alert'! so, can i just clarify that you're saying the files that appear in /uploads/wpcf7_captcha/ are not malicious, but it's better to move their landing place to somewhere else?

    and sorry to be thick, but what variable is 'WHEREVER'? my url? and wehre is new syntax? do i need to rebuild my forms?

    thanks.

  7. westerdaled
    Member
    Posted 5 months ago #

    Emily

    Yes, it appears to be a false alarm. Just keep WebSite Defender happy I moved the location where these .php and images are stored. THis you can do through
    this change in your config.php

    define( 'WPCF7_CAPTCHA_TMP_DIR', 'WHEREEVER/' );

    the 'WHATEVER/' is any directory name you chose to create so '/mycaptcha' anything your want. You will need to use an ftp client such as FileZila. It will also set the file mask (chmod) of the directory to 0777 to keep Contact Form 7 happy.

    No need to rebuild your forms - I simply changed the syntax of the short code to keep it up to date.

    One final thing... I suggest your google "hardening your WordPress site "as web site defender is simply one component of your anti hacking armour..

    Good luck

    Daniel

Reply

You must log in to post.

About this Topic

Tags