WordPress.org


I've been hijacked (7 posts)

  1. billjones
    Member
    Posted 3 years ago #

    Second time over the past year it has happened. It's to use email for spam; I deleted the email account and it went into loop mode, and then my account was suspended for CPU usage. Here are the files that caused the issue.

    Dear Bill,

    It has come to our attention that your account contains malicious content:

    ---
    4337 me 99.4 /home/me/public_html/rhmpanoorg/wp-includes/cek.php

    906 me 99.1 /home/me/public_html/rhmpanoorg/wp-includes/checker.php

    23316 me 99.1 /home/me/public_html/rhmpanoorg/wp-includes/cek.php
    ---

    The first number is the process number, then it shows your user name, and then the second number is the % of how much of the CPU you are using. The last is the 3 processes and the files that are using that much resources.

  2. ClaytonJames
    Member
    Posted 3 years ago #

    I don't believe either of those files would be native to the WordPress package.

    http://core.trac.wordpress.org/browser/branches/3.1/wp-includes

  3. billjones
    Member
    Posted 3 years ago #

    They are not; I posted this so anyone who cared to could check their folder for the same files.

  4. ClaytonJames
    Member
    Posted 3 years ago #

    I see. Thank you!

  5. UseShots
    Member
    Posted 3 years ago #

    You should find out how those files got there. If you don't close the security hole, your site will get reinfected again and again.

  6. bjones
    Member
    Posted 3 years ago #

    I would like to know. Any suggestions on how I would do that?

  7. ClaytonJames
    Member
    Posted 3 years ago #

    You might start by reviewing your access logs. Sometimes examining time stamps on corrupted files can give you an indicator as to the time frame you need to focus on. It sounds as if you already removed or altered the corrupted files, so that might no longer be as easy.

    Examine the workstations you use to log into your FTP account and your WordPress dashboard. Make sure they are malware and virus free. Credential-stealing trojans are not unheard of. Either way, you might consider it time for some password changes.

    Examine your file and directory permissions for inappropriate settings. If you are on a shared server, do a little research into your hosting provider's history in these matters, and consult their FAQ and support sections for proper permissions in a shared environment.

    Exploits can also take up residence in your database. If you suffered from a hack in the past, just removing corrupted files and upgrading platforms may not be enough.

    Examine your themes and plugins. Make sure they are up to date, are from trusted sources, and don't utilize any obfuscation methods in their coding (at least none that you would not expect). Research any items that might be suspect for past known vulnerabilities, updates and security issues.
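
Added example, not part of the original thread or any poster's code: one way to combine two of the checks suggested above, listing PHP files in the core directories that a clean copy of the same WordPress version does not contain, then pulling the access-log requests that touched them. The function names, the Combined Log Format assumption, the clean-copy directory and the sample log lines are assumptions made for this illustration; only the file names `cek.php` and `checker.php` come from the thread.

```python
import os, re, tempfile

# Combined Log Format: ip - - [time] "METHOD /path HTTP/x" status size
REQ = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def unexpected_php(site_root, clean_root, subdirs=("wp-includes", "wp-admin")):
    """PHP files in the site's core directories that a clean copy of the
    same WordPress version does not contain. Returns {relpath: mtime}."""
    found = {}
    for sub in subdirs:
        for dirpath, _, names in os.walk(os.path.join(site_root, sub)):
            for name in names:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, site_root)
                if (name.lower().endswith(".php")
                        and not os.path.exists(os.path.join(clean_root, rel))):
                    found[rel] = os.path.getmtime(full)  # last-modified time
    return found

def requests_for(log_lines, relpaths):
    """Log entries whose URL path (query string ignored) ends with one of
    relpaths. Returns (time, client, method, url, status) tuples."""
    wanted = tuple("/" + p.replace(os.sep, "/") for p in relpaths)
    hits = []
    for line in log_lines:
        m = REQ.match(line)
        if m and m.group(4).split("?")[0].endswith(wanted):
            hits.append((m.group(2), m.group(1), m.group(3), m.group(4), m.group(5)))
    return hits

def demo():
    """Constructed sample data: tiny site and clean trees, three log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        trees = {"site": ["plugin.php", "cek.php", "checker.php"],
                 "clean": ["plugin.php"]}
        for root, files in trees.items():
            os.makedirs(os.path.join(tmp, root, "wp-includes"))
            for f in files:
                open(os.path.join(tmp, root, "wp-includes", f), "w").close()
        log = [  # constructed lines, documentation-range addresses
            '192.0.2.10 - - [01/Jan/2011:03:12:45 +0000] "GET /index.php HTTP/1.1" 200 5120',
            '192.0.2.77 - - [01/Jan/2011:03:14:02 +0000] "POST /wp-includes/cek.php HTTP/1.1" 200 312',
            '192.0.2.77 - - [01/Jan/2011:03:14:09 +0000] "GET /wp-includes/checker.php?x=1 HTTP/1.1" 200 88',
        ]
        extra = unexpected_php(os.path.join(tmp, "site"), os.path.join(tmp, "clean"))
        return sorted(extra), requests_for(log, extra)

if __name__ == "__main__":
    files, hits = demo()
    print(files)
    for hit in hits:
        print(hit)
```

File modification times can be reset by whoever placed the file, so the log matches are usually the stronger lead for narrowing the time frame.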

This topic has been closed to new replies.