WP Super Cache
strange page/url in newest cached pages list (7 posts)

  1. sokratesagogo
    Member
    Posted 10 months ago #

    Hi,

    In the Super Cache settings I have enabled "List the newest cached pages on this page." option on the WordPress site here: http://www.phpc.cam.ac.uk

    I am seeing some strange URLs in the list that has been generated, including this:

    /?c=http://staplesautoengineering.com/catalog/images/readme.txt??

    Is this some sort of probing?

    Sok

    http://wordpress.org/extend/plugins/wp-super-cache/

  2. sokratesagogo
    Member
    Posted 10 months ago #

    Looks like this is a phishing attack - if someone is careless enough to click the link from the newly cached pages (doh!) then perhaps the url is crafted to get WordPress to execute the query encoded in the text page - the bit beginning eval(base64_decode(

    I guess this has injected some code into a file somewhere.

    Anyone know how I can decode the section in the above txt file to see what it did?

    Sok

  3. Ron Rennick
    MultiSite Guru
    Posted 10 months ago #

    It's not WP executing the query, it's the PHP on your web server that executes it.

    Start searching for modified PHP files. Best place to start is plugins and the active theme.

  4. sokratesagogo
    Member
    Posted 10 months ago #

    Thanks Ron,

    Will start checking

    Sok

  5. sokratesagogo
    Member
    Posted 10 months ago #

    Being a bit of a dimwit here Ron, but wouldn't there have to be a .php extension in the URL for it to be executed directly by the server?

  6. Ron Rennick
    MultiSite Guru
    Posted 10 months ago #

    "wouldn't there have to be a .php extension in the URL for it to be executed directly by the server?"

    How do your pretty permalinks (or the home of the web site) end up being served by WP when there is no .php in the URL?

    Your webserver is configured to direct requests to index.php (while keeping the request uri intact) and you may also have an .htaccess that rewrites the request to the same result.

    As soon as the web server sees that the request is going to a .php file it hands the request over to PHP for processing. PHP then loads your index.php (or xml-rpc.php, etc.).

  7. sokratesagogo
    Member
    Posted 10 months ago #

    Haven't found anything suspicious yet, if anyone is still reading. Interestingly, found a couple of entries in the Apache access log showing a couple of Korean and Japanese IP addresses querying the site with HTTP 200 status codes.
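
An added example (not part of any post in this thread, and not WP Super Cache code): a small Python scan of Apache access-log lines for the request pattern from the first post, a query parameter whose value is a remote URL. The log lines, the IP addresses and the names `find_remote_url_params` and `scan` are constructed for illustration; the log format is assumed to be Apache common/combined.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Prefix of an Apache common/combined log line: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_remote_url_params(line):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a log line we understand; skip rather than guess
    query = m["target"].partition("?")[2]
    findings = []
    # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught as well
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "param": name,
                "remote_host": urlsplit(value).hostname,
            })
    return findings


def scan(lines):
    """Collect findings across many log lines, in order."""
    return [f for line in lines for f in find_remote_url_params(line)]


# Constructed sample lines; only the first request target is taken from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:01:22 +0000] "GET /?c=http://staplesautoengineering.com/catalog/images/readme.txt?? HTTP/1.1" 200 18432',
    '198.51.100.23 - - [01/Jan/2000:10:05:40 +0000] "GET /?page=http%3A%2F%2Fexample.test%2Fr.txt HTTP/1.1" 200 18432',
    '192.0.2.10 - - [01/Jan/2000:10:06:02 +0000] "GET /research/?s=http+proxy HTTP/1.1" 200 9120',
    '192.0.2.10 - - [01/Jan/2000:10:06:09 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 304 -',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ip"]} status={f["status"]} param={f["param"]} host={f["remote_host"]}')
```

A 200 status on a flagged line only shows that the server answered the request; whether any file on the site changed is a separate check of the PHP files themselves.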
