So a few weeks ago I posted how a few of my sites had been hacked. It has been an ongoing issue where the group has tried numerous times to gain access. This past attempt, a hacker was able to gain access to one of my sites (I left one site up as a dummy site to see what/how they were gaining access). In my logs - this is what I saw - can anyone explain possibly what/why these commands were used? Also are these a possible sign of a new exploit/security vulnerability in 2.9.1?
/wp-content/themes/default/media.php?cahsurip
/wp-content/uploads/2010/01/default_backup.php
/wp-content/themes/default/index.php?cmd=ls+al
/wp-login.php?CS
Like I said - this was a dummy site left virtually untouched after their hacks early last month. The default_backup.php is an exploit file they left behind after one hack to gain access to the server (brute force for passwords, show file locations etc.). That file I removed as soon as I discovered the hack - so we can see the hacker was hoping to have that file left behind. But as for the other three entries... any thoughts?
Rich
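
A heuristic access-log check for the four request patterns listed in the post above, as an added example that is not part of the original post. The request paths are the ones from the post; the IPs, timestamps, status codes, the three benign lines and the rule names are constructed for illustration, and the Apache combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: paths from the post plus three benign requests.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Feb/2010:10:00:01 +0000] "GET /wp-content/themes/default/media.php?cahsurip HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [05/Feb/2010:10:00:03 +0000] "GET /wp-content/uploads/2010/01/default_backup.php HTTP/1.1" 404 210 "-" "-"
192.0.2.10 - - [05/Feb/2010:10:00:07 +0000] "GET /wp-content/themes/default/index.php?cmd=ls+al HTTP/1.1" 200 1024 "-" "-"
192.0.2.10 - - [05/Feb/2010:10:00:09 +0000] "GET /wp-login.php?CS HTTP/1.1" 200 2048 "-" "-"
198.51.100.7 - - [05/Feb/2010:10:01:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2048 "-" "-"
198.51.100.7 - - [05/Feb/2010:10:01:02 +0000] "GET /wp-content/uploads/2010/01/photo.jpg HTTP/1.1" 200 40960 "-" "-"
198.51.100.7 - - [05/Feb/2010:10:01:05 +0000] "GET /?p=12 HTTP/1.1" 200 8192 "-" "-"
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the names of the heuristic rules a request target trips."""
    parts = urlsplit(target)
    path, query = parts.path.lower(), parts.query
    is_php = path.endswith(".php")
    hits = []
    # The uploads directory is meant for media, not executable scripts.
    if is_php and path.startswith("/wp-content/uploads/"):
        hits.append("php-in-uploads")
    # Theme templates are normally loaded by WordPress, not requested directly.
    if is_php and path.startswith("/wp-content/themes/"):
        hits.append("direct-theme-php")
    # A parameter literally named "cmd", as in the third entry of the post.
    if any(k.lower() == "cmd" for k, _ in parse_qsl(query, keep_blank_values=True)):
        hits.append("cmd-parameter")
    # A lone token with no "=" (e.g. ?cahsurip, ?CS).
    if is_php and query and "=" not in query:
        hits.append("bare-query-token")
    return hits

def scan(log_text):
    """Return (request target, rule names) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        hits = classify(m.group(1)) if m else []
        if hits:
            findings.append((m.group(1), hits))
    return findings

if __name__ == "__main__":
    for target, hits in scan(SAMPLE_LOG):
        print(f"{', '.join(hits):40} {target}")
```

These rules are heuristics for triage: a hit means the request deserves a look at the file on disk and its modification time, not that it is proof of compromise.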