
[resolved] suspicious "sitemap.php" file added to public_html dir (3 posts)

  1. euchapelice
    Member
    Posted 1 year ago #

    hi,

    i wanted to ask if anyone has encountered a situation similar to this and how it was patched/fixed (to prevent future hacks).

    i recently experienced anomalous output on some pages on a wp site i manage. a viewer would go to the site, look at some pages and see texts inserted in the actual page text. texts like selling viagra or some other random text/spam (just texts). the number of processes running on the server (shared hosting) would spike, from the regular 1 to 2 over 25, to about 20 to 25 over 25. the site would constantly throw internal server errors. the texts are randomly inserted and sometimes a refresh of the same page will make the insertions disappear. some pages viewed in diff browsers/machines will produce one hacked and one normal page.

    i have consulted our hosting service but they always say they'll get back but then give no definite answers or they don't get back at all.

    i also looked at some cross-site scripting or 'pharma hack' and other possibilities

    so, after looking for evidence or clues myself (database looks clean, the theme pages did not have inserted code etc.) i noticed a "sitemap.php" file in my site's public_html. i double-checked and, yes, wordpress doesn't have such a file. i looked at the file and saw code similar to this one:
    http://www.leakedin.com/2013/05/01/potential-leak-of-data-obfuscated-php-code-437/

    i'd like to know how such files could be uploaded (or written) in the public_html dir. or more important: how such hacks may be prevented, avoided (or minimized?) in the future.

    thanks for any help or point to the right direction.
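The two clues in the post above (a PHP file at the web root that WordPress does not ship, and a body of obfuscated code inside it) are exactly what a first triage pass should surface. The script below is an added example, not code from the original thread or from WordPress: it walks a web root, flags top-level files outside a small expected set, and flags any PHP file containing constructs typical of obfuscated droppers. The expected-file set and the throwaway sample web root are constructed assumptions to keep the example self-contained; a real check would verify every core file's hash against the official WordPress core checksum list for the installed version rather than a hand-written list.

```python
import os
import re
import tempfile
from typing import Dict, List

# Assumed set of files expected directly in the web root of a stock install.
# This is an assumption for the example; in practice compare against the
# WordPress core checksums for your exact version instead of a fixed list.
EXPECTED_ROOT_FILES = {
    "index.php", "wp-config.php", "wp-login.php", "wp-settings.php",
    "wp-load.php", "wp-blog-header.php", "xmlrpc.php", ".htaccess",
}

# Constructs common in obfuscated PHP droppers. Each one also has legitimate
# uses, so a hit is a lead for manual review, not a verdict on its own.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gz_decompress": re.compile(r"\bgz(inflate|uncompress)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def scan_php_file(path: str) -> List[str]:
    """Return the names of suspicious constructs found in one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def scan_webroot(root: str) -> Dict[str, List[str]]:
    """Walk the web root and map each flagged file (path relative to root)
    to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reasons: List[str] = []
            # Unknown files directly in the web root (like the sitemap.php
            # in the thread) are the first thing to look at.
            if dirpath == root and name not in EXPECTED_ROOT_FILES:
                reasons.append("unexpected file in web root")
            # Any PHP file at any depth gets the obfuscation check; uploads
            # directories are a common place for dropped PHP.
            if name.lower().endswith(".php"):
                reasons.extend(scan_php_file(full))
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_webroot() -> str:
    """Create a constructed, throwaway web root with one benign file, one
    harmless non-PHP upload and one file shaped like a dropped backdoor."""
    root = tempfile.mkdtemp(prefix="wproot_")
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\ndefine('WP_USE_THEMES', true);\n"
                 "require __DIR__ . '/wp-blog-header.php';\n")
    # Constructed stand-in for the dropped file: only the shape (eval over a
    # decoded blob) matters to the scan; the blob decodes to "PLACEHOLDER".
    with open(os.path.join(root, "sitemap.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php eval(base64_decode('UExBQ0VIT0xERVI='));\n")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed upload, not PHP\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, reasons in scan_webroot(sample_root).items():
        print(f"{rel_path}: {', '.join(reasons)}")
```

Run it against the real document root (`scan_webroot("/path/to/public_html")`) from a clean machine or a shell on the host, and treat every hit as something to open and read; the cleanup guides linked in the next reply are still needed afterwards, because a dropped file is usually only one of several changes the attacker made.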

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    You've been hacked. :-( Unfortunately, there are many possible vectors that the hacker could have used and, without some cooperation from your hosts, it may be impossible to tie it down to any particular vector.

    For now, you need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    I'd also suggest reviewing:
    Hardening WordPress
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

  3. euchapelice
    Member
    Posted 1 year ago #

    thanks esmi, i'll read through the resources you provided. yes, unfortunately my host has not responded with any helpful steps. i've done several live chats and support tickets and follow-up tickets, but no helpful reply. so these resources would definitely help.

Topic Closed

This topic has been closed to new replies.