WordPress.org

Ready to get started?Download WordPress

Forums

WordPress 2.6 posts hacked (8 posts)

  1. hilaryjb
    Member
    Posted 5 years ago #

    I'm getting pharmaceutical spam inserted into the body of my posts. Usually with a stylesheet (from mcasro.org) hiding the text from visitors, occasionally not.

    I've been reading up on possible causes and eliminating one after another:

    • there are no extra users in the database
    • there are no unwanted active plugins disguised as image files
    • there is no code in my active theme with eval( or base64
    • nor yet in the main script files, except in wp-app.php where it's meant to be.
    • nor anything in theme or script files with 'beliy' or 'keymachine' or 'seogoogle' or any of the other things you're advised to search for
    • recently changed my admin password to something very obscure
    • all files have good permissions
    • I've overwritten files faithfully when upgrading - apart from wp-config, see below

    There was a brief interval when theme files were left at 777, hence all my searching in there for anything alien. Can't find anything. And until yesterday I hadn't upgraded wp-config.php for years. Done that now... but since it could be a month before the next attack, I've no way of telling whether this will have made any difference.

    I need help.

    Anyone?

  2. whooami
    Member
    Posted 5 years ago #

    are you getting this after having done all of the above? because really, about the only thing I would recommend that you didnt mention doing is changing the mysql passwd. you can safely assume that's been compromised, even if it hasnt.

  3. whooami
    Member
    Posted 5 years ago #

    and btw, kudos, serious kudos for you -- for not only searching around and doing your homework, but for giving all the recommendations you read up on a go.

    oops, i did forget one other thing .. plugins...

    check that none of your plugin versions are on here, at the least.

    http://www.milw0rm.com/search.php?dong=wordpress

    then make sure youre upgraded.

  4. @mercime
    Volunteer Moderator
    Posted 5 years ago #

    Try #1 and #2 solution here as well. The database fix video in solution #1 and if all fails, solution #2. Good luck.

  5. hilaryjb
    Member
    Posted 5 years ago #

    Thanks very much for the responses! Much appreciated. The downside of using WordPress is feeling very much alone when things go pear-shaped.

    Yes, the problem still occurred after doing all the above - the only exception is updating wp-config.php. Trouble is, there's no positive way to tell if the problem's fixed, as there tends to be a delay of a month or more between attacks...

    I don't have any of those plugins - and thank you for the list, as I was wondering how to check for vulnerabilities there.

    How to change the mysql password and not break the blog? Do I just change it in Cpanel and edit wp-config.php?

    As you can probably tell from that question, I'm not an expert. ;) I'm really short of time and wholly lacking in knowledge to fix this. (Does anyone sell WP tech support?)

    I will look at solutions #s 1 and 2, thank you, and try them when I feel brave.

  6. hilaryjb
    Member
    Posted 5 years ago #

    Turns out #1 is what I'd already done, looking for added active plugins. But the music's good. ;)

    Any advice on changing the mysql password, anyone?

  7. whooami
    Member
    Posted 5 years ago #

    How to change the mysql password and not break the blog? Do I just change it in Cpanel and edit wp-config.php?

    Yes.. assuming that you are using the same mysql password that is used for your ftp login, and cpanel login. Cpanel is set up so that one password affects everything. Change your password there, change your wp-config.php and remember that the next time you try to access cpanel or use your ftp client, you will need to use that same password.

  8. hilaryjb
    Member
    Posted 5 years ago #

    I have different Mysql users and passwords for each database, so I created a new user with access to the blog db, put this one in wp-config.php, and deleted the old one. Nothing broke :)

    Would anyone like to guess what are the chances that this will have solved the problem?

Topic Closed

This topic has been closed to new replies.

About this Topic