Major WordPress vulnerability: comment spam, changed files & settings (11 posts)

  1. ffwebdesigner
    Member
    Posted 3 years ago #

    I'm pretty sure there's a major security vulnerability even in the most recent version of WordPress, 3.1.2.

    I experienced hacker link spam and modification of WP settings and files on a WordPress blog. Symptoms are as follows:

    • Changed footer.php with some links to, I guess, Turkish penis enlargement sites, well hidden with base64 and gzinflate.
    • Comment moderation deactivated.
    • Automatic spam comments like, e.g.,
      [...]Craps are one of the leading free online craps guide will explaining the very basics things of games in simple strategies[...]... through trackbacks and comments every minute,
    • even though comments are closed for all articles and trackbacks / pingbacks are deactivated.
    • Did a clean reinstall of WP 3.1.2 without any plugins after having changed the MySQL password and admin password through phpMyAdmin, plus the wp-config keys.

    This means the WP installation is absolutely clean and safe. Still, we get the spam comments.

    Let's fix this together fast and heal WordPress! Who got the same symptoms?

    Cheers,
    ff-webdesigner.de

  2. esmi
    Forum Moderator
    Posted 3 years ago #

    The hacks could be coming from anywhere on the server rather than through WordPress. Have you reviewed:
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

  3. ffwebdesigner
    Member
    Posted 3 years ago #

    Thanks esmi, I knew link one, did all that. I'm over link 2 now... but it should be fine... it's a clean reinstall with changed passwords. That's what I'm worried about.

  4. esmi
    Forum Moderator
    Posted 3 years ago #

    Check your images. As Otto points out in that second link, hackers can disguise backdoor scripts as images simply by throwing in a .jpg extension etc. Even came across what looked very like a hack yesterday that might have used a Thumbs.db file.
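
    The two kinds of tampering described in this thread (PHP hidden behind a .jpg or Thumbs.db name in the uploads directory, and a footer.php that feeds eval() with a base64/gzinflate chain) can both be picked up with a small file scan. The script below is an added example, not code from the thread, from WordPress or from the linked articles; the directory layout, the sample files it creates and the regexes it uses are constructed for the demo, and the "edoced" pattern is the reversed-string trick the original poster later greps for.

```python
"""Added example (not from the thread or WordPress): walk a WordPress tree and flag
files that look like the hacks described above, namely PHP hidden behind an image
extension or another non-PHP name, and PHP that wraps eval() around a
base64/gzinflate chain or uses reversed function names ("edoced" is "decode"
backwards). Sample files, paths and thresholds are constructed for the demo."""
import os
import re
import tempfile

# Leading bytes a genuine image of each type starts with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_EXTS = (".php", ".phtml", ".php5", ".inc")

PHP_TAG = re.compile(rb"<\?php\b|<\?=")
# eval() wrapped directly around a decode/inflate call, as in the doctored footer.php.
EVAL_CHAIN = re.compile(
    rb"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13|strrev)\s*\("
)
# Function names written backwards so that a plain grep for base64_decode misses them.
REVERSED_NAMES = re.compile(rb"\b(?:edoced_46esab|etalfnizg|sserpmocnuzg)\b")
# A base64 run this long inside theme or plugin PHP is unusual and worth a look.
LONG_BASE64 = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def inspect_file(path):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            findings.append("image extension but no matching image header")
        if PHP_TAG.search(data):
            findings.append("PHP open tag inside an image file")
    elif ext in PHP_EXTS:
        if EVAL_CHAIN.search(data):
            findings.append("eval() fed by a decode/inflate chain")
        if REVERSED_NAMES.search(data):
            findings.append("reversed function name (strrev trick)")
        if LONG_BASE64.search(data):
            findings.append("long base64 blob")
    elif PHP_TAG.search(data):
        # Thumbs.db, .txt, .ico and similar never legitimately carry PHP.
        findings.append("PHP open tag in a non-PHP, non-image file")
    return findings


def scan_tree(root):
    """Map each suspicious file (path relative to root, '/'-separated) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings = inspect_file(full)
            if findings:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = findings
    return report


def build_sample_tree():
    """Create a constructed mini WordPress tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    samples = {
        "wp-content/uploads/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "wp-content/uploads/logo.jpg": b"<?php echo 'constructed sample'; ?>",
        "wp-content/uploads/Thumbs.db": b"<?php echo 'constructed sample'; ?>",
        "wp-content/themes/twentyten/footer.php":
            b"<?php eval(gzinflate(base64_decode('" + b"A" * 240 + b"'))); ?>",
        "wp-content/themes/twentyten/header.php": b"<?php wp_head(); ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", "; ".join(findings))
```

    Run it against the document root of the site rather than the sample tree to get the real list. It is a triage aid, not a verdict: a theme author may legitimately embed a base64 image, and a file that passes every check can still be hostile, so the finding list is best read alongside a diff against a freshly downloaded copy of the same WordPress and theme versions.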

  5. ffwebdesigner
    Member
    Posted 3 years ago #

    Okay, whole upload dir deleted. Still: to bring malicious hidden PHP code in with, e.g., a .jpg extension would mean there has to be code added to the WP core files, right? It's a clean install with changed keys, MySQL, WP admin and even FTP passwords. Also checked MySQL wp_users: just admin. Searched for suspicious code in MySQL. No edoced. What happened? New spam 5 minutes ago... Grrrrrrr!

  6. esmi
    Forum Moderator
    Posted 3 years ago #

    Is this spam within the code (i.e. a hack)? Or are these spam comments?

  7. ffwebdesigner
    Member
    Posted 3 years ago #

    Mostly spam comments. But they also changed footer.php and some admin settings (no admin review of comments, e.g.).

  8. Matt McInvale
    Member
    Posted 3 years ago #

    The attackers may have your FTP credentials. Check your system for malware.

  9. esmi
    Forum Moderator
    Posted 3 years ago #

    Try using some anti-spam plugins such as Akismet and Bad Behaviour. Other than that, there are no security issues with 3.1.2 that I am aware of, so the prime suspect still remains your server itself.

  10. ffwebdesigner
    Member
    Posted 3 years ago #

    See above: we changed the FTP, MySQL and WP admin passwords... twice, before and after the clean reinstall. And we've been using SI CAPTCHA, which has done a good job so far on 20 of my blogs for years. The system is definitely clean.

  11. ffwebdesigner
    Member
    Posted 3 years ago #

    The problem is still the same. About 50 pingback spams a day, even though CAPTCHA is activated and pingbacks are disabled for every single post and generally in the discussion options.
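
    Pingbacks and trackbacks do not come through the comment form, so a CAPTCHA on that form never sees them; they arrive as POSTs to xmlrpc.php and to each post's /trackback/ URL, and those requests still show up in the web server log whether or not WordPress accepts them. The script below is an added example, not code from the thread or from WordPress: it runs a sliding-window count over constructed Apache combined-format log lines and reports the sources that burst against any of the three spam channels. The IP addresses, timestamps, window and threshold are all made up for the demo.

```python
"""Added example (not from the thread or WordPress): sliding-window count of POSTs
to the endpoints pingback, trackback and comment spam arrive through, run over a
constructed Apache combined-format access log. IPs, timestamps and thresholds are
made up for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log lines: one host hitting xmlrpc.php once a minute, one ordinary
# visitor leaving two comments, and one host touching xmlrpc.php twice, hours apart.
SAMPLE_LOG = """
203.0.113.9 - - [10/May/2011:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "Mozilla/4.0"
198.51.100.4 - - [10/May/2011:13:55:40 +0000] "GET /2011/05/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:13:56:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "Mozilla/4.0"
198.51.100.4 - - [10/May/2011:13:57:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:13:57:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "Mozilla/4.0"
192.0.2.7 - - [10/May/2011:13:58:00 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "-"
203.0.113.9 - - [10/May/2011:13:58:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "Mozilla/4.0"
203.0.113.9 - - [10/May/2011:13:59:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "Mozilla/4.0"
198.51.100.4 - - [10/May/2011:14:01:15 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:14:00:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "Mozilla/4.0"
192.0.2.7 - - [10/May/2011:17:58:00 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "-"
""".strip().splitlines()


def classify(path):
    """Name the spam channel a request path belongs to, or None for everything else."""
    path = path.split("?", 1)[0]
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc"            # pingback.ping and other XML-RPC calls
    if path.endswith("/wp-comments-post.php"):
        return "comment"           # the regular comment form
    if path.rstrip("/").endswith("/trackback"):
        return "trackback"         # per-post trackback URL
    return None


def parse_line(line):
    """Parse one combined-format line into the fields the detector needs, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "channel": classify(m.group("path")),
    }


def burst_sources(lines, window=timedelta(minutes=10), threshold=5):
    """Return {(ip, channel): peak} for sources whose POSTs to one channel reach
    `threshold` inside any `window`; peak is the highest count seen in one window."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["channel"]:
            stamps[(rec["ip"], rec["channel"])].append(rec["ts"])
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (ip, channel), peak in sorted(burst_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {peak} POSTs to {channel} within 10 minutes")
```

    Feeding the real access log through burst_sources() tells you whether the pingback traffic is still arriving and being rejected, or whether some posts still accept it: the discussion-settings switch only sets the default for new posts, each existing post keeps its own ping status, and xmlrpc.php answers regardless of either. Blocking or rate-limiting the flagged sources at the web server stops the noise before WordPress ever runs.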

Topic Closed

This topic has been closed to new replies.