WordPress.org


WP 2.8.6 + Mystique defaced (5 posts)

  1. Mydoom666
    Member
    Posted 4 years ago #

    Hi,

    And sorry for my bad English... ^*^"

    My blog was defaced a few days ago.
    Here are the logs in question: 17-12-09-wp_defaced.log

    I have not modified the source code of the template or WordPress, and all files have a correct chmod.

    Since I changed my theme, everything works. The hacker fails with the iNove theme.

    Too bad because I really like Mystique. :(

  2. digitalnature
    Member
    Posted 4 years ago #

    Is this the entire log related to this hack attempt?
    Because some things just don't make sense.

    There's a content.php file in the theme folder which doesn't exist in the default Mystique theme, but it exists on your server. So I assume the hacker uploaded this file somehow on your server, but in your log there's no trace for this upload.

    Note that all GET requests are normal; the hacker can only do this through POST requests. If you find another log that explains the content.php file upload, look for POST requests.

  3. Mydoom666
    Member
    Posted 4 years ago #

    Nope, this is not the entire log. Here is the complete log of the first attack: 15-12-09-wp_defaced.log.

    And you're right! There is no content.php in the default Mystique theme.

    He created a new admin user with the lost password function to log in to the admin panel and add some malicious code in the Mystique theme. :)

    Anyway, access to the wp-admin directory is now banned.

    Sorry for having had doubts about your wonderful theme!
    Next time, I will check all my logs before posting a useless post. ;)

  4. digitalnature
    Member
    Posted 4 years ago #

    From your logs, this seems to be the script that's being run on your server. If this is a WordPress security vulnerability, maybe it will help WP developers fix it...

  5. Mydoom666
    Member
    Posted 4 years ago #

    You're right, but I don't know how to contact them and my English is very limited. :/

    But I will keep the log up on the server if ever a WP developer comes here.

    All I can say is that the hacker can create a new user with Admin rights (I received the notification mail).
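
An added example, not part of the thread: a small Python triage of an access log along the lines digitalnature suggests, listing POST requests and requests for theme PHP files that are absent from a clean copy of the theme. The log lines, the theme path and the known-file set are constructed assumptions, not data from the poster's logs.

```python
import re

# Common/combined access-log prefix: host ident user [time] "METHOD target proto" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def triage(log_lines, theme_dir, known_theme_files):
    """Return (posts, unknown): POST requests, and hits on theme PHP files
    that are absent from a clean copy of the theme."""
    posts, unknown = [], []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, when, method, target, status = m.groups()
        rec = {"host": host, "time": when, "method": method,
               "target": target, "status": int(status)}
        path = target.split("?", 1)[0]  # compare on the path, without the query string
        if method == "POST":
            posts.append(rec)
        if path.startswith(theme_dir) and path.endswith(".php"):
            if path[len(theme_dir):] not in known_theme_files:
                unknown.append(rec)
    return posts, unknown

def hosts_in_both(posts, unknown):
    """Client addresses that sent POSTs and also requested an unknown theme file."""
    return sorted({r["host"] for r in posts} & {r["host"] for r in unknown})

# Constructed sample lines (documentation IP ranges), not taken from the poster's logs.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Dec/2009:10:00:01 +0100] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Dec/2009:10:02:13 +0100] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0',
    '192.0.2.10 - - [15/Dec/2009:10:03:40 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [17/Dec/2009:21:15:02 +0100] "GET /wp-content/themes/mystique/content.php HTTP/1.1" 200 913',
    '192.0.2.10 - - [17/Dec/2009:21:16:00 +0100] "GET /wp-content/themes/mystique/index.php HTTP/1.1" 200 2048',
]
THEME_DIR = "/wp-content/themes/mystique/"  # assumed install path
# Assumption: build this set from a fresh download of the theme; these names are placeholders.
KNOWN_THEME_FILES = {"index.php", "functions.php", "single.php"}

if __name__ == "__main__":
    posts, unknown = triage(SAMPLE_LOG, THEME_DIR, KNOWN_THEME_FILES)
    for r in posts + unknown:
        print(r["time"], r["host"], r["method"], r["target"], r["status"])
    print("hosts in both lists:", hosts_in_both(posts, unknown))
```

Ordinary POSTs such as comment submissions show up in the first list too, so it is a review queue rather than a verdict; the overlap of the two lists is the place to start reading.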


This topic has been closed to new replies.
