wp-includes folder hacked? | WordPress.org

Resolved lrbphoto
(@lrbphoto)

14 years, 2 months ago

Today I noticed from our Statcounter.com tracking some very weird URLs on our site. It seems like a hacker has hijacked our home page and added some random text and images below the main content. Here are some examples:

http://laurenbphoto.com/blog/wp-includes/images/define-buck
http://laurenbphoto.com/blog/wp-includes/images/define-bucket
http://laurenbphoto.com/blog/wp-includes/images/nordlingen-germany

When I log in to the admin, I can’t find any of the posts or images, though the source code says the images are hosted on our site. If I log in via FTP, I don’t see the images in the wp-includes/images directory. I even did a full server search using cPanel and could not locate the images.

Also, our site redirects to http://www.laurenbphoto.com if you put in http://laurenbphoto.com. Yet, these URLs work without the www.

I did a twitter search for define buck and found this tweet with some reference to it:
https://twitter.com/#!/wushunate/status/180589249589026816

I looked at the users timeline and there are a bunch of similar links to other WordPress sites. The twitter account seems hacked though. Until these weird pages started showing up, he hadn’t tweeted in two years.

We’re hosting with Host Gator and I have them looking into it. Anyone else seen this and can explain what’s happening? Any security suggestions?

Better yet, how do I get rid of it?

Thanks,

Lincoln

Viewing 2 replies - 1 through 2 (of 2 total)

The Hack Repair Guy
(@tvcnet)

14 years, 2 months ago

Hi,
As far as I can tell your site seems free of malware:

Try this free malware checking service to verify:
http://www.UnmaskParasites.com/security-report/?page=laurenbphoto.com/blog/

Because bots or people are trying to connect to links on your website, that does not mean your site is hacked.

I’m not seeing any redirects or odd content here.

Thread Starter lrbphoto
(@lrbphoto)

14 years, 1 month ago

So the Host Gator security team figured it out:

Upon inspection we found that malware had indeed been injected into your account. The vast majority of injections are done by malicious users who have found exploits in scripts previously (and legitimately) installed on the account. Some are also the result of a compromised password due to a virus-infected PC, so please make sure to scan any computer used to access this account with at least two anti-virus programs. We have taken the below actions to prevent further malicious activities. Please make sure to update your password to update all the scripts/plugins on your account to the latest version.

This account was exploited due to an outdated timthumb script installed with a theme. To prevent further exploitation in this manner we have updated all the timthumb scripts on the account to the latest security release.

Damn you TimThumb!

It’s annoying that I have to worry about my theme files being up to date.

Lincoln

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘wp-includes folder hacked?’ is closed to new replies.

Tags

In: Hacks
2 replies
2 participants
Last reply from: lrbphoto
Last activity: 14 years, 1 month ago
Status: resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics