Paypal scam

  • jrosick

    (@jrosick)


    Help! I don’t know if somebody is exploiting some WordPress code on my site or if I have some other vulnerability. Somebody is putting up a paypal scam site inside my wp-admin directory. I’m running: Debian Woody, Apache 2, php4, WordPress 1.5.

    This guy has hit me twice now. After the first time I thought I could contain it by removing group/world write permissions for everything below my http root but I was wrong. The only thing I can think of is that somebody is executing some code via php to create the scam site.

    Has anybody else had this problem?

Viewing 7 replies - 1 through 7 (of 7 total)
  • DianeV

    (@dianev)

    I’ve not heard of it personally. I’d suggest password-protecting the folder itself.

    If you have access to your server logs, they might give you some clues. As well, web servers (at least, FreeBSD) have logs of FTP activity. If you don’t have access to these, I’d suggest asking your web host.

    … are you using a web host, or running WP on your own computer?

    Thread Starter jrosick

    (@jrosick)

    I’m running WP on my own computer.

    The main reason I’m posting here is because both times I got hit the fake paypal site was created as a directory under the wp-admin directory. Why would my scammer put his scam site within that directory unless that was the only one he could put it in? That’s why I’m concerned that some php file within wp-admin is allowing arbitrary code to be executed.

    Is my logic sound?

    This time I made the whole wp-admin directory not-writable by anybody. I’ve also changed all my passwords (WP, root, etc.). We’ll see what happens 🙁

    knotty

    (@knotty)

    Maybe you should let Paypal know. They have a fraud reporting address. Ideal is if this guy gets caught.

    Thread Starter jrosick

    (@jrosick)

    That’s how I initially got alerted to the problem. Paypal contacted my ISP and they contacted me. It makes me very angry and I’d love for this guy to get caught, but the ISP said they see this happen more often than you would think and they don’t have a good way to track these guys down.

    BTW I’m checking my logs in case I find something. Thanks for the comments so far!

    mikep

    (@mikep)

    You do want to try and get his IP and preserve all the files he uploaded. In the UK, this activity would be a crime under the Computer Misuse Act. Good hunting!
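
The log check suggested in the replies above, as an added example that is not part of any post in this thread: it scans an Apache access log for requests into wp-admin subdirectories that a clean install does not have, reports which client first requested each one, and lists the successful POSTs that preceded it. The sample log lines, the `known_dirs` allowlist (`images` here) and all paths are constructed assumptions; build the allowlist from a fresh copy of your WordPress version.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "METHOD path proto" status
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE = """\
198.51.100.7 - - [03/Mar/2005:22:10:01 -0500] "GET /wp-admin/images/logo.gif HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2005:23:40:12 -0500] "POST /wp-admin/example.php?x=1 HTTP/1.1" 200 88
203.0.113.9 - - [03/Mar/2005:23:41:30 -0500] "GET /wp-admin/constructed-dir/login.html HTTP/1.1" 200 4096
192.0.2.44 - - [04/Mar/2005:08:02:00 -0500] "GET /wp-admin/constructed-dir/login.html HTTP/1.1" 200 4096
192.0.2.44 - - [04/Mar/2005:08:03:00 -0500] "GET /wp-admin/missing-dir/x.html HTTP/1.1" 404 210
"""

def parse(text):
    """Parse log text into dicts, skipping lines that do not match."""
    out = []
    for m in map(LINE.match, text.splitlines()):
        if m:
            ip, ts, method, path, status = m.groups()
            out.append({"ip": ip, "method": method, "status": int(status),
                        "path": path.split("?")[0],  # drop the query string
                        "when": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")})
    return out

def unexpected_dirs(entries, known_dirs):
    """Earliest successful request into each wp-admin subdirectory not in known_dirs."""
    first = {}
    for e in entries:
        parts = e["path"].split("/")
        if "wp-admin" not in parts or e["status"] >= 400:
            continue
        rest = parts[parts.index("wp-admin") + 1:]
        # rest has two or more items only when the request goes into a subdirectory
        if len(rest) >= 2 and rest[0] not in known_dirs:
            if rest[0] not in first or e["when"] < first[rest[0]]["when"]:
                first[rest[0]] = e
    return first

def posts_before(entries, hit, hours=24):
    """Successful POSTs in the window before the first hit: candidate write requests."""
    start = hit["when"] - timedelta(hours=hours)
    return [(e["ip"], e["path"]) for e in entries
            if e["method"] == "POST" and e["status"] < 400
            and start <= e["when"] < hit["when"]]

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for name, hit in unexpected_dirs(entries, {"images"}).items():
        print(name, "first requested by", hit["ip"], "at", hit["when"])
        for ip, path in posts_before(entries, hit):
            print("  earlier POST:", ip, path)
```

Run it against a copy of the log rather than the live file, and keep that copy alongside the preserved uploaded files.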

    michaelc

    (@michaelc)

    “I’d suggest password-protecting the folder itself.”

    #1 most important piece of advice. It’s stronger protection than making the folder unwriteable.

    If I were concerned with malicious code having been inserted in a wp-admin file, I would reinstall WP and then password protect the wp-admin folder.

    Thread Starter jrosick

    (@jrosick)

    Interesting that this pops up the day after I posted my problem:
    http://yro.slashdot.org/yro/05/03/04/0535233.shtml?tid=103&tid=116

  • The topic ‘Paypal scam’ is closed to new replies.