Support » Fixing WordPress » C99 Shell hack, phishing install, several times

  • Resolved dnobendno


    My blog keeps getting smacked with this stuff, crazy Russians (they call themselves the Captain Crunch security team), who then install AOL phishing sites. Somehow they upload the file (yhg.php) into my server and pretty much get access to everything.

    What did I do wrong the the security front? I just noticed the update and I am upgrading. from 2.0.2 to 2.0.3. Will that be sufficient?


Viewing 9 replies - 1 through 9 (of 9 total)
  • It might help, but you would do well to contact your hosts and ask them what on earth is going on!

    It’s not necessarily a wordpress problem, it could be their servers. In any case, they need to know about security problems, and they ought to treat it as a matter of urgency, too.

    I contacted the host. They blame it on scripts.

    HostForWeb? blame it on scripts? that’s it? that’s all the explanation they gave you? how much are you paying these guys? 🙂

    as the host, they should work with you to provide some assurance that they’ve done substantial amount of auditing and investigation and at the very least, implement some preventive measures. is a good place to start. 🙂

    Yeah, they’re really not being very good hosts if they’re just telling you it’s scripts. For all we know, it could be wordpress, but it might be, for instance, some other client on your shared hosting (just one possibility).

    At the very least, they should be able to tell you a little more about where the vulnerability is — what file, where the attack is coming from, is it someone on your shared server, etc.

    They should also be careful how they reply, since people use the wordpress forums to help choose their hosting, it’s bad publicity if they mess you around.


    disable mysql injection, and php include. that happened to a friend of mine, some skiddie use phpinclude and uploaded a c99shell into his.

    thank you very much for this

    I found out I have the same problem. A c99 script was uploaded to my hosting account on which I have nothing but wordpress. I am tend to believe that this is a wordpress security exploit.

    Good enough — but have you updated to the latest release for your version of WordPress? These things need to be kept up; otherwise, stuff can happen.

    The WP release announcements are on your internal WP Dashboard.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘C99 Shell hack, phishing install, several times’ is closed to new replies.