Hack analysis (5 posts)

  1. sscotter
    Posted 4 years ago #

    Hi all,

    I discovered about half an hour ago that two WordPress sites I host have been "hacked". In both cases a PHP file with a random filename was found in the /wp-content/uploads directory. The contents of the scripts were subtly different, but the aim of both was to send spam email. The contents of my outbound postfix queue are about 1,750 emails which I'm now purging.

    I have access to the logs of both websites going back twelve months (I'm a hoarder!). Grepping the logs for the names of the uploaded scripts shows me that the scripts were first requested over HTTP two days ago. However, I can't see any log of when the files were uploaded (and therefore how!). I've also grepped the logs for upload.php, but the last use of that was on 31st July by my IP address, so it doesn't appear the scripts were uploaded via that.

    What else should I be grepping to try and track how these scripts were uploaded in the first place?

    PS. I am running the latest version of WordPress (v3.2.1) on both sites. I did however have a couple of out-of-date plugins, but I've not spotted any overlap in the plugins between the two sites. Of course, the hacks may not be linked, but they are both hosted on the same server.

    Any advice will be gratefully received!

  2. esmi
    Forum Moderator
    Posted 4 years ago #

  3. MickeyRoush
    Posted 4 years ago #

    @ sscotter

    Did any of your themes and/or plugins use timthumb.php or any variant of it? Also look for any requests for that as well.

  4. sscotter
    Posted 4 years ago #

    Thanks for your input.

    I have checked and one of the compromised sites has the WP Mobile Detector plugin which contains a timthumb.php file. Grepping the logs doesn't show anything of interest though.

    I'll keep on searching!
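A small log-triage helper, added here as an illustration and not code from anyone in this thread, that automates the search MickeyRoush suggests: find the first request for the dropped file in wp-content/uploads, then list every earlier request that could be the upload vector (POSTs, hits on timthumb.php, or anything from the IP that first fetched the file). It assumes Apache/nginx "combined" log format; the sample lines, IPs and the filename x7k2q.php are constructed.

```python
import re
from datetime import datetime

# Apache/nginx "combined" log format; the timestamp is parsed so lines can be ordered.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not real traffic): a theme's timthumb.php is fetched and
# POSTed to, then a random-named PHP file under uploads is requested for the first time.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Aug/2011:02:14:31 +0000] "GET /wp-content/themes/mobile/timthumb.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Aug/2011:02:15:03 +0000] "GET /?p=12 HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Aug/2011:02:16:40 +0000] "POST /wp-content/themes/mobile/timthumb.php HTTP/1.1" 200 214 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Aug/2011:02:17:02 +0000] "GET /wp-content/uploads/x7k2q.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Aug/2011:02:18:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    row = m.groupdict()
    row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return row

def timeline(lines, dropped_file, watch=("timthumb.php",)):
    """Return (first_hit, suspects): the first request for dropped_file, and every
    earlier request that is a POST, touches a watched filename, or comes from the
    same IP as that first hit. Any of these is a candidate upload vector to inspect."""
    rows = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    first = next((r for r in rows if dropped_file in r["path"]), None)
    if first is None:
        return None, []
    suspects = [r for r in rows if r["ts"] < first["ts"] and (
        r["method"] == "POST"
        or any(w in r["path"] for w in watch)
        or r["ip"] == first["ip"])]
    return first, suspects

if __name__ == "__main__":
    first, suspects = timeline(SAMPLE_LOG.splitlines(), "x7k2q.php")
    print("first hit:", first["ts"], first["ip"], first["path"])
    for r in suspects:
        print("suspect:", r["ts"], r["ip"], r["method"], r["path"])
```

Run it against the real access logs with `timeline(open(path).read().splitlines(), "<dropped filename>")`; for a twelve-month log, widen `watch` to any other theme or plugin file that accepts uploads.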

  5. Roy
    Posted 4 years ago #

Topic Closed

This topic has been closed to new replies.
