I discovered about half an hour ago that two WordPress sites I host have been “hacked”. In both cases a PHP file with a random filename was found in the /wp-content/uploads directory. The contents of the scripts were subtly different, but the aim of both was to send spam email. The contents of my outbound Postfix queue are about 1,750 emails, which I’m now purging.
I have access to the logs of both websites going back twelve months (I’m a hoarder!). Grepping the logs for the names of the uploaded scripts shows me that the scripts were first requested over HTTP two days ago. However, I can’t see any log of when the files were uploaded (and therefore how!). I’ve also grepped the logs for upload.php, but the last use of that was on 31st July by my IP address, so it doesn’t appear the scripts were uploaded via that.
What else should I be grepping to try and track how these scripts were uploaded in the first place?
PS. I am running the latest version of WordPress (v3.2.1) on both sites. I did however have a couple of out-of-date plugins, but I’ve not spotted any overlap with the plugins between the two sites. Of course, the hacks may not be linked... but they are both hosted on the same server.
Any advice will be gratefully received!
- The topic ‘Hack analysis’ is closed to new replies.
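The triage the poster is describing by hand (find the first request to the dropped file, then work backwards for the write that put it there) can be scripted against the web server's combined-format access log. The following is an added example, not code from the original thread or from WordPress; the log lines are constructed for illustration, the backdoor filename `qz8f1k.php`, the IP addresses and the plugin path are made up, and the presence of a plugin `upload.php` in the sample does not imply any particular plugin is vulnerable. The logic generalises the poster's grep: besides the backdoor's own hits, it pulls every earlier POST, every earlier POST to a plugin or theme path, any PHP file ever requested under /wp-content/uploads/, and any earlier traffic from the IPs that later used the backdoor.

```python
import re
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (assumption: not real traffic, hostnames/IPs are documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Aug/2011:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2011:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2011:10:02:03 +0000] "POST /wp-content/plugins/some-plugin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2011:03:15:44 +0000] "GET /wp-content/uploads/2011/08/qz8f1k.php HTTP/1.1" 200 12 "-" "Python-urllib/2.6"
198.51.100.7 - - [10/Aug/2011:03:15:50 +0000] "POST /wp-content/uploads/2011/08/qz8f1k.php HTTP/1.1" 200 12 "-" "Python-urllib/2.6"
192.0.2.9 - - [10/Aug/2011:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts sorted by timestamp; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["path"] = e["path"].split("?", 1)[0]  # drop query string for path matching
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])


def triage(log_text, backdoor_name):
    """Work backwards from the first request to the dropped PHP file.

    Returns the first hit, the IPs that used the backdoor, and the earlier
    requests most likely to contain the write that created it.
    """
    entries = parse_log(log_text)
    hits = [e for e in entries if e["path"].endswith("/" + backdoor_name)]
    if not hits:
        return {"first_hit": None, "hitters": set(), "prior_posts": [],
                "plugin_posts": [], "prior_from_hitters": [], "uploads_php": []}
    first_hit = hits[0]
    hitters = {e["ip"] for e in hits}
    before = [e for e in entries if e["ts"] < first_hit["ts"]]
    return {
        "first_hit": first_hit,
        "hitters": hitters,
        # Any POST before the file was first executed could be the upload.
        "prior_posts": [e for e in before if e["method"] == "POST"],
        # POSTs to plugin/theme code are the usual file-write vector in WordPress.
        "plugin_posts": [e for e in before if e["method"] == "POST"
                         and e["path"].startswith(("/wp-content/plugins/", "/wp-content/themes/"))],
        # Earlier activity from the IPs that later drove the backdoor.
        "prior_from_hitters": [e for e in before if e["ip"] in hitters],
        # PHP should never be served from uploads at all; list every such request.
        "uploads_php": [e for e in entries
                        if e["path"].startswith("/wp-content/uploads/") and e["path"].endswith(".php")],
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, "qz8f1k.php")
    print("first hit:", r["first_hit"]["ts"], r["first_hit"]["ip"])
    for key in ("plugin_posts", "prior_posts", "prior_from_hitters", "uploads_php"):
        print(key)
        for e in r[key]:
            print("  ", e["ts"], e["ip"], e["method"], e["path"], e["status"])
```

On a real server, feed it the concatenated rotated logs (`zcat access.log*.gz`) rather than the sample, and compare the output against the file's mtime from `ls -l --time-style=full-iso` on the uploads directory: the write that created the backdoor should sit between the last plugin POST the script lists and the first hit. An empty `prior_from_hitters` list, as in the sample, just means the uploader and the spam sender used different addresses.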