Hacked by theme-editor.php POST Injection? (7 posts)

  1. samburgers
    Posted 8 years ago #

    Hi there,

    Just this morning, I have noticed that my blog was running quite slowly. Not the admin pages, but just the pages that are public.

    I took a look at the html of the page, and to my surprise, it was around 500KBs long! The culprit? At the end of my page, there were thousands of lines of html code injected, with "display:none" specified (as to only appear to text readers... aka search engines).

    I went to the root folders of the site in question, and it seems that the blog had been hacked (with physical files added to their folders).

    So I deleted the html from my footer.php.

    This evening, I encountered the same thing, pages loading slowly, and not surprisingly, there was the same thing (although now, the links are different).

    Screenshot of a portion of the footer: http://i15.photobucket.com/albums/a397/samburgers/injection1.gif

    Then, going to my FTP, I found the modification date of the footer.php file, which was Mar. 27 10:07pm.

    Screenshot: http://i15.photobucket.com/albums/a397/samburgers/injection2.gif

    Thirdly, viewing my raw visit log from my host's cPanel, I see that the person was able to inject code into my themes using POST injection methods?!

    Screenshot: http://i15.photobucket.com/albums/a397/samburgers/injection3.gif

    There are no other files that have been modified, and the IP range has now been banned from my site... but this worries me...

    Is this something WordPress should look into to fix?
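
The correlation described in the post above (the footer.php modification time checked against POST requests to theme-editor.php in the raw visit log) can be scripted. This is an added example, not part of the original thread; it assumes the Apache "combined" log format, and the log lines, IP addresses, year and time zone are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: Apache "combined" format (the thread shows the log only as a screenshot).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def theme_editor_posts(log_lines):
    """Yield (ip, time, status, path) for every POST to wp-admin/theme-editor.php."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore the query string so ?file=... variants are still matched.
        if not m["path"].split("?", 1)[0].endswith("/wp-admin/theme-editor.php"):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], when, int(m["status"]), m["path"]

def posts_near_mtime(log_lines, mtime, window=timedelta(minutes=5)):
    """Return theme-editor POSTs logged within `window` of a theme file's mtime."""
    return [hit for hit in theme_editor_posts(log_lines) if abs(hit[1] - mtime) <= window]

# Constructed sample log lines (documentation IP ranges, made-up year and offset).
SAMPLE_LOG = [
    '198.51.100.20 - - [27/Mar/2008:09:15:01 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Mar/2008:22:06:58 -0500] "GET /wp-admin/theme-editor.php?file=footer.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [27/Mar/2008:22:07:12 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/4.0"',
    '198.51.100.20 - - [27/Mar/2008:22:07:40 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]
# Constructed mtime; on a real host use
# datetime.fromtimestamp(os.stat("footer.php").st_mtime, timezone.utc).
FOOTER_MTIME = datetime(2008, 3, 27, 22, 7, 30, tzinfo=timezone(timedelta(hours=-5)))

if __name__ == "__main__":
    for ip, when, status, path in posts_near_mtime(SAMPLE_LOG, FOOTER_MTIME):
        print(f"{when.isoformat()} {ip} POST {path} -> {status}")
```

A POST to theme-editor.php normally comes from a logged-in session, so a hit from an unfamiliar address is a reason to review accounts and credentials as well as the file itself.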

  2. Len
    Posted 8 years ago #

    Gather whatever pertinent information you have, such as server logs, etc., and send it to security@wordpress.org

  3. whistler2020
    Posted 8 years ago #

    Tried upgrading to 2.3.3?

  4. samburgers
    Posted 8 years ago #

    @LenK: Thanks, will do.

    @whistler2020: I can try, but I don't think there's much difference... the changelogs show nothing relevant to the file in question.


  5. whistler2020
    Posted 8 years ago #

  6. samburgers
    Posted 8 years ago #

    Sorry, I forgot to mention, xmlrpc.php is up to the latest 2.3.3 version as suggested on the page.

  7. weezil
    Posted 8 years ago #

    What are your file perms set for?

Topic Closed
