Support » Fixing WordPress » Jps beeing uploaded to UPLOAD FOLDER

  • Dear Community,

    we are having an issue since some time: we regulary have images that are uploaded into the uploads folder – and then the actual month with long names ie ChIJsUunOMIXLxgRu-wUxVeF2Ok-6.jpg — this file occurs on other days or the same day with same name and -7 etc. I get notified every time someone logs into wordpress, there are no logins at that time. We run the free version of wordfence and i have tried a couple of other tools.
    the site does not appear hacked. I replaced the original wordpress installation files.

    Looks like its a direct upload – but how is it done? I have been trying to search online to find similar issues but i was not really successful. What can i do? Is there a way to set rights on the folder that disallows direct uploads and allows only uploads from wordpress? Or does anyone have an idea what i can do?

    Thanks,
    Iris

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hola istria,

    the site does not appear hacked

    Maybe some kind of glitch or a plugin that creates (loads?) this image? First of all, check the access logs. On that stage you need more information about the issue.

    Thread Starter istria

    (@istria)

    I have checked the access log on the day/time this pictures are created according to FTP but there is nothing at that time BUT im seeing some weird calls of files. We have two domains running on this server, with two seperate word press installation. The same thing happens on both. The picture that is created has a preview and its a picture that is used on each site, but it has no specifics as to why it would be replicated ie by a plugin …

    The calls on phoenix-safaris.com all forward to an 404 error page, but the ones from mara-siria-camp actually call pages – which is not good, no idea, those pages are not there, im not that familiar with this logs – not sure how to proceed?

    doing_wp_cron=1640517913.3824810981750488281250" "WordPress/5.8.2; https://phoenix-safaris.com" "-"
    114.119.150.0 - - [26/Dec/2021:12:25:16 +0100] "GET /buy-viagra-tablets-without-prescription/ HTTP/1.1" 404 72798 phoenix-safaris.com "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)" "-"
    114.119.138.0 - - [26/Dec/2021:12:27:27 +0100] "GET /online-gaming/victorian-gambling-legislation.html HTTP/1.1" 302 331 mara-siria-camp.com "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)" "-"
    114.119.138.0 - - [26/Dec/2021:12:27:29 +0100] "GET /wp-content/uploads/revslider/templates/dark-fullsite-block-3-services/online-gaming/victorian-gambling-legislation.html HTTP/1.1" 200 8029 mara-siria-camp.com "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)" "-"

    —-
    Iris

    Thread Starter istria

    (@istria)

    So i checked through and found a rewrite rule in htaccess from 21 July and the folder with the files, i deleted the rewrite rules AND the folder. But still the question is where do those images come from …

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Please remain calm and give this a good read.

    https://wordpress.org/support/article/faq-my-site-was-hacked/

    When you have successfully deloused your site then consider giving this a read too.

    https://wordpress.org/support/article/hardening-wordpress/

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Jps beeing uploaded to UPLOAD FOLDER’ is closed to new replies.