Loads of .cache-files pouring in with movie names

  • I’m currently using 2.8.3 of WordPress.
    I think this is that someone somehow managed to open up a backdoor to my blog and now fills it with files.

    Today I tried to write a blog article with two images. None were able to get uploaded. Weird, I should have many MB left on the server. So I think there’s something wrong with the images. I try for a while, re-saving them, changing names and file format, etc. Then I finally give up and check my FTP. My space is full, even overshooting by maybe 5-10 MB.

    After a while I find that in my img-folder (in the root) for images there is a folder named .cache. This folder is absolutely loaded with files. They add up to 30 MB, about 5-10 kB each. Every one of the files is named after some movie, then the .cache-filetype.

    I delete them all. But a few hours later checking back the folder has a few files, they came back. My first thought was that it was the artist plugin going crazy with some beta-feature for movies. So I delete them again, but saving some files not .cache – namely “.refgg” and “.uagg”.

    The folder just increases in files, so I download the files. Thinking they’re images I open them in Photoshop. No luck. I then try opening them in Notepad just to see any info on header data or something. They are all filled with HTML code. All crammed with links and info about downloading DVDs etc.

    In my img-folder I then find an index.php and a generate.php. They contain a lot of code, of course, and some references to the address Google gives nothing special (not that I can understand at least).

    I also find a .htaccess-file in the img-folder saying a lot, and at the end “Satisfy from any” and “Allow from all”.

    I’m totally clueless here, this is a bit too deep for me. Any ideas? This might even be some old bug I have missed and that got in before it was fixed in an update and then stuck. It might even be an attack on my server and nothing to do with WordPress.

    Any ideas are welcome!

  • Moderator Samuel Wood (Otto)

    (@otto42) Admin

    Your site got hacked.

    Remove that stuff, including the bad htaccess, the php, the cache directory, etc.

    Check your directory permissions as well. Make sure they’re all 755 or 644.

    doh >_< Big thanx man!

    Is this an attack that happened because of a previous bug in WordPress or something else?

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    No way to tell how it got hacked without looking through detailed server logs.
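
The cleanup and permission check from the first reply can be run as a read-only audit over a shell or a downloaded copy of the site. This is an added example, not code from the thread: the function names, the output tags and the sample tree are constructed, and the media folder name `img` is taken from the original post.

```sh
#!/bin/sh
# Prefix every path read on stdin with a finding tag and a tab.
tag() { while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done; }

# audit_webroot ROOT [MEDIA_DIR]: report only, nothing is changed or deleted.
audit_webroot() {
    root=$1; media=${2:-img}
    # Modes other than the 755 (directories) / 644 (files) named in the reply.
    find "$root" -type d ! -perm 755 | tag DIR_MODE
    find "$root" -type f ! -perm 644 | tag FILE_MODE
    # Hidden directories, like the .cache folder that kept refilling.
    find "$root" -type d -name '.?*' | tag HIDDEN_DIR
    # PHP scripts have no business in a folder that only serves images.
    if [ -d "$root/$media" ]; then
        find "$root/$media" -type f -name '*.php' | tag PHP_IN_MEDIA
    fi
    # .htaccess files carrying the access overrides quoted in the post.
    find "$root" -type f -name '.htaccess' \
        -exec grep -liE '^[[:space:]]*(Satisfy|Allow from all)' {} + | tag OPEN_HTACCESS
    return 0
}

# Constructed sample tree mirroring what the post describes; prints its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site/img/.cache"
    : > "$t/site/index.php"
    : > "$t/site/img/photo.jpg"
    : > "$t/site/img/index.php"
    : > "$t/site/img/generate.php"
    : > "$t/site/img/.cache/some-movie.cache"
    printf 'Allow from all\n' > "$t/site/img/.htaccess"
    chmod 755 "$t/site" "$t/site/img"
    chmod 644 "$t/site/index.php" "$t/site/img/photo.jpg" \
        "$t/site/img/index.php" "$t/site/img/generate.php" "$t/site/img/.htaccess"
    chmod 777 "$t/site/img/.cache"
    chmod 666 "$t/site/img/.cache/some-movie.cache"
    printf '%s\n' "$t"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree)
audit_webroot "$sample/site" img
rm -rf "$sample"
```

Anything the audit reports still has to be reviewed by hand before deletion, since a legitimate plugin can also ship a hidden directory or its own .htaccess.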
