A friend of mine recently had his site hit with a Google pharma spam attack. I went in and found some rogue php files as well as a compromised WordPress file. I got all that cleaned up and then did a bunch of searches based on the obfuscation techniques they used (str_rot13, base64_decode, the usual) and found nothing else. I looked at the entries in the wp_options table and didn’t find what some sites have warned of from such attacks.
One of the attack files mentioned wp-content/cache/data, and in that directory were a bunch of files dated 4/14/2011. They have hexadecimal names and the contents — ranging from 3k to 11k — LOOK like base64/gzcompressed strings, but decoders have failed to work on the ones I’ve tried (you can see one here if you wish to try your hand with it: http://dl.dropbox.com/u/1732496/9bce95fe8525f7aab607941e33b39f3a ) I saved the directory and then deleted it and everything seemed to run fine, so I assumed it was part of the attack. (Since the attack code is so obfuscated I haven’t figured out the exact purpose of referring to this directory.)
Today I checked in after a week and the directory is back, along with more files, again all dated 4/14/2011. I don’t see any indications of compromised or malicious files anywhere, so I’m not sure what is creating these. My friend doesn’t use any caching plugins, so this is all very suspicious. I can’t find anything referring to “wp-content/cache/data” in plaintext, but of course it may be well obfuscated (which I also don’t see any indications of anywhere.)
Does anyone have any idea what these files might be and, if they’re malicious, how I might be able to go about finding their source? (Another wrinkle to this problem: I only have ftp access to my friend’s site, other than WP admin access, as his provider doesn’t do shell access. Still, with some creative tinkering I can run some stuff like grep and database queries.)
- The topic ‘Odd "cache" files in wake of pharma spam attack’ is closed to new replies.