Support » Fixing WordPress » Question About Possible Hack of Site

Viewing 15 replies - 76 through 90 (of 161 total)
  • For instance I can tell you that looks like it is running an apache server. Not real common on hacked windoze systems


    I guess my previous life causes me to be extra extra careful – I look at finding the signature as just a validation the system was compromised rather than the ONLY compromise.



    Well I agree a multiprone approach is a good idea. However if you go back three days in backups you might have function_gpc somewhere in them too. Afterall who knows many advances this hack has gone through.

    Bottom line is do several things. That is what I am doing.


    Violent agreement – hence why I keep a pristine code base laying around for deployment. The only thing I took from my active backups are my database and my image files. Everything else in that VirtualServer tree is history. Even checked my database for entries made over the last couple of days, users that shouldn’t be there etc.


    @rwboyer, how do I identify compromised files? I looked for function gpc_ in the index.php file, but it’s not there. I looked for recently updated files, the only one I can find is .htaccess. I saw another thread that said I should delete that file… does that make sense?

    I would not delete .htaccess


    what system are you running wordpress on?

    can you look at your webserver access logs?

    can you do any kind of advanced file search based on change dates or content?


    Joseph Scott



    If you have specific details on the steps to reproduce this please email

    I have been trying to reproduce the problem on a test WP 2.7.1 install (since someone specifically mentioned that version) and so far have not been able to reproduce the problem.

    The HTTP POST request with the base64 encoded data to xmlrpc.php might be part of the problem, but so far I haven’t seen any information to indicate (nor have I been able to reproduce) that the attack originated with that request. It could be a step in the hack after they’ve already broken in via other means.

    Information has been made available to wordpress already this year by CoreLabs around june/july.


    My host is called 1&1. I don’t know what kind of system they use — how would I be able to tell?

    I stumbled on a Logs subdirectory, which has two files dated today — http://ftp.log and access.log.36.5

    Other than .htaccess, I have not found any files dated today. Two days ago I posted successfully and I find a .jpg file associated with that with the proper date, but I can’t find any system-looking files that are any more recent than June, the last time I reinstalled.

    I’m not aware of any way to do file searches for change dates – I’m using Windows Explorer to look at the directory. I’ve tried painstakingly opening every subdirectory to check file dates, but there are dozens and dozens of nested subdirectories, I get lost.


    I sent you my logs so you can see if you can infect a copy of your own.

    Joseph Scott



    If it is one of those already known hacks then it isn’t a hole in xmlrpc.php.

    Andrea Rennick


    Customer Care at Copyblogger Media and Studiopress

    “I wish WP would have a path command so we could move the files into this kind of setup if we wanted. “

    Actually it does. Look in the wp-config files, plenty of declarations there for changing the default dirs.

    I have access to my logs but it’s huge, like 800MB. How does one go about looking at such a huge log file? That is, what sort of program/utility can I use to see the data from yesterday (which is when my site was hacked).

    There is only real var which is the absolute variable for directories. However move the entire wp-admin, wp-content, wp-includes, etc to a non web accessible folder and no go.

    There should be just a few files on the web accessible side that load the core system in a non web accessible path.

    So for wp-admin.php only index.php should be there. Which simply calls wp-config.php and loads the custom absolute path which contains the wp-content, wp-includes, wp-admin, etc.

    Of course so many mods are programmed not to follow that logic which is to bad.

Viewing 15 replies - 76 through 90 (of 161 total)
  • The topic ‘Question About Possible Hack of Site’ is closed to new replies.