Support » Fixing WordPress » Security Alert? A7A php mailer

  • I moved my WordPress blog to a new host last week, installing it by hand since Fantastico did not at the time have version 2.0.2.

    Today, when using FTP, I noticed a new directory had been added to the root of that domain (in public_html) called A7A. At first I thought it was a plugin. When I looked at the text file there, it appeared to be a php mailer of some sort.

    I feel that someone/something has hacked into my directory to add this program, which presumably would be used to send spam.

    I deleted the A7A directory, but wonder if there is some additional protection I need to add, without compromising the functionality (writeability) of my blog. Permissions on the public_html directory are: drwxr-xr-x

    Or is this a security flaw that WordPress needs to investigate?



Viewing 15 replies - 1 through 15 (of 20 total)
  • I would doubt this, but I would certainly change every password you use on that domain without delay.
    Have you alerted your host?

    I don’t think this is a wordpress security flaw. Sounds more like an issue with your host or your passwords

    I agree with podz, and just want to add that it could be something your web host puts in your document tree, for example as a proxy for your mail.
    Check with your host if this is something normal.

    I have checked with the hosting company, and they thought it was a security exploit in WordPress 2.0.2.

    I will change my password.


    just curious- what hosting company are you using?

    just curious- what hosting company are you using?

    looks like site5

    dworsky said:
    I have checked with the hosting company, and they thought it was a security exploit in WordPress 2.0.2.

    On what did they base this conclusion? I find it highly irresponsible for people to post crap like this when there are no facts to substantiate such a claim. If your host thinks that there is a legitimate flaw, then they should act upon it for the safety of their own servers and ensure that they have gathered every scrap of information and then pass it along to .

    If they simply blow this off as a WP security flaw and do nothing more about it, then they are not the kind of host I would ever use.

    I posted my problem in a public customer to customer forum at Site5… and the quasi-moderator of the forum was the one who replied. I am not even sure if he is a paid employee.

    He said:

    “Sounds like you found a wordpress exploit. The odds are the hacker wil be back.

    Those open source scripts . . .

    There are only so many solutions:

    1) wordpress plugs the hole and you apply the update
    2) you plug the hole (if you are good at coding)
    3) remove the script

    directories should be chmod 755.

    I really *do* like Site5 and don’t know what they could/should do.


    This is NOT a wordpress exploit.

    If it is, tell Site5 to post in this forum that it is not their fault at all. They cannot do that – because it IS their fault.

    I posted my problem in a public customer to customer forum at Site5… and the quasi-moderator of the forum was the one who replied. I am not even sure if he is a paid employee.

    Given his post, I’d take anything he says with a grain of salt. He’s just making stuff up as he goes along.

    While he is correct that it is theoretically possible that it’s a WP exploit (because any PHP script can have an exploit in it), this is unlikely for many reasons:
    – No currently known exploits exist for the latest versions
    – There have not been a large amount of hacked WP blogs recently, which you would expect if somebody found a real exploit

    More to the point, if he is somebody in a position where he could investigate the matter, clearly he has not done so and simply blamed WordPress. That’s not the kind of response you want from a hosting provider. Yeah, if I got that sort of response, I’d drop the host like a bad habit. If they’re not concerned about security, then I don’t want them to have my business.

    I really *do* like Site5 and don’t know what they could/should do.

    What they SHOULD do is actually investigate instead of talking out their ass about it being a WP exploit. If it is a real exploit, then they should find out what the exploit is and tell the world, like any good netizen. If it’s not an exploit, then even suggesting that that is what it is is downright irresponsible and, yes, possibly criminal.

    In any case, I’m adding Site5 to my own list of “hosts not to do business with”.

    As for his comments on Open Source, you might tell him that the forum he’s posting on is not open source, but that it is “visual source”, meaning hackers can see the code to it as well. For that matter, the webserver hosting his forum runs Apache, which *is* open source. As is all other software that comprises the very backbone of the whole bloody internet. He uses open source software every single day, as does everybody else on the planet. So his comments about Open Source are not only fairly stupid, but ignorant of the facts as well.

    For anybody who feels like commenting on this on their forums, you can find the actual post here:


    a good host can literally “see” what venue was exploited to hack an account. Its a bit of work though, and many are too lazy to do that.

    I’m lucky insofar that my reseller account sits with a host who is anything but lazy. Their safety measures are great to start with, but during those very few instances over the past 4-5 years that a site got hacked, they could precisely pinpoint which was the fault and venue and even name the file and precise entry method.

    It usually was indeed a script not updated inspite of a security warning, they didn’t blame the script either, nor did they take down any accounts, they just politely asked to have the script updated. But it sure helps to get a precise point of entry and filename.

    So, I recommend a better host.

    I maybe should have saved the files that I found in my public_html area in the folder a7a… but I deleted the whole thing, thinking it was bad (and it probably was).

    Uninformed me would think this makes it almost impossible for my host, Site5, to do any detective work at this point.


    dworsky: They can examine the server’s log files, if they have a clue. But it sounds like they don’t. Regardless, if they can’t tell you how their servers got hacked, do you really want them to be managing your servers?

    Reposting my post to the site5 forum. I’ve tweaked the content a bit… 😉

    WordPress is pretty darn secure. Note that the forums at site5 are community forums, NOT a tech-support forum. You should open a ticket IMMEDIATELY with site5’s support team, and have them dig into this further. Any discussion here as to whether ‘site5 looked into it’ is premature, as they haven’t…

    You should also download your access logs and take a look yourself. If it’s something via the web, it should show in the logs.

    It’s important to note that WP 2.0.2 is pretty darn secure, no known exploits at this time. HOWEVER, you could have plugins, or other scripts, that you are making use of that aren’t completely secured.

    I’ve double-posted this in both forums to make sure it gets read. Definitely ALWAYS open a >support ticket< and make sure support looks into a breach. I don’t think it is WP just on the surface, needs investigation by techs. Forums are almost never the route to actual support staff at most ‘real’ sites.


    “If your host genuinely believes that WordPress has a vulnerability that they have discovered they owe it to the wider community to submit that information – without delay – to Until then, it’s entirely their problem.”

    and if it IS a WP problem – why is it on THEIR fantastico?

Viewing 15 replies - 1 through 15 (of 20 total)
  • The topic ‘Security Alert? A7A php mailer’ is closed to new replies.