what are the permissions of your themes files?
777? 666?
I noticed you are attempting to hide the version of WP you are using — youre running 2.3.2 🙂
The files are set to 644.
Yeah, I am running 2.3.2 – as I said in my first post – and yeah, I have removed it from the header, as was suggested on one of the many sites I found while attempting to diagnose the problem I outlined above.
I’m not sure what significance your comment holds. Seriously, is there something wrong with not showing the version number?
Seriously, is there something wrong with not showing the version number?
No. It doesn’t actually help or anything, but there’s nothing wrong with it.
He may have hacked your core files or left a backdoor in there or got in through a plugin or something. Replace all the WordPress files with fresh ones. Deactivate your plugins and see if they may have known compromises for them before reactivating them. Look through your server logs to see how he’s getting in.
no 🙂 and I dont see where you said what version you were running, but I might have missed it.
The significance of it lies in the version being the most important thing when someone says something about being hacked. Since I dont see it mentioned in your post above — I went to see on your site.
Re-reading, I see now that you indicated you are running the “latest” — I skipped right over that, since its not a version number.
So I go look, and you have removed it, which is fine, Ive removed mine. There are other ways to get a WP version number though, thats all I was alluding to.
You mention also checking to make sure yur plugins are up to date.. thats great, if the authors of the plugins have actually taken the time to take care of any security issues.
Are any of them listed here:
http://wordpress.org/support/topic/154770
Thanks guys,
whooami, I’m not using any of the plugins that are listed in the linked post – I wasn’t having a go at you about the version number, I was genuinely asking if removing it was an issue.
Otto42, I’ll replace the files as you suggest and see if that prevents it from happening again.
I’m still curious to know if this is has happened to others here. As I said, I found several exploited sites just by doing a quick google search, but it doesn’t seem like there is a known ‘hole’ or even that other people aware that it’s happening.
elroyel1327, I wasnt worried 🙂 If youre curious though, your version # is displayed prominently in all of your feeds 🙂
AH HA! On following up with Otto42’s suggestion I was just running though the files list and comparing it to the default file list from a new install of WP – sure enough there was a wp- prefixed file there that wasn’t suppose to be.
It appears that somehow someone had managed to install a r57shell file on the server (which I’ve now removed).
Being that this sort of thing is completely beyond my understanding, how should I go about preventing this from happening again?
Did you happen notice the timestamp on the file? if you did, I would be looking through my apache logs like a fool — that timestamp would make it much easier to track down.
Again, thats a root shell exploit, and they are typically accomplished using RFI attacks. They show up in your apache logs.
The best defense against those is to make sure that everything on your site is secure, and coded properly, and to make sure your host is also running secure software.
Beyond that, theres always mod_security, upgrading to PHP5 (which closed the hole on most RFIs)
Theres also plenty of reading:
http://en.wikipedia.org/wiki/Remote_File_Inclusion
I’ll be reading up for sure.
Thanks for your help with this whooami and Otto42, it’s very much appreciated.
