WordPress.org

Support

Support » How-To and Troubleshooting » [Resolved] suspicious "sitemap.php" file added to public_html dir

[Resolved] suspicious "sitemap.php" file added to public_html dir

  • euchapelice
    Member

    @euchapelice

    hi,

    i wanted to ask if anyone has encountered a situation similar to this and how it was patched/fixed (to prevent future hacks).

    i recently experienced anomalous output on some pages on a wp site i manage. a viewer would go to the site, look at some pages and see texts inserted in the actual page text. texts like selling viagra or some other random text/spam (just texts). the number of processes running on the server (shared hosting) would spike, from the regular 1 to 2 over 25, to about 20 to 25 over 25. the site would constantly throw internal server errors. the text are randomly inserted and sometimes a refresh of the same page will make the insertions disappear. some pages viewed in diff browsers/machines will produce one hacked and one normal page.

    i have consulted our hosting service but they always say they’ll get back but then give no definite answers or they don’t get back at all.

    i also looked at some cross-site scripting or ‘pharma hack’ and other possibilities

    so, after looking for evidence or clues myself (database looks clean, the theme pages did not have inserted code etc.) i noticed a “sitemap.php” file in my site’s public_html. i double-checked and, yes, wordpress doesn’t have such a file. i looked at the file and saw code similar to this one:
    http://www.leakedin.com/2013/05/01/potential-leak-of-data-obfuscated-php-code-437/

    i’d like to know how such files could be uploaded (or written) in the public_html dir. or more important: how such hacks may be prevented, avoided (or minimized?) in the future.

    thanks for any help or point to the right direction.

Viewing 2 replies - 1 through 2 (of 2 total)
Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘[Resolved] suspicious "sitemap.php" file added to public_html dir’ is closed to new replies.