This is what my host tells me is happening, I don’t quite understand it all but I wanted to share this most recent info:
“It’s not a particular host, it’s your site. No other servers have this issue, and the old server you were on doesn’t either… whatever they found in your site they’re using. And it seems they’ve found it in other people’s sites as well.
The files were uploaded through an exploit, I’m not sure where. I’m going to check your logs to see if I can find it quickly. The processes were not running off files on the server, the command was called from another server, which allowed them to upload to the /tmp directory which all clients’ accounts can access (as it is needed for scripts to run).”
Also, I just found a new DB user on my site, neither I nor my host added this user to the MySQL.
If you have not done so already, I strongly recommend that you change all of your hosting account, FTP, MySQL user, and blog user passwords ASAP.
Everything seems to be back to normal for now, my host restored the site backups and I changed all the passwords.
I did a search on Google and it seems a lot of people are having this problem! Mean hackers.
Restoring the site backups still could restore whatever let them in the first place. Make sure to change permissions only to what they need to be and make sure you have the latest versions of things.
Estjohn, I know you’re right but I have no idea how to find the file and so far my host can’t find it. 🙁
As for permissions, I’ve changed the root wp files and all the wp-content files (except Spam Karma 2 which says it has to be 666?) to 644 and 755 (folders). I’m not sure what to change wp-images, includes and admin to? I mean, don’t those need to be writable for WP to function?
Sorry if this is a dumb question. 🙁
Incidentally, a friend of mine just had her blog hacked in the same way and all her files were CHMOD 644 and 755. It didn’t seem to make a difference.
Does your friend use the same web host?
And who IS your favorite web host, might I ask? ;->
Seems like they are using some exploit to get in. Looking at the log file you sent me, what other plugins are in your WordPress installation? I saw ‘wp-amazon-plugin.php’ and SK2, anything else?
And maybe you can also send the info for your friend’s plugins…
If we assume for a second that WordPress doesn’t allow for any exploits, it should be one of the plugins…
I don’t know where my friend is hosted, I emailed her about it. I’ll ask about her plugins also.
I’m hosted at EStarr.com, they have been very helpful in trying to resolve this and if it weren’t for them my sites wouldn’t be working right now. They haven’t been able to locate the hack file though.
Let’s see, the plugins I have in my folder (though I don’t use all of them) are:
Spam Karma 2: http://unknowngenius.com/blog/wordpress/spam-karma/
Adhesive: http://www.asymptomatic.net/wp-hacks
Kittens Friendly Comments: http://mookitty.co.uk/devblog/category/friendly-comments/
The default Hello Dolly and Markdown plugins
Kittens Spam Words: http://blog.mookitty.co.uk/devblog/kittens-spam-words/
Links Page: http://www.asymptomatic.net/wp-hacks
MiniPosts: http://doocy.net/mini-posts/
Project Plugin: http://scapermoon.net/
Spam Karma 1
Textile: http://www.huddledmasses.org/
WP-Amazon: http://manalang.com/wp-amazon
Contact Form: http://ryanduff.net/projects/wp-contactform/
Wp Grins: http://www.alexking.org/software/wordpress/
// Edit: The only plugins I have in common between my two hacked blogs are the project plugin and the default WP plugins. The project plugin is what controls those little progress bars on my sites //
Ok, this is not very comforting… my blog was working PERFECTLY about an hour ago, and without a visible reason, it has ceased to function.
I was witnessing the same problem stated here, had un 777/666’ed my files to 655/755 and even double checked all my passcodes and SQL users… now I have this error:
Parse error: parse error, unexpected $ in /home/jamesme/public_html/blog/wp-content/plugins/edit-comments-full.php on line 210
Righton – what you are seeing is a file error, not a hacking you’ll be relieved to know.
edit-comments-full.php
When did you add the above plugin and have you edited it at all? Try deleting it and uploading another – don’t overwrite, delete first.
I haven’t installed anything.
I just deleted it… everything functions perfectly.
Odd, because that wasn’t there the other day, and I haven’t installed a plugin in over a month.
Deletion fixed it.