ilrosewood
Forum Replies Created
Forum: Fixing WordPress
In reply to: Hack affecting WordPress login
aimutch – download a full copy of your site to your computer. Then use a program like notepad++ that can do a recursive search of the contents of all the files that you downloaded.
Search for base64_decode — almost all backdoors are obfuscated by encoding their wares in base64. There are some times where base64_decode is called that is legit.
http://pastebin.com/yKuaSN5x is what my malicious code looked like.
If you see a line like that, remove it, re-upload, and if your site still works, great.
http://sitecheck.sucuri.net/scanner/# — when I’d run that scan whilst infected it would show up there as infected. Once I removed the offending code and the whois.dat file the site showed clean.
Forum: Fixing WordPress
In reply to: Hack affecting WordPress login
I don’t know why diff -qr didn’t find this nor a find but…
I downloaded the latest wordpress to my local machine and then I downloaded the entire site so that I could go file by file. If it took all night, I didn’t care.
But I ran the latest wordpress download against the site download through beyond compare and I finally found an out of place file — /wp-includes/feed-comments.php which had a clear as day base64 decode.
So I’ve nuked that file and the whois.dat that it was serving.
The backup I had from may was of the site files only and not the wordpress files. I checked the backup from the original hack on 8-31 and the modified files were there. I compared the other site that was hit with the same hack and it had the same modifications.
It created a global called _abc_ so I searched all files for “abc” to see if anything was calling that global and I checked the db for that call as well.
Hopefully this finally gets rid of this stupid thing. Is there a clearing house that takes these hacks to break them down / trace them?
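Added example, not part of the original posts: the two checks described above (comparing the downloaded site against a fresh WordPress download, and searching for base64_decode) combined into one pass over the core directories. The function names, the default directory list and the constructed sample trees are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# base64_decode is the marker named in the posts; legitimate code calls it too.
SUSPECT = re.compile(rb"base64_decode\s*\(")

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(clean_root, site_root, core_dirs=("wp-admin", "wp-includes")):
    """Return sorted (path, status, has_base64_decode) for extra or modified core files."""
    clean_root, site_root = Path(clean_root), Path(site_root)
    findings = []
    for core in core_dirs:
        base = site_root / core
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file():
                continue
            rel = path.relative_to(site_root)
            reference = clean_root / rel
            if not reference.is_file():
                status = "extra"      # file does not exist in the clean release
            elif sha256(reference) != sha256(path):
                status = "modified"   # file exists but its contents differ
            else:
                continue              # identical to the clean release
            flagged = bool(SUSPECT.search(path.read_bytes()))
            findings.append((rel.as_posix(), status, flagged))
    return sorted(findings)

def demo():
    """Audit two constructed trees (stand-ins, not real WordPress files)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "feed.php").write_text("<?php // stock\n")
            (root / "wp-includes" / "version.php").write_text("<?php // v1\n")
        # Constructed: one planted file and one altered core file.
        (site / "wp-includes" / "feed-comments.php").write_text("<?php base64_decode('');\n")
        (site / "wp-includes" / "version.php").write_text("<?php // v2\n")
        return audit(clean, site)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

wp-content is left out of the default core_dirs because themes, plugins and uploads differ from the release by design; search it for the marker separately.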
Forum: Fixing WordPress
In reply to: Hack affecting WordPress login
I too have experienced this exact same hack on multiple sites.
I did a SQL dump and went through it line by line and couldn’t find anything malicious or out of place.
I’ve gone back through my theme and none of the theme files have been modified since the previous backup in May.
I’ve rm -rf’d everything and started the site back from scratch.
I’ve looked for modified files and the only file I can find is the whois.dat file in the root directory. No files make a reference to whois.dat nor do any of the SQL records.
I previously had followed the hardening guide in the codex and I did it again when I reinstalled — so I set the file permissions for files and directories per that guide.
After the hack I changed the mysql password and updated the wp-config file.
I’ve also updated all passwords for users.
When the site is compromised I never see the compromised site. Everything always looks fine to me other than the /wp-admin not working as aimutch described.
aimutch — if you’ve been able to figure this one out, please let me know. I’ve been fighting this since about 8/30 and it is driving me batty.
Forum: Plugins
In reply to: Multiple blog view
I got what I wanted working.
I took the page.php and edited it to form a new template that I could apply to the page.
The code I needed was:
<?php $recent = new WP_Query("cat=6&showposts=7"); while($recent->have_posts()) : $recent->the_post();?>
<?php the_permalink() ?><?php the_title(); ?>
<?php the_excerpt(); ?>
<?php endwhile; ?>
Changing cat=6&showposts=7 as needed and then marking up what it spit out.