Title: omueller's Replies | WordPress.org --- # omueller [ ](https://wordpress.org/support/users/omueller/) * [Profile](https://wordpress.org/support/users/omueller/) * [Topics Started](https://wordpress.org/support/users/omueller/topics/) * [Replies Created](https://wordpress.org/support/users/omueller/replies/) * [Reviews Written](https://wordpress.org/support/users/omueller/reviews/) * [Topics Replied To](https://wordpress.org/support/users/omueller/replied-to/) * [Engagements](https://wordpress.org/support/users/omueller/engagements/) * [Favorites](https://wordpress.org/support/users/omueller/favorites/) Search replies: ## Forum Replies Created Viewing 10 replies - 1 through 10 (of 10 total) * Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/) In reply to: [[Geo Tag] Markers not showing](https://wordpress.org/support/topic/markers-not-showing-1/) * [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [11 years, 7 months ago](https://wordpress.org/support/topic/markers-not-showing-1/#post-4991500) * : plugin is still working great in post edition mode under wp 3.9.2 but I also can’t display the markers. * (PS: to get the correct map, you will first need to patch your plugin code according to [http://wordpress.org/support/topic/i-like-it-but-there-is-a-show-stop-bug-in-096?replies=1#post-](http://wordpress.org/support/topic/i-like-it-but-there-is-a-show-stop-bug-in-096?replies=1#post-)) * Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/) In reply to: [[W3 Total Cache] [Plugin: W3 Total Cache] varnish cache not purged – sends GET requests instead of PURGE](https://wordpress.org/support/topic/plugin-w3-total-cache-varnish-cache-not-purged-sends-get-requests-instead-of-purge/) * [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [13 years ago](https://wordpress.org/support/topic/plugin-w3-total-cache-varnish-cache-not-purged-sends-get-requests-instead-of-purge/#post-2718287) * Hello & many thanks for this useful plugin! * Just a small feature request for the next update: it seems the cache is emptied as soon as somebody creates a new post (post_status = “auto-draft” in the wp_posts table). * Maybe you could ignore these specific posts until they are completely ready and published ? Otherwise the cache gets emptied pretty often, especially on a busy page with many redactors like on our system. * Kind regards, Olivier * PS: strangely, it seems all pages are then gone from the cache, even if the plugin only purges /category/(.*), /, /feed and the new post. But simply ignoring auto- draft posts should solve this anyway… 🙂 * Forum: [Themes and Templates](https://wordpress.org/support/forum/themes-and-templates/) In reply to: [Horizontal scrolling transition for WP-based pages ?](https://wordpress.org/support/topic/horizontal-scrolling-transition-for-wp-based-pages/) * Thread Starter [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [13 years, 8 months ago](https://wordpress.org/support/topic/horizontal-scrolling-transition-for-wp-based-pages/#post-2894501) * This looks pretty cool Andrew, thanks for your feedback ! Also if your webpage does not seem to use wordpress. Or would you have something similar as wp-theme? * I also saw some nice examples under [http://www.designinsocial.com/](http://www.designinsocial.com/)( but vertical) and some jQuery.ScrollTo-based stuff or similar. * Regards, O. * Forum: [Themes and Templates](https://wordpress.org/support/forum/themes-and-templates/) In reply to: [Horizontal scrolling transition for WP-based pages ?](https://wordpress.org/support/topic/horizontal-scrolling-transition-for-wp-based-pages/) * Thread Starter [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [13 years, 8 months ago](https://wordpress.org/support/topic/horizontal-scrolling-transition-for-wp-based-pages/#post-2894499) * No idea yet… Ok, then I will try to do something by myself, also if it will probably take a long time 🙂 Cheers, O. * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/) * Thread Starter [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [15 years, 4 months ago](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/#post-1772793) * No, I can’t be sure as I’m just the sysadmin there, no the webpage manager, but the spam-relay-issue is a problem for me, so that’s why I’m looking at that… But there was probably a problem before, because the blog was already relaying spams before the upgrade to 3.0.1 (it’s why it has been upgraded). * DB looks ok, just one admin user and a few standard users. * FTP log also ok, so it most probably came from the web. I will check the weblogs archive later. * index.php is the same as in the wordpress-3.0.1.zip distribution. * I guess there must be some files from old installations laying around… We’ll try an installation from scratch later this week or next week. * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/) * Thread Starter [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [15 years, 4 months ago](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/#post-1772789) * Checked and nothing. All these “old” injections were for much older versions of WordPress: 3.0.1 is installed here… 🙂 * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/) * Thread Starter [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [15 years, 4 months ago](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/#post-1772787) * thanks for your feedback heincredibleDude! Yes, it’s similar to this 2008 bug, but not exactly the same. I checked the files for “_wp_debugger” and other things( _POST[‘file’]) but with no success. * index.php has been modified by the webdesigner, but doesn’t seem to contain any“ bad” or injected code. But I also see many old files (from 2008) which should probably have been deleted or at least updated. * I also just found a directory called “…” (3 dots) in the wp-content directory with some “strange” things inside: * ``` drwxrwxr-x 10 512 Aug 30 00:58 . drwxrwxrwx 10 512 Oct 26 14:13 .. drwxr-xr-x 4 512 Aug 30 00:58 addthis -rw-rw-r-- 1 677 Aug 27 12:03 adrotator.php drwxrwxr-x 5 512 Aug 24 2009 audioplayer -rw-r--r-- 1 2240 May 3 2010 hello.php -rw-r--r-- 1 30 Apr 15 2009 index.php drwxrwxr-x 4 512 Feb 6 2009 photopress -rw-rw-r-- 1 133120 Jun 10 2009 photopress.tar -rw-rw-r-- 1 39846 Jun 10 2009 photopress_1.5.2.zip drwxrwxrwt 4 512 Jul 26 2009 postie -rw-rw-r-- 1 1331253 Jun 10 2009 postie.1.2.3.zip -rw-rw-r-- 1 1474560 Jun 10 2009 postie.tar drwxrwxr-x 7 1024 Aug 24 2009 proplayer drwxr-xr-x 5 512 Aug 27 14:49 quick-cache -rw-rw-r-- 1 1823 Jun 10 2009 redirectify.php drwxrwxr-x 2 512 Jan 4 2010 videos-plugin -rw-rw-r-- 1 31091 Jun 10 2009 wp-db-backup.php -rw-rw-r-- 1 52709 Jun 10 2009 wp-super-cache.0.9.4.3.zip -rw-rw-r-- 1 7613 Jun 10 2009 wp-xmlmigrate.php drwxr-xr-x 2 512 Aug 30 00:36 youtube -rw-rw-r-- 1 1497 Jun 10 2009 youtube.1.php ``` * but there doesn’t seem to be any include “…/xyz” in the code. Maybe it was removed with the 3.0.1 upgrade, but there is definitely something to be done there. * I will ask the webmaster to do a clean installation and to remove any old file first. * To be continued! regards, O. * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/) * Thread Starter [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [15 years, 5 months ago](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/#post-1772719) * Strange, would I be the only one with this spam-problem? * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/) * Thread Starter [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [15 years, 5 months ago](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/#post-1772454) * And here the “disabled” hack code (just to give an idea, otherwise there is no way to answer the issue anymore…). Hack-code has been removed. * The question is why WordPress simply runs this code coming form a POST request with “file=xyz” as parameter ? Does it happen by default, or is it a bad configuration from the blog owner? * 1) “raw” POST request: * ``` Request: domain.ext 95.168.210.229 - - [16/Nov/2010:13:18:16 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" jSLZPj4wA4wA ANRuqbIAAAAA "-" ---------------------------------------- POST / HTTP/1.1 Host: domain.ext Cookie: 545a398915a49f25=46b6f4af9be2faec;_wp_debugger=b5a7308802027b504c188deac3fa5c40; User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Content-Length: 8389 Content-Type: application/x-www-form-urlencoded Expect: 100-continue 8389 file=QGV2YWwoZGVjcnlwdCgi... [censored] [censored] [censored] ...CiAgICB9DQogICAgcmV0dXJuICRyZXM7DQp9 HTTP/1.1 200 OK Expires: Tue, 09 Nov 2010 12:18:16 GMT Last-Modified: Tue, 16 Nov 2010 12:18:16 GMT ``` * 2) Decoded request: * ``` @eval(decrypt("...[censored]...") [...] ``` * 3) Final spam code: * ``` unset($_POST['file']); $stage="second"; [...] $domain = substr($from, strpos($from, "@"), strlen($from)); $header = "From: ".$realname." <".$from.">\r\n"; $header .= "Message-Id: <130746".mt_rand(1000,2000).".".mt_rand(0,2000).$domain.">\r\n"; $header .= "MIME-Version: 1.0\r\n"; $header .= "Content-Type: text/html\r\n"; $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n"; $header .= nl2br($message)."\r\n"; if(mail($to,$subject,"",$header)) echo "mail_good"; [...] ``` * Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) In reply to: [mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/) * Thread Starter [omueller](https://wordpress.org/support/users/omueller/) * (@omueller) * [15 years, 5 months ago](https://wordpress.org/support/topic/mail-spam-relay-over-301-post-exploit-base64_decode-eval-decrypt/#post-1772445) * PS: just checked the logs, and it always seem to come from this host: unn-95- 168-210-229.superhosting.cz (95.168.210.229), with a spam about every 5 minutes. Since it is blocked (with the .htaccess), it tries other urls… * ``` unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:07:14 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:18:15 +0100] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:18:15 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /?s=google HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /wp-atom.php HTTP/1.1" 403 213 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:10 +0100] "POST /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:33 +0100] "POST / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" [...] ``` Viewing 10 replies - 1 through 10 (of 10 total)