toastmasterflash
Forum Replies Created
Forum: Fixing WordPress
In reply to: Resolving XMLRPC.PHP DDOS attack with htaccess redirect?
This is happening to me also. After my host warned me, it looks like this has been happening for many months and I was not seeing it in my logs.
I just put the block on xmlrpc.php and will watch my stats for the next few weeks. I also banned the IPs that were doing it, about 10 of them.
Forum: Fixing WordPress
In reply to: Several of my blogs have been hacked
Oops, the code sample was removed, so here it is in pastebin: http://pastebin.com/6hZ6ffeW
Forum: Fixing WordPress
In reply to: Several of my blogs have been hacked
No. Site 5.
Forum: Fixing WordPress
In reply to: Several of my blogs have been hacked
Was the code in directories other than the mini forms? Or outside of your wordpress directory?
Forum: Fixing WordPress
In reply to: Several of my blogs have been hacked
One more thing, I am still not sure what exactly that code was up to, I googled around but never found a definitive answer. It wasn’t installing malware when I was clicking around my site. I am curious about what it was doing.
Forum: Fixing WordPress
In reply to: Several of my blogs have been hacked
The same thing happened to me. Here’s what happened and what I did to (hopefully) resolve:
My site was hanging, it would show the header and then hourglass for a while, then after a long while (45 seconds or so) show the rest of the site. I eventually found that many of my theme’s php pages (header.php, footer.php, index.php) had weird text blocks appended to them, beginning with
[Code moderated as per the Forum Rules. Please use the pastebin]
and being hundreds of lines long. I started deleting that text and found the problem did not go away. I ftp’ed into my site and found that it was everywhere, not just in my wordpress directory but out in folders all over my site: in every theme folder (I had about 8), and in random php files from old versions of my site. I tried deleting the lines manually but realized there were way too many to do in a reasonable amount of time. Googling found different accounts of this same thing, and some had their .htaccess files hacked as well but mine was normal.
Luckily my host has a 30 day backup/restore and I restored back to a previous version that was problem free, and therefore didn’t have to go in and manually clean up my site. This was of both the static pages in my site and also the databases.
FTP logs showed repeated failed ftp access attempts during the night before I found my site slow, so it appears they ftp’ed in. Since they were in directories that were not part of wordpress, I am guessing it was not a wordpress attack but an ftp password attack. I don’t know that for sure though.
Before I found the malicious text it was very hard to figure out what was going on because everything was hanging, even my backup site in a different directory. That made me think it was a server, software, or networking issue with my host and I wasted a lot of time trying to prove that out.
At the time of the hack, my wordpress was fully up to date but I did have some out of date plugins. I won’t list them since I don’t think they were the culprits. My passwords were slightly complex, but words only with no numbers or symbols. After restoring I changed all of my passwords (the sitehost admin panel, wordpress, ftp) to crazy long complicated ones. I have been ok since then and if something else happens I will update.