• I’m hoping that someone can help me out on this. I have a site that files were added to. I had WP File Monitor added and it notified me that files were added to wp-includes/images and then a couple of files were changed. I removed them and then added WP Defender in the hopes that it would tell me if I had security set up wrong on a folder or something.

    WP Defender did find a couple of things but they were all very minor, low alerts. But whatever is going on keeps happening. I will go through and remove/restore things and then in a day or so, they are all right back. Here is a list of the files added/changed from the WP File Monitor plugin. I’m hoping that someone here recognizes what this is and now I can fix my site to not let them in anymore.

    Files Changed:

    /wp-content/plugins/index.php
    /wp-includes/post-template.php

    Files Added:

    /wp-content/plugins/jquery-lightbox-for-native-galleries/wp-ajax-gadget.php
    /wp-content/plugins/wassup/zipper-class.php
    /wp-includes/images/list10.gif
    /wp-includes/images/list106.gif
    /wp-includes/images/list914.gif
    /wp-includes/images/list98.gif
    /wp-includes/images/nix156.doc
    /wp-includes/images/nix252.doc
    /wp-includes/images/nix380.doc
    /wp-includes/images/nix572.doc
    /wp-includes/images/nix580.doc
    /wp-includes/images/nix676.doc
    /wp-includes/images/nix732.doc
    /wp-includes/images/nix772.doc
    /wp-includes/images/nix828.doc
    /wp-includes/images/nix868.doc
    /wp-includes/images/pub281.jpg
    /wp-includes/images/pub377.jpg
    /wp-includes/images/pub608.doc
    /wp-includes/images/pub665.jpg
    /wp-includes/images/pub705.jpg
    /wp-includes/images/pub761.jpg
    /wp-includes/images/pub801.jpg
    /wp-includes/images/pub857.jpg
    /wp-includes/images/pub953.jpg
    /wp-includes/images/sched15.tar
    /wp-includes/images/sched734.gif
    /wp-includes/js/scriptaculous/query.js.php

    Has anyone else experienced this or have any idea what I can do to make this stop happening?
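
An added example, not part of any post in this thread and not WP File Monitor's code: a baseline-and-compare check that produces the same kind of added/changed report as the one above, then triages each added file. The triage rules (any new `.php` file, non-image extensions under `wp-includes/images/`, image extensions whose leading bytes are not an image header) are assumptions drawn from the file names in the list, since the thread does not say what the files contain.

```python
import hashlib
import os

# Leading bytes expected for the image types that ship in wp-includes/images.
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".jpg": (b"\xff\xd8\xff",),
               ".jpeg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG\r\n\x1a\n",)}

def snapshot(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result

def compare(baseline, current):
    """Return (added, changed, removed) path lists, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, changed, removed

def triage(root, rel):
    """Return reasons an added file deserves a closer look (empty list if none)."""
    reasons = []
    ext = os.path.splitext(rel)[1].lower()
    if ext == ".php":
        reasons.append("new PHP file not in baseline")
    if rel.startswith("wp-includes/images/"):
        if ext not in IMAGE_MAGIC:
            reasons.append("non-image extension in core images directory")
        else:
            with open(os.path.join(root, rel), "rb") as fh:
                head = fh.read(8)
            if not head.startswith(IMAGE_MAGIC[ext]):
                reasons.append("content does not match image extension")
    return reasons

def report(root, baseline):
    """Compare the tree with the baseline and triage every added file."""
    added, changed, removed = compare(baseline, snapshot(root))
    flagged = {}
    for path in added:
        reasons = triage(root, path)
        if reasons:
            flagged[path] = reasons
    return {"added": added, "changed": changed, "removed": removed, "flagged": flagged}
```

The baseline is only meaningful if `snapshot()` is taken from a known-clean copy of the same WordPress and plugin versions, and stored somewhere the web server account cannot write.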

Viewing 15 replies - 1 through 15 (of 63 total)
  • It could be a plugin.
    The only way to tell is to deactivate them all and test.

    If it stops, re-activate one by one – testing in between.

    Have you figured out how they managed to add this backdoor to your site?
    I see many sites affected by this (including mine): wp-ajax-gadget.php

    Any info on this would be appreciated.

    Thread Starter rsconsult

    (@rsconsult)

    No, I have found no other info so far other than it is not a plugin. Hopefully some other people can chime in and offer some suggestions or info.

    Are you by any chance hosted by Dreamhost?

    Thread Starter rsconsult

    (@rsconsult)

    Yes. That site is being hosted with Dreamhost. Although, I was having the issue way before they reset everyone’s password due to the security issue. Still think it may be related?

    That’s the only thing I could think of.

    Thread Starter rsconsult

    (@rsconsult)

    I was thinking they were not related due to the time I’ve had issues but who knows. I’ve cleaned out everything and reset my shell password so we’ll see if it works or not.

    I have also changed all the passwords. But damn, it just happened again!

    Added:
    wp-includes/images/nix549.jpg
    wp-includes/images/nix853.jpg
    wp-includes/images/sched399.tar
    wp-includes/images/sched958.gif
    wp-includes/images/pub137.jpg
    wp-includes/images/pub392.doc
    wp-includes/images/sched558.gif
    wp-includes/images/sched430.gif
    wp-includes/images/pub360.doc
    wp-includes/images/pub785.jpg
    wp-includes/images/pub112.doc
    wp-includes/images/nix997.jpg
    wp-includes/images/list123.tar
    wp-includes/images/nix917.jpg
    wp-includes/images/list211.tar
    wp-includes/images/pub225.jpg
    wp-includes/images/pub64.doc
    wp-includes/images/sched463.tar
    wp-includes/images/nix668.doc
    wp-includes/js/jquery/query.js.php
    wp-content/plugins/bulletproof-security/wp-ajax-gadget.php
    wp-content/plugins/wordpress-file-monitor/zipper-class.php

    Changed:
    wp-includes/post-template.php
    wp-admin/includes/.svn/class-wp-theme-edit.php
    wp-content/plugins/hello.php
    wp-content/plugins/index.php

    Any ideas?
    By the way, which Dreamhost machine are you hosted on? I’m hosted on Warsaw.

    Thread Starter rsconsult

    (@rsconsult)

    Sorry, no ideas here other than maybe put in a support ticket with DH and see if they can give more info. Most of my stuff is hosted on Proty.

    Ok, thanks anyway. I already contacted support yesterday so I’m just waiting for their reply.

    Cheers!
    Erko

    Thread Starter rsconsult

    (@rsconsult)

    I’m curious what they come up with. I hope they can give you some answers.

    Has anyone figured anything out regarding this? I’ve been having the same issue with these same files being added to my site every couple days.

    Thread Starter rsconsult

    (@rsconsult)

    @timeuser – As far as I can tell it is some type of malware. I’m not sure when it got loaded on my sites but after working on it for several months and it just kept coming back, I finally got fed up with working on it on my own. I’ve been using https://sucuri.net for the last couple of weeks and they have cleaned up several sites with no new infestations. To me it was well worth the money to not have to fight with it anymore.

    Good luck with your site.

    Yeah, I’ve considered Sucuri. I’d still like to know where this is getting in. Whether it’s through a hole in WordPress or one of the plugins, it’d be good if it could be reported and patched.

    Thread Starter rsconsult

    (@rsconsult)

    Agreed. I think my original issue was back over the summer so it is too far gone to check logs to see what may have been happening. I made the mistake of using FTP instead of SFTP a couple of times and was thinking it may have been a contributing factor. It is just as likely that something else happened though. It would be nice to know for sure so we could find a way to stop it.

  • The topic ‘Files being added to one of my sites’ is closed to new replies.