• I’m hoping that someone can help me out on this. I have a site that files were added to. I had WP File Monitor added and it notified me that files were added to wp-includes/images and then a couple of files were changed. I removed them and then added WP Defender in the hopes that it would tell me if I had security set up wrong on a folder or something.

    WP Defender did find a couple of things but they were all very minor, low alerts. But whatever is going on keeps happening. I will go through and remove/restore things and then in a day or so, they are all right back. Here is a list of the files added/changed from the WP File Monitor plugin. I’m hoping that someone here recognizes what this is and now I can fix my site to not let them in anymore.

    Files Changed:

    /wp-content/plugins/index.php
    /wp-includes/post-template.php

    Files Added:

    /wp-content/plugins/jquery-lightbox-for-native-galleries/wp-ajax-gadget.php
    /wp-content/plugins/wassup/zipper-class.php
    /wp-includes/images/list10.gif
    /wp-includes/images/list106.gif
    /wp-includes/images/list914.gif
    /wp-includes/images/list98.gif
    /wp-includes/images/nix156.doc
    /wp-includes/images/nix252.doc
    /wp-includes/images/nix380.doc
    /wp-includes/images/nix572.doc
    /wp-includes/images/nix580.doc
    /wp-includes/images/nix676.doc
    /wp-includes/images/nix732.doc
    /wp-includes/images/nix772.doc
    /wp-includes/images/nix828.doc
    /wp-includes/images/nix868.doc
    /wp-includes/images/pub281.jpg
    /wp-includes/images/pub377.jpg
    /wp-includes/images/pub608.doc
    /wp-includes/images/pub665.jpg
    /wp-includes/images/pub705.jpg
    /wp-includes/images/pub761.jpg
    /wp-includes/images/pub801.jpg
    /wp-includes/images/pub857.jpg
    /wp-includes/images/pub953.jpg
    /wp-includes/images/sched15.tar
    /wp-includes/images/sched734.gif
    /wp-includes/js/scriptaculous/query.js.php

    Has anyone else experienced this or have any idea what I can do to make this stop happening?

Viewing 15 replies - 31 through 45 (of 63 total)
  • OK, can you tell me what other forms plugins you have used before and have currently deactivated, if any?

    Hi,

    Do you have raw access logs for the last couple of days? Log analysis usually helps reveal backdoors.

    If you are not comfortable with analyzing raw logs you might want to contact me https://www.UnmaskParasites.com/contact/

    Ok, timeuser, you have a file called zipper-class inside the All-in-one SEO pack, am I right?

    There was a file called zipper-class.php, but I’ve deleted it. I have a copy of it in my daily backup though.

    That’s our first intruder: zipper-class.php is not one of the files in the All-in-one SEO pack. How did I know? I downloaded the pack to my local machine, extracted and examined it, but there is no file with that name in the standard package. Try it yourself. Download the package to your LOCAL machine and examine it. We got the first guy in, let’s go for the others.
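The comparison against the standard package described in the reply above can be automated. The following is an added example, not part of the original thread: it hashes every file in an installed plugin directory and in a freshly extracted copy of the same release, then reports files that were added, removed or altered. The directory layout and file contents in `demo()` are constructed for illustration; only the name `zipper-class.php` comes from the thread.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_pristine(installed: Path, pristine: Path) -> dict:
    """Diff an installed plugin/theme directory against a clean copy of the same version."""
    live, clean = tree_hashes(installed), tree_hashes(pristine)
    return {
        # Present on the server but not in the release: candidate dropped files
        "added": sorted(set(live) - set(clean)),
        # Shipped in the release but gone from the server
        "missing": sorted(set(clean) - set(live)),
        # Same path, different content: candidate injected code
        "modified": sorted(f for f in set(live) & set(clean) if live[f] != clean[f]),
    }

def demo() -> dict:
    """Build a constructed pristine/installed pair in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, installed = Path(tmp, "pristine"), Path(tmp, "installed")
        for root in (pristine, installed):
            (root / "lib").mkdir(parents=True)
            (root / "plugin.php").write_text("<?php // plugin main file\n")
            (root / "lib" / "helper.php").write_text("<?php // helper\n")
        # Constructed tampering: one extra file and one altered file
        (installed / "zipper-class.php").write_text("<?php // not in the release\n")
        (installed / "lib" / "helper.php").write_text("<?php // helper, altered\n")
        return compare_to_pristine(installed, pristine)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The pristine copy must be the same version as the installed one, otherwise legitimate differences between releases show up as modifications.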

    If you are using the Audio Player with these attributes:
    Audio Player
    Version: 2.0.4.1
    Author: doryphores
    then the second intruder is “wp-ajax-gadget.php”; examine the standard package. If different, please confirm. If yes, then there is one last step to do and we are all clean.

    Yes, that is correct. Audio Player should not contain wp-ajax-gadget.php.

    What about the first, am I right about it too?

    Yeah, neither of those files should be there.

    I’ve since deleted *all* the files listed in my previous post as none of them are supposed to be there.

    Patience, my friend. We just got those who got in; we need to know who opened the door for them, and whether he is outside now or still in, because if he still is, we will kick these two out, and very soon he will open the door, because he is in.
    Let’s interrogate them by copying and pasting the code inside of these two files, so they will tell us. So please copy and paste the code here.

    I just found some other files that shouldn’t exist by examining odd POST requests in my logs as suggested by @useshots above.

    /wp-content/themes/thematicfeaturesite/log/templates.php

    The /wp-content/themes/thematicfeaturesite/log/ directory had execute-only permissions on it as well, which is wrong. That whole directory should not be there. Looks to me like that may be the current entry point. Perhaps it was added during a previous exploit and I missed it. There have been a few exploits on this site in the last couple of weeks I’ve been fighting.
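The log review described in the post above, as an added example that is not part of the original thread: it scans access-log lines in Combined Log Format and counts POST requests aimed directly at PHP files under `wp-content/` or `wp-includes/`. Treating every such POST as odd is an assumed heuristic (some plugins legitimately accept direct POSTs), and the log lines, IP addresses and timestamps are constructed; only the two file paths come from the thread.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Assumed heuristic: normal WordPress POST traffic goes to wp-login.php,
# wp-comments-post.php, xmlrpc.php or wp-admin/, not to PHP files inside
# theme, plugin or core-include directories.
ODD_TARGET = re.compile(r"^/(?:wp-content|wp-includes)/.*\.php(?:/|$)", re.I)

def odd_posts(lines):
    """Count POSTs to PHP files under wp-content/ or wp-includes/ per (path, client IP)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        ip, method, target, _status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if method == "POST" and ODD_TARGET.match(path):
            hits[(path, ip)] += 1
    return hits

# Constructed sample lines (documentation IP ranges, made-up timestamps)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2013:10:01:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2013:10:01:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2013:10:05:03 +0000] "POST /wp-content/themes/thematicfeaturesite/log/templates.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.7 - - [01/Jan/2013:10:05:09 +0000] "POST /wp-content/themes/thematicfeaturesite/log/templates.php?x=1 HTTP/1.1" 200 298 "-" "-"',
    '198.51.100.23 - - [01/Jan/2013:11:12:45 +0000] "POST /wp-includes/js/scriptaculous/query.js.php HTTP/1.1" 200 41 "-" "-"',
    '192.0.2.44 - - [01/Jan/2013:11:13:02 +0000] "GET /wp-includes/js/scriptaculous/query.js.php HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for (path, ip), count in odd_posts(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {ip:15s}  {path}")
```

Each reported path is a file to check against a clean copy of the theme, plugin or core release, and the earliest hit in the full logs helps date when the file first became reachable.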

    Mine has this added to the top of every .php page in my WordPress directories on multiple sites:

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    It redirects them to a broken ustream URL. WTF.

    Thank you, timeuser. I will be providing a step-by-step solution for everyone here within 15 minutes; hope it helps. This message is just to let you know that the issue was not overlooked.
    Regards.

  • The topic ‘Files being added to one of my sites’ is closed to new replies.