• Resolved obgc

    (@obgc)


    Hi,

    I am using Sucuri Security and was notified about a few new events like:

    2015-10-20 13:13 system 37.139.47.83 Page was created; identifier: 755; name: In that live ...
    2015-10-20 13:13 system 37.139.47.83 Page (private to published); identifier: 755; name: In that live ...
    2015-10-20 13:13 system 37.139.47.83 Page was created; identifier: 754; name: Another person be partly up webcam ...
    2015-10-20 13:13 system 37.139.47.83 Page (private to published); identifier: 754; name: Another person be partly up webcam ...

    Obviously some malicious code was executed. I looked into Apache log entries for that time/IP and noticed that all were POSTs to the root of the website:

    37.139.47.83 - - [20/Oct/2015:15:12:44 +0200] "POST / HTTP/1.1" 200 49 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"

    How is it possible that such a POST caused a new page to be added without logging into the system? How can I find the hole in security and eliminate it?

    Thanks
    Greg

    https://www.ads-software.com/plugins/sucuri-scanner/
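The two log sources in the post above can be lined up mechanically. The following is an added example, not code from the original post or from the Sucuri plugin: it parses Sucuri audit-log lines and Apache combined-log lines, converts both to UTC (the Sucuri timestamps are assumed to be UTC, which is consistent with the 13:13 event matching the 15:12:44 +0200 request), and for each audit event lists requests from the same IP in the minutes before it. The sample lines are constructed from the thread, with two benign filler requests added so the filter has something to reject; the window size and the minute-granularity handling are assumptions.

```python
"""Correlate Sucuri audit-log events with Apache access-log requests.

Added example; not from the original post or from Sucuri. Sample data is
constructed from the thread (Sucuri times assumed UTC; Apache lines carry
their own offset).
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data modelled on the thread.
SUCURI_EVENTS = """\
2015-10-20 13:13 system 37.139.47.83 Page was created; identifier: 755; name: In that live ...
2015-10-20 13:13 system 37.139.47.83 Page (private to published); identifier: 755; name: In that live ...
2015-10-20 13:13 system 37.139.47.83 Page was created; identifier: 754; name: Another person be partly up webcam ...
"""

APACHE_LOG = """\
37.139.47.83 - - [20/Oct/2015:15:12:44 +0200] "POST / HTTP/1.1" 200 49 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
203.0.113.9 - - [20/Oct/2015:15:12:50 +0200] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "curl/7.43.0"
37.139.47.83 - - [20/Oct/2015:09:00:01 +0200] "GET / HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
"""

SUCURI_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+\.\d+\.\d+\.\d+) (.*)$")
APACHE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"')


def parse_sucuri(text):
    """Sucuri audit lines: '<date> <time> <actor> <ip> <message>' (minute resolution)."""
    events = []
    for line in text.splitlines():
        m = SUCURI_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        events.append({"time": ts, "actor": m.group(2), "ip": m.group(3), "message": m.group(4)})
    return events


def parse_apache(text):
    """Apache combined log format; the bracketed timestamp carries its UTC offset."""
    hits = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ip": m.group(1), "time": ts, "method": m.group(3), "path": m.group(4),
                     "status": int(m.group(5)), "ua": m.group(7)})
    return hits


def correlate(events, hits, window=timedelta(minutes=2)):
    """Pair each audit event with requests from the same IP that arrived within
    `window` before it. Because Sucuri logs whole minutes, anything up to the
    end of the event's minute is also accepted."""
    matches = []
    for ev in events:
        lo = ev["time"] - window
        hi = ev["time"] + timedelta(minutes=1)
        for h in hits:
            if h["ip"] == ev["ip"] and lo <= h["time"] <= hi:
                matches.append((ev, h))
    return matches


def summarize(matches):
    """Count matched requests by (ip, method, path) to spot the delivery vector."""
    return Counter((h["ip"], h["method"], h["path"]) for _, h in matches)


if __name__ == "__main__":
    pairs = correlate(parse_sucuri(SUCURI_EVENTS), parse_apache(APACHE_LOG))
    for ev, h in pairs:
        print(f"{ev['time']:%H:%M}Z {ev['message'][:40]!r} <- {h['method']} {h['path']} "
              f"({h['time'].astimezone(timezone.utc):%H:%M:%S}Z, UA={h['ua'][:30]})")
    print(summarize(pairs))
```

On the thread's data every audit event pairs with the same unauthenticated POST to `/`, which is the signature of a backdoor that is triggered by a request body rather than by a logged-in session; the next step is to look at what code runs on every request (wp-config.php, mu-plugins, active plugins and the theme's functions.php).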

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter obgc

    (@obgc)

    Hi,

    I solved the problem. I found the malicious code in xcalendar.php which was installed as a plugin.
    Anyone who has something like that:
    /*
    Plugin Name: SEO Adviser
    Plugin URI: seoadviser .com
    Description: SEO Adviser
    Version: 1.2
    Author: Phil Smitter
    Author URI: seoadviser[dot]com
    License: GPLv2 or later
    */
    please get rid of it as soon as possible. It causes invisible pages to be inserted into your WP database. Pages usually relate to some dirty stuff that you would not normally write about :)

    Greg

    yorman

    (@yorman)

    Thanks for the report, and congratulations on finding the culprit by yourself. I need more people like you in this forum :)

    I will send this information to the Sucuri Research team and they will probably include it in the signature database used to scan malicious files. Thanks again.

    pkd

    (@peter-king-design)

    This happened to one of my sites as well and this is the only post I could find regarding this.

    I received a bunch of notifications from Sucuri, like this:

    Subject: Post Update
    Login Info: Time: June 10, 2016 9:25 am
    Website Info: Site: (redacted)
    IP Address: 37.139.47.83
    Notification: Page (private to published); identifier: 2683; name: viagra jelly
    or
    Notification: Page was created; identifier: 2683; name: viagra jelly

    Found this in my wp-config.php file:

    require_once(ABSPATH.'wp-content/plugins/estore2/estore2.php');
    require_once(ABSPATH.'wp-content/plugins/xcalendar/xcalendar.php');

    I found these files and directories in my Plugins:
    estore2
    xcalendar

    I deleted those files, reverted my wp-config, updated wp-config keys, changed site passwords.

    If anyone knows how this hack is getting in, post it here. Thanks!
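The two indicators reported in this thread (extra require_once lines in wp-config.php, and plugin files carrying the "SEO Adviser" header) can be checked for with a short script. The following is an added example, not code from the posters or from Sucuri: it flags any ABSPATH-relative include in wp-config.php other than the stock wp-settings.php line, and walks wp-content/plugins for PHP files whose header fields match the strings quoted above. The demo() function builds a constructed directory tree mirroring what the posters found (plus one benign plugin) and runs both checks against it; the marker list and the assumption that a clean wp-config.php includes only wp-settings.php are mine.

```python
"""Triage checks for the wp-config.php include / rogue-plugin pattern in this
thread. Added example; not from the original posts or from Sucuri. The file
contents used by demo() are constructed from what the posters reported.
"""
import os
import re
import shutil
import tempfile

# Match require/include of an ABSPATH-relative file, e.g.
#   require_once(ABSPATH.'wp-content/plugins/xcalendar/xcalendar.php');
INCLUDE_RE = re.compile(
    r"""(?:require|include)(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['"]([^'"]+)['"]""")
# A stock wp-config.php pulls in only wp-settings.php (assumption used as baseline).
EXPECTED_INCLUDES = {"wp-settings.php"}

# Header fields quoted in the thread for the rogue "SEO Adviser" plugin.
HEADER_MARKERS = {
    "Plugin Name": re.compile(r"SEO Adviser", re.I),
    "Author": re.compile(r"Phil Smitter", re.I),
    "Author URI": re.compile(r"seoadviser", re.I),
}
HEADER_FIELD_RE = re.compile(r"^\s*\*?\s*([A-Za-z ]+):\s*(.+?)\s*$", re.M)


def unexpected_includes(config_text):
    """Return every ABSPATH-relative include in wp-config.php that is not the
    stock wp-settings.php line. Anything under wp-content/ here is a red flag."""
    return [p for p in INCLUDE_RE.findall(config_text) if p not in EXPECTED_INCLUDES]


def plugin_header(php_text):
    """Parse the first block comment of a plugin file into {field: value}."""
    m = re.search(r"/\*(.*?)\*/", php_text, re.S)
    if not m:
        return {}
    return {k.strip(): v for k, v in HEADER_FIELD_RE.findall(m.group(1))}


def flag_plugins(plugins_dir):
    """Walk wp-content/plugins and report PHP files whose header matches one of
    HEADER_MARKERS. Returns {path relative to plugins_dir: [matched fields]}."""
    flagged = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                header = plugin_header(fh.read(4096))  # header sits at the top
            hits = [f for f, rx in HEADER_MARKERS.items()
                    if f in header and rx.search(header[f])]
            if hits:
                flagged[os.path.relpath(path, plugins_dir)] = hits
    return flagged


def demo():
    """Build a constructed wp-content tree in a temp dir (modelled on the
    thread) and run both checks. Returns (unexpected includes, flagged plugins)."""
    tmp = tempfile.mkdtemp(prefix="wp-triage-")
    try:
        plugins = os.path.join(tmp, "wp-content", "plugins")
        os.makedirs(os.path.join(plugins, "xcalendar"))
        os.makedirs(os.path.join(plugins, "sample-plugin"))
        with open(os.path.join(plugins, "xcalendar", "xcalendar.php"), "w") as fh:
            fh.write("<?php\n/*\nPlugin Name: SEO Adviser\nPlugin URI: seoadviser .com\n"
                     "Description: SEO Adviser\nVersion: 1.2\nAuthor: Phil Smitter\n"
                     "Author URI: seoadviser[dot]com\nLicense: GPLv2 or later\n*/\n")
        with open(os.path.join(plugins, "sample-plugin", "sample-plugin.php"), "w") as fh:
            fh.write("<?php\n/*\nPlugin Name: Sample Plugin\nAuthor: Site Owner\n*/\n")
        config = ("<?php\n"
                  "require_once(ABSPATH.'wp-content/plugins/estore2/estore2.php');\n"
                  "require_once(ABSPATH.'wp-content/plugins/xcalendar/xcalendar.php');\n"
                  "require_once(ABSPATH . 'wp-settings.php');\n")
        return unexpected_includes(config), flag_plugins(plugins)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    includes, flagged = demo()
    print("unexpected includes in wp-config.php:", includes)
    print("plugin files matching thread markers:", flagged)
```

Against a real install, run unexpected_includes() on the site's wp-config.php and flag_plugins() on its wp-content/plugins directory; a clean site returns an empty list and an empty dict. The header markers only catch this particular family, so treat any non-empty include list as the stronger signal and inspect whatever it points at regardless of how its header reads.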

  • The topic ‘Page was created; identifier:’ is closed to new replies.