WordPress got hacked here, wp-includes/user.php and theme got changed
Hello all,
I just noticed that WordPress got hacked here on several installations. All run the current WP version.
Here is what got changed; maybe I will find more.
wp-includes/user.php, this block got inserted after line 108:
[Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]
This gets updated often. The Apache log shows this, for example:
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:01:07:58 +0100] "GET / HTTP/1.1" 200 152014 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:01 +0100] "GET /wp-login.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:03 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:04 +0100] "GET /wp-admin/ HTTP/1.1" 200 134951 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:34 +0100] "GET /wp-admin/theme-editor.php?file=header.php&theme=hot-chilli HTTP/1.1" 200 64428 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:35 +0100] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:36 +0100] "GET /wp-admin/theme-editor.php?file=header.php&theme=hot-chilli&scrollto=0&updated=true HTTP/1.1" 200 72711 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:37 +0100] "GET / HTTP/1.1" 200 241077 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:38 +0100] "GET /wp-admin/theme-editor.php?file=header.php&theme=hot-chilli HTTP/1.1" 200 72247 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:39 +0100] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:39 +0100] "GET /wp-admin/theme-editor.php?file=header.php&theme=hot-chilli&scrollto=0&updated=true HTTP/1.1" 200 64892 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:40 +0100] "GET /wp-admin/ HTTP/1.1" 200 134951 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:56 +0100] "GET /wp-login.php?action=logout&_wpnonce=dae5b8d308 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:56 +0100] "GET /wp-login.php?loggedout=true HTTP/1.1" 200 3289 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:14:22 +0100] "GET / HTTP/1.1" 200 152036 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:22:50:31 +0100] "GET / HTTP/1.1" 200 152041 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
So I started by replacing ALL WordPress files with their originals. Also I am changing passwords for all users and will install a watchdog which checks on changed files from outside the sealed web container.
Is this a known hack? I googled but was not very successful.
Any suggestions on how to get my site clean again?
Cheers,
Martin
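An added example, not part of the post and not WordPress code: a small Python detector that walks Apache combined-format log lines like the excerpt above and flags a host that writes a theme file through theme-editor.php after a successful wp-login.php login, which is the sequence visible in Martin's log. The sample log is constructed from that excerpt, with the user agent shortened and a benign second client (203.0.113.7, a documentation address) added.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format, the layout used in the post's excerpt.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Constructed sample, adapted from the post's excerpt (user agent shortened, one benign host added).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2012:18:59:00 +0100] "GET / HTTP/1.1" 200 152014 "-" "Mozilla/5.0"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:01 +0100] "GET /wp-login.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:03 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:34 +0100] "GET /wp-admin/theme-editor.php?file=header.php&theme=hot-chilli HTTP/1.1" 200 64428 "-" "Mozilla/5.0"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:35 +0100] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
2.6.207.91.unknown.steephost.net - - [10/Nov/2012:19:04:56 +0100] "GET /wp-login.php?action=logout&_wpnonce=dae5b8d308 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_theme_edits_after_login(log_text):
    """Return (host, time, theme, file) for each theme-editor write (POST) that follows
    a successful login (POST /wp-login.php answered with 302) from the same host.
    The edited theme/file only appears on the preceding GET, so it is remembered per host."""
    logged_in = set()
    last_target = {}  # host -> (theme, file) seen on the last theme-editor GET
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        url = urlparse(e["url"])
        host, path = e["host"], url.path
        if e["method"] == "POST" and path == "/wp-login.php" and e["status"] == "302":
            logged_in.add(host)
        elif path == "/wp-admin/theme-editor.php":
            if e["method"] == "GET":
                q = parse_qs(url.query)
                last_target[host] = (q.get("theme", ["?"])[0], q.get("file", ["?"])[0])
            elif e["method"] == "POST" and host in logged_in:
                theme, fname = last_target.get(host, ("?", "?"))
                findings.append((host, e["time"], theme, fname))
        elif path == "/wp-login.php" and "action=logout" in url.query:
            logged_in.discard(host)  # session ended; later writes need a new login
    return findings

if __name__ == "__main__":
    for host, when, theme, fname in find_theme_edits_after_login(SAMPLE_LOG):
        print(f"{when}: {host} wrote {theme}/{fname} via the theme editor")
```

Disabling the built-in file editor (DISALLOW_FILE_EDIT in wp-config.php) removes this write path entirely, so any later hit on theme-editor.php becomes a signal on its own.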