Forum Replies Created

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter cdmarine (@cdmarine)

    Here are a few representative samples:

    66.147.242.150 - - [17/Jan/2010:10:11:57 -0700] "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 200 312 "-" "WordPress/2.9.1; https://{MySiteURL}"
    66.147.242.150 - - [17/Jan/2010:10:11:58 -0700] "GET {File_1.jpg} HTTP/1.0" 200 147310 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:11:58 -0700] "GET {File_1.jpg} HTTP/1.0" 200 147310 "-" "-"
    67.210.218.88 - - [17/Jan/2010:10:11:57 -0700] "GET {BlogPostThatCallsFile_1}/ HTTP/1.0" 200 18686 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_1.jpg} HTTP/1.0" 200 147310 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_1.jpg} HTTP/1.0" 200 147310 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_1.jpg} HTTP/1.0" 200 147310 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_1.jpg} HTTP/1.0" 200 147310 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_2.jpg} HTTP/1.0" 200 80884 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_2.jpg} HTTP/1.0" 200 80884 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_2.jpg} HTTP/1.0" 200 80884 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_2.jpg} HTTP/1.0" 200 80884 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_3.jpg} HTTP/1.0" 200 66663 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_3.jpg} HTTP/1.0" 200 66663 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_3.jpg} HTTP/1.0" 200 66663 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_3.jpg} HTTP/1.0" 200 66663 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_4.jpg} HTTP/1.0" 200 131329 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_4.jpg} HTTP/1.0" 200 131329 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_4.jpg} HTTP/1.0" 200 131329 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_4.jpg} HTTP/1.0" 200 131329 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_5.jpg} HTTP/1.0" 200 112541 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_5.jpg} HTTP/1.0" 200 112541 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_5.jpg} HTTP/1.0" 200 112541 "-" "-"
    66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET {File_5.jpg} HTTP/1.0" 200 112541 "-" "-"

    This goes on and on and on, with each file getting hit 4 times in rapid succession.

    And, here’s an interesting bit where two different IPs are pretty clearly operating together:

    66.147.242.150 - - [17/Jan/2010:11:33:55 -0700] "GET {File_25.jpg} HTTP/1.0" 200 141375 "-" "-"
    66.147.242.150 - - [17/Jan/2010:11:33:55 -0700] "GET {File_25.jpg} HTTP/1.0" 200 141375 "-" "-"
    75.17.127.35 - - [17/Jan/2010:11:33:53 -0700] "GET /{BlogPostThatCallsFile_25}/ HTTP/1.1" 200 5213 "https://images.google.com/imgres?imgurl=https://{MySiteURL}{File_25.jpg}&imgrefurl=https://{MySiteURL}/{BlogPostThatCallsFile_25}/&usg=__A6g9h9Dv7eUA94SLKeFrvOELmto=&h=333&w=500&sz=138&hl=en&start=14&um=1&tbnid=xsI7Sgy1Jd_V4M:&tbnh=87&tbnw=130&prev=/images%3Fq%3Drussian%2Bteacakes%26ndsp%3D20%26hl%3Den%26rls%3Dcom.microsoft:en-us:IE-Address%26rlz%3D1I7GGLL_en%26sa%3DN%26um%3D1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    75.17.127.35 - - [17/Jan/2010:11:33:55 -0700] "GET {File_25.jpg} HTTP/1.1" 200 141412 "https://images.google.com/imgres?imgurl=https://{MySiteURL}{File_25.jpg}&imgrefurl=https://{MySiteURL}/{BlogPostThatCallsFile_25}/&usg=__A6g9h9Dv7eUA94SLKeFrvOELmto=&h=333&w=500&sz=138&hl=en&start=14&um=1&tbnid=xsI7Sgy1Jd_V4M:&tbnh=87&tbnw=130&prev=/images%3Fq%3Drussian%2Bteacakes%26ndsp%3D20%26hl%3Den%26rls%3Dcom.microsoft:en-us:IE-Address%26rlz%3D1I7GGLL_en%26sa%3DN%26um%3D1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    75.17.127.35 - - [17/Jan/2010:11:33:56 -0700] "GET /favicon.ico HTTP/1.1" 404 3652 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    66.147.242.150 - - [17/Jan/2010:11:34:00 -0700] "GET {File_25.jpg} HTTP/1.0" 200 141375 "-" "-"
    66.147.242.150 - - [17/Jan/2010:11:34:00 -0700] "GET {File_25.jpg} HTTP/1.0" 200 141375 "-" "-"
    75.17.127.35 - - [17/Jan/2010:11:33:59 -0700] "GET /{BlogPostThatCallsFile_25}/ HTTP/1.1" 200 5213 "https://images.google.com/imgres?imgurl=https://{MySiteURL}{File_25.jpg}&imgrefurl=https://{MySiteURL}/{BlogPostThatCallsFile_25}/&usg=__A6g9h9Dv7eUA94SLKeFrvOELmto=&h=333&w=500&sz=138&hl=en&start=14&um=1&tbnid=xsI7Sgy1Jd_V4M:&tbnh=87&tbnw=130&prev=/images%3Fq%3Drussian%2Bteacakes%26ndsp%3D20%26hl%3Den%26rls%3Dcom.microsoft:en-us:IE-Address%26rlz%3D1I7GGLL_en%26sa%3DN%26um%3D1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    75.17.127.35 - - [17/Jan/2010:11:34:00 -0700] "GET /wp-includes/js/comment-reply.js?ver=20090102 HTTP/1.1" 200 1172 "https://{MySiteURL}/{BlogPostThatCallsFile_25}/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    75.17.127.35 - - [17/Jan/2010:11:34:00 -0700] "GET /wp-content/plugins/sociable/sociable.css?ver=abc HTTP/1.1" 200 1224 "https://{MySiteURL}/{BlogPostThatCallsFile_25}/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    75.17.127.35 - - [17/Jan/2010:11:34:00 -0700] "GET /wp-content/themes/thesis_151/layout.css?112209-61142 HTTP/1.1" 200 14117 "https://{MySiteURL}/{BlogPostThatCallsFile_25}/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    75.17.127.35 - - [17/Jan/2010:11:34:00 -0700] "GET /wp-content/themes/thesis_151/custom/custom.css?102809-81031 HTTP/1.1" 200 2763 "https://{MySiteURL}/{BlogPostThatCallsFile_25}/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    75.17.127.35 - - [17/Jan/2010:11:34:00 -0700] "GET /wp-content/themes/thesis_151/style.css?061109-50649 HTTP/1.1" 200 375 "https://{MySiteURL}/{BlogPostThatCallsFile_25}/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    75.17.127.35 - - [17/Jan/2010:11:34:00 -0700] "GET /wp-content/themes/thesis_151/lib/css/ie.css HTTP/1.1" 200 372 "https://{MySiteURL}/{BlogPostThatCallsFile_25}/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
    75.17.127.35 - - [17/Jan/2010:11:34:00 -0700] "GET /wp-content/plugins/wp-spamfree/js/wpsf-js.php HTTP/1.1" 200 0 "https://{MySiteURL}/{BlogPostThatCallsFile_25}/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

    So… any ideas what this is and how to stop it?
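One way to check a full log for the pattern described in the post, as an added example that is not from the thread: parse Apache combined-format lines, flag any client that requests the same path four or more times inside a short window, and list every client that fetched a given file with its referer and User-Agent, so a burst source can be compared with ordinary browser traffic. The sample lines are constructed to mirror the post, and the four-hit, two-second thresholds are assumptions to tune per site.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format, as in the lines quoted above.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample modelled on the post: one client fetches an image four times in a second with no User-Agent.
SAMPLE = """\
66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET /file_1.jpg HTTP/1.0" 200 147310 "-" "-"
66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET /file_1.jpg HTTP/1.0" 200 147310 "-" "-"
66.147.242.150 - - [17/Jan/2010:10:15:09 -0700] "GET /file_1.jpg HTTP/1.0" 200 147310 "-" "-"
66.147.242.150 - - [17/Jan/2010:10:15:10 -0700] "GET /file_1.jpg HTTP/1.0" 200 147310 "-" "-"
75.17.127.35 - - [17/Jan/2010:10:15:11 -0700] "GET /file_1.jpg HTTP/1.1" 200 141412 "https://images.google.com/imgres?q=x" "Mozilla/4.0 (compatible; MSIE 8.0)"
""".splitlines()

def records(lines):
    """Parsed records for the lines that match LOG_RE; lines that do not parse are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def find_bursts(lines, min_hits=4, window=timedelta(seconds=2)):
    """{(ip, path): total hits} for every client/path pair requested >= min_hits times within `window`."""
    stamps = {}
    for rec in records(lines):
        stamps.setdefault((rec["ip"], rec["path"]), []).append(rec["ts"])
    bursts = {}
    for key, ts in stamps.items():
        ts.sort()
        j = 0  # sliding window: ts[j..i] all lie within `window` of each other
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= min_hits:
                bursts[key] = len(ts)
                break
    return bursts

def clients_for(lines, path):
    """Distinct (ip, referer, user_agent) that fetched `path`, to compare a burst source with browser traffic."""
    seen = {}
    for rec in records(lines):
        if rec["path"] == path:
            seen.setdefault(rec["ip"], (rec["ip"], rec["referer"], rec["ua"]))
    return list(seen.values())
```

Run `find_bursts(open("access.log"))` on the real file to get the offending client/path pairs, then `clients_for` on one flagged path to see who else fetched it and from where.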

    You may need to flush the rewrite rules after registering the taxonomy.

    Add these two lines after the
    register_taxonomy( $taxonomy['name'], 'post', array( 'hierarchical' => false, 'label' => $taxonomy['label'], 'query_var' => true, 'rewrite' => true ) );
    line in the yoast_simple_taxonomies function.

    global $wp_rewrite;
    $wp_rewrite->flush_rules();

    These lines are needed only once, to flush the rewrite rules. You can remove them later.

    This worked for me.

    Forum: Fixing WordPress
    In reply to: WordPress hacked

    Oh, and just for reference again…

    Each time it has happened, I have checked for the creation of new users, and that has not happened. However they’re continuing to get in, it’s not by creating a new user (they do helpfully change my password for me, though!).

    And my password this last time was just a bunch of random characters, so it’s unlikely they’re just cracking passwords.

    Forum: Fixing WordPress
    In reply to: WordPress hacked

    I would like some clarification on changing the database prefix. These are the instructions listed at https://semperfiwebdesign.com/documentation/wp-security-scan/change-wordpress-database-table-name-prefix/ :

    1. backup your wordpress database to a sql file (you can use phpmyadmin)
    2. open that *.sql file (make another copy first) using text editor, then find and replace all "wp_" prefix to "something_".
    3. now, drop all tables of your wordpress databases (don’t drop the database)
    4. import the *.sql file which has been edited before into your wordpress databases.
    5. and lastly, edit your wp-config.php file and change the $table_prefix = 'wp_'; to $table_prefix = 'something_';
    6. you may find that your plugins are deactivated automatically when this happens, so you’ll want to activate them again if that’s the case… I’d recommend deactivating them prior to doing this anyway as a precaution.

    Can someone please explain to me what “drop all tables” means? Does that mean “delete”?

    I’m desperate here. I’ve been hacked repeatedly, and I’m at the end of my rope. I installed the WP Security Scan plugin and it tells me the only things wrong with my installation are that my prefixes are still set to “wp_” and that “file .htaccess does not exist in wp-admin/”.

    Can someone tell me what the latter means, and what I should do about it? And please feel free to speak to me like I’m a 5-year-old, because I really do not know what I’m doing with this stuff.

    For your reference, here’s what’s been happening, and here’s what I’m using:

    Problem:
    Repeatedly hacked by a group called “Red Virus.” They appear to only be messing with the theme header.php file. They don’t appear to be redirecting, or causing any other nefarious stuff to happen. It appears to be just changing the look of the page for attention and giggles. I say “appears” because I don’t know jack about any of this, and God knows how they got in in the first place, so who knows what else they might have done elsewhere in my files.

    WordPress Version
    WP 2.7.1 (up to date)

    Theme:
    Atahualpa 3.2 (up to date)

    Plugins:
    Official StatCounter Plugin 1.0 (up to date)
    Sociable 3.1.1 (up to date)
    WP-Spamfree 2.0.0.6 (up to date)
    WP Security Scan 2.4 (up to date)

    Inactive Plugins:
    Addmarx 1.1.7
    Akismet 2.2.3
    Hello Dolly 1.5

    I should add, I suppose… I’m running 2.7.1, so shouldn’t be an “old version” issue.

    I had the same thing happen to me this morning. I contacted my host and had my passwords reset. The compromised file (at least the one I’ve found so far) was the theme’s header file. I deleted the theme’s entire directory and re-uploaded a fresh copy.

    I have not yet found any other compromised files, but I also don’t have the expertise to know what the hell I’m looking for either.

    The thing that concerns me is not knowing how they got access in the first place. I’m kind of hoping it was just a cracked password, but my fear is that there’s some backdoor hanging open that I can’t find because I don’t know what to look for.

    Also, something weird:

    Despite deleting the entire directory for the theme, when I uploaded and activated the fresh copy, it had retained all of the optional tweaks I had made (e.g., blockquote formatting, etc.).

    How is this possible? Are those things saved elsewhere (outside of the theme’s directory)? If so, how is it that you can activate another theme, and those settings are (obviously) all different, appropriate to the new theme?

    I ask because I’m just afraid I may have missed deleting something that I should have deleted when I was deleting the theme.
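A check for the worry in this post (other altered files, or files that should not be there): compare the installed theme directory against a freshly downloaded copy of the same theme version, file by file. This is an added example, not code from the thread; the directory names and file contents in `demo()` are constructed, and `compare_trees()` takes any two directories.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digests(root):
    """{relative path: sha256} for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = file_digest(full)
    return out

def compare_trees(installed, pristine):
    """Split the installed tree into files that are modified, added (absent from
    the pristine copy, e.g. a dropped-in script), or missing, relative to pristine."""
    a, b = tree_digests(installed), tree_digests(pristine)
    return {
        "modified": sorted(p for p in a if p in b and a[p] != b[p]),
        "added": sorted(p for p in a if p not in b),
        "missing": sorted(p for p in b if p not in a),
    }

def demo():
    """Constructed example: a pristine theme next to an installed copy whose
    header.php was altered and which gained an extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = os.path.join(tmp, "theme-fresh")
        installed = os.path.join(tmp, "theme-installed")
        for root in (pristine, installed):
            os.makedirs(root)
            with open(os.path.join(root, "style.css"), "w") as f:
                f.write("/* theme stylesheet */\n")
            with open(os.path.join(root, "header.php"), "w") as f:
                f.write("<?php wp_head(); ?>\n")
        with open(os.path.join(installed, "header.php"), "a") as f:
            f.write("<!-- altered line -->\n")
        with open(os.path.join(installed, "extra.php"), "w") as f:
            f.write("<?php // file not present in the fresh copy\n")
        return compare_trees(installed, pristine)
```

The same comparison works for the WordPress core and plugin directories against fresh downloads of the same versions; theme settings of the kind mentioned above live in the database (the wp_options table) rather than in the theme directory, which is why they survive re-uploading the theme and why a file comparison alone does not cover them.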
