cipals15

@esmi: Do you have any idea on when will they update it to meet PageSpeed criteria?

I also have the same question?

Any help would be appreciated.

What should I do if advanced-cache.php isn’t there?

Ok. I thought it was the cause of the recent error 500 Internal Server Error.

Googling is a friend.

Regards,
cipals15

Thanks. I haven’t seen that part before. ??

Ok. I have already sent it to your email.

Please get back to me for possible discoveries. Our IT team was also interested with the file. Weirdos! LOL…

UPDATE:

Found the possible backdoor file. ( .nfs00000000010fea6a000647f3 ) Please confirm if this is a malicious file or a false positive.

I have grabbed a copy and deleted the file on the server.

It might be an important WordPress file.

I have contacted them. They said they have run a script to remove it. However, there were remnants of the attack that i have seen which i think was not deleted by script they used.

A certain file in the cache folder so i deleted it immediately. That’s the same file i found to be malicious on wp-includes/ folder.

Anyway, i love doing it the hardway. I will learn alot through it. Thanks for the hack report. Yeah. You were ‘no. 1’ in search results.

I have found some of those POST logs:

a. 97.74.180.1 – – [02/Nov/2010:00:10:04 -0700] “POST sugod.com/lyrics/wp-cron.php?doing_wp_cron HTTP/1.0” 200 – “-” “WordPress/3.0.1; https://sugod.com/lyrics”

b. 97.74.180.1 – – [02/Nov/2010:00:24:33 -0700] “POST sugod.com/lyrics/wp-cron.php?doing_wp_cron HTTP/1.0” 200 – “-” “WordPress/3.0.1; https://sugod.com/lyrics”

c. 97.74.180.1 – – [02/Nov/2010:00:27:57 -0700] “POST sugod.com/lyrics/wp-cron.php?doing_wp_cron HTTP/1.0” 200 – “-” “WordPress/3.0.1; https://sugod.com/lyrics”

d. 97.74.180.1 – – [02/Nov/2010:00:34:59 -0700] “POST sugod.com/wp-cron.php?doing_wp_cron HTTP/1.0” 200 – “-” “WordPress/3.0.1; https://sugod.com”

e. 97.74.180.1 – – [02/Nov/2010:00:36:28 -0700] “POST sugod.com/wp-cron.php?doing_wp_cron HTTP/1.0” 200 – “-” “WordPress/3.0.1; https://sugod.com”

With these samples. It seemed that wp-cron is doing something. Please further explain this. Thanks.

Hmm.. Can you send the link to the ‘messed up’ post? Thanks.

I recommend using Firefox add-on named: “Firebug” which helps you analyze HTML files easily through some visualization improvement.

Link here: https://addons.mozilla.org/en-US/firefox/addon/1843/

Thanks.

Here is a chunk of the log file:

97.74.180.1 – – [02/Nov/2010:23:58:24 -0700] “POST sugod.com/wp-cron.php?doing_wp_cron HTTP/1.0” 200 – “-” “WordPress/3.0.1; https://sugod.com”

125.5.38.115 – – [02/Nov/2010:23:58:23 -0700] “GET sugod.com/actor-kirk-abella-mistakenly-shot-dead-in-cebu/ HTTP/1.1” 200 17730 “https://www.google.com.ph/search?client=firefox-a&rls=org.mozilla:en-US:official&channel=s&hl=tl&q=Kirk+Abella&um=1&biw=1280&bih=857&ie=UTF-8&sa=N&tab=iw” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 ( .NET CLR 3.5.30729)”

125.5.38.115 – – [02/Nov/2010:23:58:26 -0700] “GET sugod.com/wp-content/themes/arthemia/style.css HTTP/1.1” 200 10608 “https://sugod.com/actor-kirk-abella-mistakenly-shot-dead-in-cebu/” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 ( .NET CLR 3.5.30729)”

Please explain what do each division do represent.. or any information you know with this log file. Thanks.

The logs only showed an IP address, a date, and GET as well as URL. Which of these should I look into? What pattern or movements should I watch?

Its a very long list and i don’t have the luxury of time to go through all of it.

Hoping to have a good input from you.

Thanks.

UPDATE:

Its spreading fast. Yes. It had affected all PHP files not only in my WP. Is it a GoDaddy-wide outbreak? or had it affected other webhosting companies?

I think this class=”p3-insert-all size-full alignnone” is giving the problem.

As a solution, replace it with:

style=”float: left;”

That’s one great story. LOL! But i realized the previous attack was solved by GoDaddy. Where i just woke up and saw a clean WordPress Install.

Now, i’m trying my very best to find the culprit and protect my existing wordpress Install.

I have learned alot because of this attack. I mean alot that i will treasure for the rest of my life.

To those who are currently solving the problem. please post what you find out in your wordpress powered site. I can’t find any other malicious things except those.

I’m currently going through on how to use Firefox’s Live HTTP Headers. Maybe it’ll help.