Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
    Thread Starter daggerbox

    (@daggerbox)

    This infection came back this week, even after updating to WP 3.1. I followed all the clean-up steps including the step for setting up a Google Alert which notified me.

    Looking at the logs, I see some suspicious posts.

    "POST /blog/xmlrpc.php HTTP/1.0" 200 483 "-" "The Incutio XML-RPC PHP Library — WordPress/3.0.4"

    "POST /blog/wp-login.php HTTP/1.1" 200 3437 "https://www.forthgo.com/blog/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"

    "POST /blog/wp-content/themes/classic/functions.php HTTP/1.1" 404 4451 "-" "-"

    "POST /blog/wp-content/plugins/syntaxhighlighter/wp-syntaxhighlighter.php HTTP/1.1" 200 189 "-" "-"

    I assume the login attempts failed since they weren’t followed by access to admin pages like my logins are. The classic/functions post failed because I removed that theme. I did have syntaxhighlighter installed, so maybe that was the entry path.

    Question: is it possible for me to log the POST data so I can see just what is going on with those suspicious posts in the future?
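One way to sift an Apache access log for the request patterns described in the post above, as an added example that is not part of the original thread. It parses combined-format lines and flags direct POSTs to plugin or theme PHP files, POSTs to xmlrpc.php, and wp-login.php POSTs not followed by wp-admin activity from the same address (the poster's own test for a failed login); the IP addresses, timestamps and the last two sample lines are constructed, the other fields copy the quoted log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: request/status/referer/agent come from the quoted lines; the IPs,
# timestamps and the last two lines (a normal login followed by wp-admin) are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2011:10:00:01 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 483 "-" "The Incutio XML-RPC PHP Library -- WordPress/3.0.4"
203.0.113.7 - - [10/Mar/2011:10:00:05 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3437 "https://www.forthgo.com/blog/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
203.0.113.7 - - [10/Mar/2011:10:00:09 +0000] "POST /blog/wp-content/themes/classic/functions.php HTTP/1.1" 404 4451 "-" "-"
203.0.113.7 - - [10/Mar/2011:10:00:12 +0000] "POST /blog/wp-content/plugins/syntaxhighlighter/wp-syntaxhighlighter.php HTTP/1.1" 200 189 "-" "-"
198.51.100.4 - - [10/Mar/2011:11:30:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "https://www.forthgo.com/blog/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2011:11:30:02 +0000] "GET /blog/wp-admin/ HTTP/1.1" 200 21000 "https://www.forthgo.com/blog/wp-login.php" "Mozilla/5.0"
"""

def parse(log_text):
    # Lines that do not match the combined format are skipped rather than guessed at
    recs = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    for r in recs:
        r["ts"] = datetime.strptime(r["ts"], TS_FMT)
    return recs

def find_suspicious(records, login_window=timedelta(minutes=5)):
    # Returns (ip, path, reason) tuples; requests are grouped per client address
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["method"] != "POST":
                continue
            path = r["path"].split("?", 1)[0]
            if re.search(r"/wp-content/(plugins|themes)/.*\.php$", path):
                # Normal traffic goes through index.php, wp-admin/ or admin-ajax.php, not here
                findings.append((ip, path, "direct POST to plugin/theme PHP file"))
            elif path.endswith("/xmlrpc.php"):
                findings.append((ip, path, "xmlrpc.php POST, verify the calling client"))
            elif path.endswith("/wp-login.php"):
                # The poster's heuristic: a real login is followed by wp-admin page loads
                admin_after = any("/wp-admin" in later["path"] and later["ts"] - r["ts"] <= login_window
                                  for later in recs[i + 1:])
                if not admin_after:
                    findings.append((ip, path, "login POST with no wp-admin access afterwards"))
    return findings
```

Run `find_suspicious(parse(SAMPLE_LOG))` to get the four flagged requests from the first address; the constructed normal login from the second address is not reported.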

    Thread Starter daggerbox

    (@daggerbox)

    It was the WordPress Pharma hack.

    Thread Starter daggerbox

    (@daggerbox)

    A fresh copy of WP removed the infection. I still don’t know what the problem was since I haven’t identified any difference between the old and new files.

    Thread Starter daggerbox

    (@daggerbox)

    Thanks for looking. I was thinking the upgrade would at least give me fresh clean copies of all the PHP/JS files. That does seem to be the case, based on a folder compare with a fresh download. The only differences were:

    • plugins, now disabled
    • themes, now deleted except for 2010
    • .htaccess, deleted then restored after post urls broke
    • uploaded image files (I know code can be hidden here, but surely a real code file is needed to access it).
    • wp-config.php, only 1 secret key instead of 7 but calling same wp-settings.php
    • 16 misc files, mostly in tinymce and swfupload, now deleted

    Still compromised. Could it be something in my host’s apache setup that got hacked? (Though my non-blog pages aren’t compromised.)

    I don’t see anything strange in the database, but code can’t be initiated from there, can it?
