Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • The hack I believe used a vulnerability in the wp-admin/theme-editor.php. Luckily, we have a script that checks for code changes, and caught the exploit within a half hour of the attack. The logs from our site that was hacked had this in the logs:

    194.110.162.79 - - [15/Apr/2008:14:40:02 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:03 -0700] "GET /wp-login.php?redirect_to=%2Fwp-admin%2Ftheme-editor.php%3Ffile%3Dwp-content%2Fthemes%2Fdefault%2Findex.php%26theme%3DWordPress%2BDefault HTTP/1.1" 200 2043 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:03 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 200 9620 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:04 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:04 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default&a=te HTTP/1.1" 200 9832 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:05 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:06 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 7895 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:07 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:08 -0700] "GET /wp-login.php HTTP/1.1" 200 1835 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

    Both sites had the WordPress and WordPressx user added to the wp-users table. Neither had a wp-info.txt luckily, but many of the .giff and .pngg’s were found. There were also 2 files in the /tmp/ directory numbered 1 and 2 with full directory listings of the sites. We immediately launched a “Deny any” on the theme-editor.php files to prevent further attacks using this method and cleaned up what we could find.
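    The sequence in that excerpt (a POST to wp-admin/theme-editor.php naming a theme file, then a request from the same address to that very file a second later) can be turned into a log-review rule. The script below is an added example, not the poster's change-checking script; the sample lines are copied from the excerpt above with the User-Agent shortened and one unrelated request from a constructed address added.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Sample lines: three taken from the excerpt in the post above (User-Agent shortened),
# plus one constructed benign request from another address for contrast.
SAMPLE_LOG = """\
194.110.162.79 - - [15/Apr/2008:14:40:02 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0"
194.110.162.79 - - [15/Apr/2008:14:40:04 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0"
194.110.162.79 - - [15/Apr/2008:14:40:05 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Apr/2008:15:01:10 -0700] "GET /wp-content/themes/default/index.php HTTP/1.1" 200 7895 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "METHOD target PROTOCOL", status, ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return the fields this rule needs from one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "target": target, "status": int(status)}


def find_theme_editor_writes(log_text, window=timedelta(minutes=5)):
    """Flag a POST to theme-editor.php followed, from the same IP and within `window`,
    by a request to the file named in its `file=` parameter (the edited theme file)."""
    edits = {}  # ip -> list of (time of the edit POST, path of the edited file)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if rec["method"] == "POST" and parts.path.endswith("/wp-admin/theme-editor.php"):
            edited = parse_qs(parts.query).get("file", [None])[0]
            if edited:
                edits.setdefault(rec["ip"], []).append((rec["time"], "/" + edited.lstrip("/")))
            continue
        for when, path in edits.get(rec["ip"], []):
            if parts.path == path and timedelta(0) <= rec["time"] - when <= window:
                hits.append((rec["ip"], path, rec["method"], rec["time"].isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_theme_editor_writes(SAMPLE_LOG):
        print("edited theme file requested shortly after save:", hit)
```

    A hit is only a prompt to diff the named file against a known-good copy; a legitimate administrator previewing a saved edit produces the same pattern.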

    Thread Starter indigothirdeye

    (@indigothirdeye)

    Like I said, this is content meant to be outside of WordPress. I manually created those directories, and created that index.php for other purposes. All plugins were disabled for the upgrade, and have not been re-enabled as of yet, and I only have a few to begin with like Akismet, WP-DB-backup, and ZenPress (not affiliated with the images directory).

    Basically, the index.php is a file that does a real basic list of the files in that directory, in this case, images. It adds downloading functionality and some other stuff custom for the site. In no way is that page or index.php called to from WordPress.

    The page mentioned uses a

    function translate($string)

    which seems to be interfering with the WordPress

    function translate($text, $domain) {
    	global $l10n;

    in the l10n.php file, but like I said, this shouldn't have anything to do with WordPress, and why they are even trying to do anything together is beyond me. It worked fine with 2.1.3, but not 2.2.
