Thank you both for your quick responses.
@swansonphotos, I do appreciate the unlikelihood (and how many installs of this there probably are), but it’s possible this exploit hasn’t been shared. I am going to restore the site again, and do 2 experiments where 1) I make a change to one of the entry points I suspect 2) if it happens again, I’ll need to figure out how to capture the info being passed in. Not sure if it’s possible with my host.
I’ll report my findings either way.
@geoffreyshilling, yes I do, thank you. I have a clean dev version of the site, db & files, created locally so no chance of infection. It’s easy to restore, but still annoying.
I suspect I actually need to change hosts. The log entries in iThemes leading up to the site compromise included what looks like full paths of various other accounts on this shared host. That would indicate an escalation of privileges to obtain that info. If that’s true, then nothing I do will help.
This reply was modified 8 years ago by ipfreely.