Andrey "Rarst" Savchenko

Forum Replies Created

Viewing 5 replies - 61 through 65 (of 65 total)

  • Update.

    Today I caught login attempt from hacker in exactly same way, IP block prevented him from going into admin.

    Half an hour later my database disappeared. ??

    Got hit by similar iframe attack today.

    Damage:
    1. Got iframe inserts in root index.php (possibly more, quickly overwrote with clean WP install)

    2. Got hidden and very obscured PHP backdoor in WP plugins dir, “blog” sub-dir. Check for this people! I would’ve missed it if I wasn’t very thorough and checking everything few times – it didn’t show in installed plugins.

    What can I say about method:
    1. There was no FTP involved, FTP log is absolutely clean as far as it goes.
    2. I don’t believe my home PC was compromised (confident me).
    3. I had found actual intrusion in access log. How it went (as far as I can tell):
    – hacker came from online service that looks for sites on same server (now I am worried about server having hole)
    – blog home page loaded
    – wp-login seems typed by hand and suddenly he is in admin
    – manually uploads and activates backdoor plugin
    – briefly checks plugin few hours later from another ip

    Log fragment for those who want to take a look:
    https://dl.getdropbox.com/u/58900/ip.csv

    Weirdest part – it seems hacker just saw my blog for the first time, no previous visits, no poking around, no bruteforce attempts I can see. He just came by looking for site on specific server and somehow just logged in.

    My conclusion – this was purely WP attack, hacker made beeline for WP login and he knew exactly what was he doing with that plugin.

    Question is – where the heck is hole, in WP or in server. ??

    I encountered this with creating page today (just installed Widget Cache, WP 2.7.1). Ended up creating few unneeded copies of page because of blamk coming up, then couldn’t delete those until disabled plugin.

    No idea if posts are affected, will check that tommorow.

    Anything specific I might do to help figure this out?

    I second OP for returning option. I have tight area for displaying related posts and numbers mostly get on new line, effectively doubling block height. Log out each time I need to look how it is working for a visitor – no fun at all.

    Installed 2.0.5, but still getting same problem. ?? Any info on my setup I might provide to help look into it?

    Here is what I get after saving options:

    <ul><li>No related posts found. If you want more post like this one <a href=\"https://skribit.com/blogs/www-rarst-net\">make a suggestion on my Skribit page</a>.</li></ul>

    After saving few times there are whole bunches of slashes.

Viewing 5 replies - 61 through 65 (of 65 total)