Title: Hack analysis
Last modified: August 20, 2016

---

# Hack analysis

 *  [sscotter](https://wordpress.org/support/users/sscotter/)
 * (@sscotter)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/hack-analysis/)
 * Hi all,
 * I discovered about half an hour ago two WordPress sites I host have been “hacked”.
   In both cases a PHP file with a random filename was found in the /wp-content/
   uploads directory. The contents of the scripts were subtly different but the 
   aim of both was to send spam email. The contents of my outbound postfix queue
   is about 1,750 emails which I’m now purging.
 * I have access to the logs of both websites going back twelve months (I’m a hoarder!).
   Grepping the logs for the name of the uploaded scripts shows me that the scripts
   were first HTTP:// requested two days ago. However, I can’t see any log of when
   the files were uploaded (and therefore how!). I’ve also grepped the logs for 
   upload.php, but the last use of that was 31st July by my IP address so it doesn’t
   appear the scripts were uploaded via that.
 * What else should I be grepping to try and track how these scripts were uploaded
   in the first place?
 * PS. I am running the latest version of WordPress (v3.2.1) on both sites. I did
   however have a couple of out of date plugins but I’ve not spotted any overlap
   with the plugins between the two sites. Of course, the hacks may not be linked..
   but they are both hosted on the same server.
 * Any advice will be gratefully received!

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/hack-analysis/#post-2275261)
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/hack-analysis/#post-2275351)
 * @ sscotter
 * Did any of your themes and/or plugins use timthumb.php or any variant of? Also
   look for any requests for that as well.
 *  Thread Starter [sscotter](https://wordpress.org/support/users/sscotter/)
 * (@sscotter)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/hack-analysis/#post-2275428)
 * Thanks for your input.
 * I have checked and one of the compromised sites has the WP Mobile Detector plugin
   which contains a timthumb.php file. Grepping the logs doesn’t show anything of
   interest though.
 * I’ll keep on searching!
 *  [Roy](https://wordpress.org/support/users/gangleri/)
 * (@gangleri)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/hack-analysis/#post-2275429)
 * About the timthumb hack:
    [http://wordpress.org/support/topic/timthumb-google-images-hack?replies=1](http://wordpress.org/support/topic/timthumb-google-images-hack?replies=1)
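
An added example, not part of any post in this thread: a small Python scanner for the searches discussed above (requests for PHP files under /wp-content/uploads, and requests for timthumb.php or a renamed copy), plus POSTs to PHP files under /wp-content as an assumed extra lead. The combined log format, the rule names and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime

# Assumes Apache/nginx "combined" log format; adjust LINE_RE for a custom format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

# (label, required method or None, pattern on the URL path). First match wins.
RULES = [
    ("php-in-uploads", None, re.compile(r'^/wp-content/uploads/.*\.php$', re.I)),
    ("timthumb-variant", None, re.compile(r'/[^/]*thumb[^/]*\.php$', re.I)),
    ("post-to-wp-content", "POST", re.compile(r'^/wp-content/.*\.php$', re.I)),
]

def scan(lines):
    """Return matching requests as dicts, oldest first."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        path = m["url"].split("?", 1)[0]  # match on the path, not the query
        for label, method, pattern in RULES:
            if (method is None or method == m["method"]) and pattern.search(path):
                when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
                hits.append({"when": when, "rule": label, "ip": m["ip"],
                             "method": m["method"], "url": m["url"]})
                break
    return sorted(hits, key=lambda h: h["when"])

def first_seen(hits):
    """Earliest hit per rule: where to start reading the full log from."""
    first = {}
    for h in hits:  # hits are already sorted oldest first
        first.setdefault(h["rule"], h)
    return first

# Constructed sample lines (documentation IPs, made-up file, theme and plugin names).
SAMPLE = [
    '192.0.2.77 - - [12/Sep/2011:01:05:00 +0000] "POST /wp-content/uploads/x7f3k.php HTTP/1.1" 200 312',
    '198.51.100.4 - - [11/Sep/2011:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
    '192.0.2.77 - - [12/Sep/2011:01:00:00 +0000] "GET /wp-content/uploads/x7f3k.php HTTP/1.1" 200 20',
    '203.0.113.9 - - [10/Sep/2011:03:14:07 +0000] "GET /wp-content/themes/example-theme/thumb.php?w=100 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Sep/2011:03:14:09 +0000] "POST /wp-content/plugins/example-plugin/handler.php HTTP/1.1" 200 15',
]

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(h["when"].isoformat(), h["rule"], h["ip"], h["method"], h["url"])
```

Feed it the concatenated, decompressed access logs for every site on the server; the earliest hit per rule gives a timestamp and source address to read around in the full log.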


The topic ‘Hack analysis’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 4 replies
 * 4 participants
 * Last reply from: [Roy](https://wordpress.org/support/users/gangleri/)
 * Last activity: [14 years, 9 months ago](https://wordpress.org/support/topic/hack-analysis/#post-2275429)
 * Status: not resolved

