• Resolved tomharrison

    (@tomharrison)


    I noticed a sharp decline in search engine traffic over the past few days. Did a Google site search on my blog and found many of my SERPs rankings containing pharmaceutical spam.

    Did a grep on my blog dir for the names of the drugs and found that someone had placed a file called out.zip in one of the directories in wp-uploads 3 days ago and uncompressed it to a folder called “out”. This contained all the spam content.

    Also found a bogus wp-includes/wp-load.php script which was being globally included via a wp-config.php modification. It was redirecting incoming search traffic to medbox24.com.

    Didn’t find anything in my database, no extra users added, not sure how they accessed my server yet.

    Deleted all the spam content, removed the imposter script, upgraded WP and changed all my passwords.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator James Huff

    (@macmanx)

    Unfortunately, it’s a code injection hack that can happen to any file on any poorly secured server. All it takes is for one account to be compromised on the server (or for the hacker to open an account on the server), and he can then exploit the server’s poor security to infect every file on the server.

    This particular hack has been going through several popular shared hosting providers for the past several months. Since it’s a general hack that exploits server security, there’s nothing the WordPress team can do.

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If this happens again, I recommend moving to a different hosting provider.

    Thread Starter tomharrison

    (@tomharrison)

    I see, thank you for the reply. I’m on DreamHost so I will bring it to their attention.

    I had already done all of the things in that FAQ to clean out my blog, so everything is working fine now.


The topic ‘Possible 3.0.0 Exploit’ is closed to new replies.
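
The checks described in the first post (an archive unpacked in the uploads directory, a wp-load.php under wp-includes pulled in from wp-config.php, a grep for spam keywords), as an added example that is not part of the thread or of WordPress. It assumes the stock wp-content/uploads layout; `wp_triage`, `make_constructed_tree` and the keyword `examplepill` are hypothetical names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: triage checks matching the findings in the first post.
# Assumption: uploads live under wp-content/uploads (stock WordPress layout).

# wp_triage ROOT [KEYWORD_REGEX] -> one "TAG detail" line per finding.
wp_triage() {
    root=$1
    keywords=${2:-}
    uploads="$root/wp-content/uploads"

    # 1. Archives or PHP files in the uploads tree.
    if [ -d "$uploads" ]; then
        find "$uploads" -type f \( -iname '*.zip' -o -iname '*.php' \) |
            sort | sed 's/^/UPLOADS /'
    fi

    # 2. Stock WordPress keeps wp-load.php in the root, not in wp-includes.
    if [ -f "$root/wp-includes/wp-load.php" ]; then
        echo "MISPLACED $root/wp-includes/wp-load.php"
    fi

    # 3. include/require lines in wp-config.php other than wp-settings.php.
    if [ -f "$root/wp-config.php" ]; then
        grep -nE '^[[:space:]]*@?(include|require)(_once)?[[:space:](]' \
            "$root/wp-config.php" | grep -v 'wp-settings\.php' |
            sed 's/^/CONFIG_INCLUDE /' || true   # no match is not an error
    fi

    # 4. Files containing caller-supplied spam keywords (case-insensitive).
    if [ -n "$keywords" ]; then
        grep -rliE -- "$keywords" "$root" | sort | sed 's/^/KEYWORD /' || true
    fi
    return 0
}

# Builds a constructed sample tree (made-up content) for trying the checks.
make_constructed_tree() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads/out"
    printf 'PK' > "$1/wp-content/uploads/out.zip"
    echo '<p>buy examplepill</p>' > "$1/wp-content/uploads/out/page.html"
    echo '<?php // constructed stand-in' > "$1/wp-includes/wp-load.php"
    echo '<?php // stock location' > "$1/wp-load.php"
    printf '%s\n' '<?php' "include('wp-includes/wp-load.php');" \
        "require_once(ABSPATH . 'wp-settings.php');" > "$1/wp-config.php"
}
```

Run it as `wp_triage /path/to/blog 'keyword1|keyword2'`; a tree with none of these findings prints nothing.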