Title: WordPress 3.0.1 hack or exploit?
Last modified: August 19, 2016

---

# WordPress 3.0.1 hack or exploit?

 *  Resolved [mosco](https://wordpress.org/support/users/mosco/)
 * (@mosco)
 * [15 years, 6 months ago](https://wordpress.org/support/topic/wordpress-301-hack-or-exploit/)
 * I am running several wordpress blogs, all running 3.0.1. They are all getting
   hacked; the exploit is inserting a `<script src=”…` pointing to a malware host at
   the bottom of all the posts in each blog.
 * So it looks like an sql injection hack (it would be impossible just by using
   a hacked wp-admin account; some of these blogs have 10,000+ posts and the hack
   shows up all at once on all of them).
 * The entire wp-admin is secured (not accessible from the outside), so the hack
   is not going through there, and it is also not coming through ftp. None of the
   core wordpress files look compromised (no base64 code anywhere), and the hack
   still happened after replacing all the wordpress core files with a freshly
   re-downloaded 3.0.1 version (and checking that no additional files were left over).
 * There is only one blog that is not being hacked, and that one does not allow 
   comments. All the others do.
 * So I am wondering if there is a zero-day exploit out there on the comments system
   in wordpress 3.0.1
 * It could also be due to a plugin, we’re looking into that, but we’ve ruled out
   most of the plugins since there are only a couple of them that are common to 
   all the hacked installations.
 * Anyone else seeing something like this?
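A defender-side check for the symptom described in this post, written as an added example and not code from the thread or from WordPress: it scans rows shaped like `SELECT ID, post_content FROM wp_posts` (here a constructed sample) for `<script src=...>` tags whose host is not one of the site's own, reports the affected row IDs, and strips the injected elements. The table and column names are WordPress's real schema; the post bodies and hostnames in the sample are made up. The scanner takes any `(id, text)` rows, so the same function can be run over other tables (comments, options) to check whether the injection is confined to posts.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows in the shape of `SELECT ID, post_content FROM wp_posts`
# (wp_posts / ID / post_content are WordPress's real names; the content and the
# hostnames below are made up for this example).
SAMPLE_POSTS = [
    (1, "<p>Hello world</p>"),
    (2, '<p>Second post</p>\n<script src="http://malware.example/x.js"></script>'),
    (3, '<p>Embed</p><script src="https://blog.example.org/wp-includes/js/jquery.js"></script>'),
    (4, "<p>Inline</p><script>var a = 1;</script>"),
    (5, '<p>Relative</p><script src="/wp-content/themes/t/app.js"></script>'),
]

# Any <script ... src=...> opening tag; group 1 is the src value (quoted or bare).
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# A whole <script src=...>...</script> element, used when stripping.
SCRIPT_TAG_RE = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>.*?</script\s*>',
    re.IGNORECASE | re.DOTALL)


def _foreign_host(src, trusted_hosts):
    """Return the lowercase host of `src` if it points off-site, else None.
    Relative paths (no scheme and no host) are treated as same-site."""
    host = urlparse(src).hostname
    if host is None:
        return None
    host = host.lower()
    return None if host in trusted_hosts else host


def external_script_hosts(html, trusted_hosts):
    """List the off-site hosts referenced by <script src=...> tags in one field."""
    trusted = {h.lower() for h in trusted_hosts}
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = _foreign_host(src, trusted)
        if host:
            found.append(host)
    return found


def find_injected_rows(rows, trusted_hosts):
    """Map row id -> off-site script hosts for every row that carries one."""
    hits = {}
    for row_id, text in rows:
        hosts = external_script_hosts(text, trusted_hosts)
        if hosts:
            hits[row_id] = hosts
    return hits


def strip_external_scripts(html, trusted_hosts):
    """Remove <script src=...></script> elements that point off-site; keep the rest."""
    trusted = {h.lower() for h in trusted_hosts}

    def replace(match):
        return "" if _foreign_host(match.group(1), trusted) else match.group(0)

    return SCRIPT_TAG_RE.sub(replace, html)


if __name__ == "__main__":
    trusted = ["blog.example.org"]  # the blog's own hostname(s); assumption
    for post_id, hosts in find_injected_rows(SAMPLE_POSTS, trusted).items():
        print(f"post {post_id}: injected script from {', '.join(hosts)}")
```

Run it against a real export by replacing `SAMPLE_POSTS` with rows fetched from the database and `trusted` with the site's own hostnames; post 2 in the sample is the only hit, because post 3 loads a script from the site itself, post 4 is inline, and post 5 uses a relative path. Stripping the tag cleans the symptom only; the rows keep reappearing until the write path is closed, which is what the thread goes on to discuss.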

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [mrmist](https://wordpress.org/support/users/mrmist/)
 * (@mrmist)
 * [15 years, 6 months ago](https://wordpress.org/support/topic/wordpress-301-hack-or-exploit/#post-1790715)
 * What’s it hosted on? The platform could be vulnerable.
 *  Thread Starter [mosco](https://wordpress.org/support/users/mosco/)
 * (@mosco)
 * [15 years, 6 months ago](https://wordpress.org/support/topic/wordpress-301-hack-or-exploit/#post-1790717)
 * IIS 7 fully patched, with latest php version and fastcgi, there is no command
   line shell available and no remote users can login.
 * There are a lot of other php and non-php apps on there, none are hacked; this looks
   very specifically like a wordpress hack, it’s only inserting the code inside
   wordpress posts.
 * the only other way I would see someone doing this is using phpmyadmin, but there
   is no phpmyadmin installed that’s accessible to outside users.
 * If the host itself was compromised I would expect to see that same code inserted
   into other mysql table to make it show up on other parts of the hacked sites.
   That is not happening.
 *  [Chris Trynkiewicz (Sukces Strony)](https://wordpress.org/support/users/eclare/)
 * (@eclare)
 * [15 years, 6 months ago](https://wordpress.org/support/topic/wordpress-301-hack-or-exploit/#post-1790824)
 * Mosco, can you confirm that you have no other sites that have comments and WERE
   hacked?
 *  Thread Starter [mosco](https://wordpress.org/support/users/mosco/)
 * (@mosco)
 * [15 years, 6 months ago](https://wordpress.org/support/topic/wordpress-301-hack-or-exploit/#post-1790835)
 * Yes, but that’s the only one other site. All the hacked sites have the Akismet
   plugin + commenting on; the one that didn’t get hacked doesn’t allow comments
   anywhere and doesn’t have Akismet enabled.
 *  Thread Starter [mosco](https://wordpress.org/support/users/mosco/)
 * (@mosco)
 * [15 years, 6 months ago](https://wordpress.org/support/topic/wordpress-301-hack-or-exploit/#post-1790987)
 * No more hacks since we upgraded to 3.0.2, we were getting hit twice a day before
   that.
 * If that holds then I think 3.0.1 has an sql injection vulnerability that was 
   fixed in 3.0.2 (something more serious than the xss vulnerability that was announced
   fixed in 3.0.2)


The topic ‘WordPress 3.0.1 hack or exploit?’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 5 replies
 * 3 participants
 * Last reply from: [mosco](https://wordpress.org/support/users/mosco/)
 * Last activity: [15 years, 6 months ago](https://wordpress.org/support/topic/wordpress-301-hack-or-exploit/#post-1790987)
 * Status: resolved

