Forum Replies Created

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter arachnejericho

    (@arachnejericho)

    Thanks! It’s fixed now. 🙂

    Thread Starter arachnejericho

    (@arachnejericho)

    Brad Markle,

    I’m going to install plugins one at a time, slooooowly, and wait to see if hacks reappear over time. Snapshot before installing any plugin.

    The IP address is a Tor address, so it’s pretty much a mask they can take on and off whenever they like.

    I’ve been reading up on fun like last year’s exploit of Tim Thumb.

    This is going to be a slow operation.

    Thread Starter arachnejericho

    (@arachnejericho)

    Brad Markle,

    Nope, it’s not expected, and not that pattern with POSTs.

    Here’s more information I dug up from a recent hack, with plugins I was using (all the latest versions available from WordPress).

    https://plus.google.com/u/0/118153148768252972560/posts/e4FTcmTxuvB

    When I removed all plugins and did a totally fresh WP install after an “rm -rf *”, I didn’t get hacked again.

    Thread Starter arachnejericho

    (@arachnejericho)

    @ MickeyRoush

    Yeah, I know. It’s … disturbing to say the very, very least.

    @ Brad Markle

    There were a bunch of random php files they had managed to drop into the installations of one of my side sites. From there, they hacked the main site.

    Only the http logs caught them. So now I’m scanning those for similarly suspicious entries.

    87.225.253.174 - - [25/Jan/2012:16:23:38 -0800] "POST /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/defines.php HTTP/1.1" 404 579 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:23:41 -0800] "POST /wp-content/plugins/w3-total-cache/lib/W3/Cdn/S3/archive.php HTTP/1.1" 404 569 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:23:44 -0800] "POST /wp-content/plugins/w3-total-cache/lib/Minify/Minify/Inline/rss.php HTTP/1.1" 404 576 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:23:46 -0800] "POST /wp-content/plugins/w3-total-cache/inc/options/support/form/de.php HTTP/1.1" 404 575 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:23:49 -0800] "POST /wp-content/plugins/w3-total-cache/lib/Microsoft/WindowsAzure/RetryPolicy/en.php HTTP/1.1" 404 589 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:23:51 -0800] "POST /wp-content/plugins/wp-ajax-edit-comments/css/themes/aesthetica-large/images/en_GB.php HTTP/1.1" 404 595 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:23:54 -0800] "POST /wp-content/plugins/wp-ajax-edit-comments/css/themes/classy-large/images/images.php HTTP/1.1" 404 592 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:23:56 -0800] "POST /wp-content/w3tc/pgcache/2010/04/03/retyping-the-speckled-band-part-6-action-climax-and-epilogue/rss.php HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:23:59 -0800] "POST /wp-content/plugins/wp-ajax-edit-comments/css/themes/aesthetica-small/images/json.php HTTP/1.1" 404 594 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:24:01 -0800] "POST /wp-includes/js/tinymce/themes/advanced/skins/highcontrast/rss.php HTTP/1.1" 404 575 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:24:04 -0800] "POST /wp-content/themes/weaver/js/superfish/images/index.php HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    87.225.253.174 - - [25/Jan/2012:16:24:07 -0800] "POST /wp-content/w3tc/pgcache/2010/04/03/json.php HTTP/1.1" 404 553 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
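    The log scan described in this post, as an added example that is not part of the original post or of WordPress itself: a small Python script that parses Apache/nginx "combined" access-log lines and flags the pattern shown above (POSTs to `.php` files sitting under directories that should only hold static assets, and POSTs to `.php` paths that return 404), then reports any client that fires several such hits within a short window. The log format, the list of static directories, the thresholds and the sample lines below are assumptions chosen for this example; the sample lines are constructed and use documentation IP ranges rather than the address from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed; matches the excerpt's shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should only serve static assets (assumed list). A .php file
# under one of these is a common location for a dropped backdoor.
STATIC_DIRS = ("/images/", "/img/", "/css/", "/js/", "/skins/", "/pgcache/", "/fonts/")

# Constructed sample lines modelled on the pattern in the thread (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jan/2012:16:20:00 -0800] "GET /wp-content/uploads/2012/01/photo.jpg HTTP/1.1" 200 48211 "https://example.com/" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2012:16:21:00 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.com/post/" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2012:16:23:38 -0800] "POST /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/defines.php HTTP/1.1" 404 579 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.5 - - [25/Jan/2012:16:23:41 -0800] "POST /wp-content/plugins/example-plugin/css/themes/large/images/en_GB.php HTTP/1.1" 404 595 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.5 - - [25/Jan/2012:16:23:44 -0800] "POST /wp-content/w3tc/pgcache/2010/04/03/json.php HTTP/1.1" 404 553 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.5 - - [25/Jan/2012:16:23:46 -0800] "POST /wp-content/themes/example-theme/js/superfish/images/index.php HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.5 - - [25/Jan/2012:16:23:49 -0800] "POST /wp-includes/js/tinymce/themes/advanced/skins/highcontrast/rss.php HTTP/1.1" 404 575 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
"""


def parse_line(line):
    """Return a dict of fields for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious_reasons(rec):
    """Return the list of heuristics a parsed request trips (empty if none)."""
    reasons = []
    path = rec["path"].split("?", 1)[0]
    is_php = path.lower().endswith(".php")
    if is_php and any(d in path for d in STATIC_DIRS):
        reasons.append("php-under-static-dir")
    if rec["method"] == "POST" and is_php and rec["status"] == 404:
        # Probing for a backdoor that has since been removed (or never landed).
        reasons.append("post-to-missing-php")
    return reasons


def scan(lines):
    """Yield (ip, method, path, status, reasons) for every flagged line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec)
        if reasons:
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"], reasons))
    return hits


def probe_bursts(lines, min_hits=5, window_seconds=60):
    """Map IP -> total flagged requests for IPs with min_hits flags inside window_seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and suspicious_reasons(rec):
            per_ip[rec["ip"]].append(rec["ts"])
    bursts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i in range(len(stamps) - min_hits + 1):
            if (stamps[i + min_hits - 1] - stamps[i]).total_seconds() <= window_seconds:
                bursts[ip] = len(stamps)
                break
    return bursts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, method, path, status, reasons in scan(lines):
        print(f"{ip} {method} {path} {status} {','.join(reasons)}")
    print("bursting clients:", probe_bursts(lines))
```

    Run it against a real access log with `scan(open("access.log"))`; the two benign lines in the sample (a GET for an image and a POST to a comment handler with a referer) are left alone, while the five probes from the constructed scanner address are flagged and reported as a burst. The 404 rule on its own is useful after a clean reinstall, since a returning attacker posting to a backdoor that no longer exists shows up as exactly that.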
    Thread Starter arachnejericho

    (@arachnejericho)

    No hack in progress. Just been backdoored and code injected all over the place and oy. Nothing is good and everything hurts.

    Thanks for the looks and the advice.

    Thread Starter arachnejericho

    (@arachnejericho)

    Thank you, Brad.

    An update: I think the problem is that DreamHost keeps getting hacked.

    https://plus.google.com/u/0/118153148768252972560/posts/JoJYPZ3aiP6

    If those were DreamHost admins, they aren’t (a) root and their IPs are not (b) in DreamHost’s block.

    I’d say there’s a hack in progress. DreamHost may or may not respond by phone (which I’m now paying for, as this is severe enough to warrant it).

    Thread Starter arachnejericho

    (@arachnejericho)

    One of the installations just got upgradeable, and indeed, upgraded flawlessly.

    Excellent plugin, and saves a lot of headache. And works with multiple installs that share the same database. 🙂

    Thanks!

    I will see if I can find a way to wedge in a filter. Or if that’s an option right now.

    Still perusing the code. I should go look at the new branch, too.

    Filed a ticket via trac:

    http://trac.ww.wp.xz.cn/ticket/5835

    Either it will get picked up by the whim of the WordPress gods, or it will not…

    The full feed plugin does not take care of this problem.

    I need help with this, and I don’t know the code base well enough to figure out what’s going on with RSS generation. Simply editing the full feed plugin to strip out ‘nextpage’ surprisingly does not work.
