frank0815
Forum Replies Created
See this thread:
http://ww.wp.xz.cn/support/topic/changed-headers-in-all-php-files?replies=24
Did you have MailPoet installed?
Meanwhile I’m pretty sure it’s the MailPoet vulnerability… see
http://ww.wp.xz.cn/support/topic/changed-headers-in-all-php-files?replies=24
and
http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
Did any of your hacked sites have MailPoet installed? Or… since you’re on a shared account, has your host found a site on the same server that has MailPoet installed?
Not unsuccessfully Jan, what you’re saying is probably the correct conclusion, I’m just trying to determine whodunnit and be sure, before making arrests 😉
Looking at
http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
http://ww.wp.xz.cn/support/topic/update-older-versions-of-mailpoetwysija-right-away?replies=7
would you think that the issue we’re having IS caused by MailPoet?
For now, I have deleted MailPoet and restored a backup from July 5. So far, the site is OK but I’m thinking backdoors MAY have been installed / database may have been affected before that date. Just to be sure and looking at WHEN the MailPoet exploit started happening… if you had backups from June, May and April etc. – which one would you use to restore?
Jan… that’s not the point. Just trying to connect the dots here and I have a feeling that a specific plugin is to blame. I’m thinking MailPoet / wysija. Their 2.6.7 version did not solve the problem they had a few weeks ago.
So… you guys with the headers .php hack… have you been using it before your sites were hacked???
chrisjackson: same thing here…
Could you please post a list of all plugins used on your hacked sites?
All those affected: please post a list of all plugins used on your hacked sites…