[wp-hackers] WP exploit , was Re: [Webmaster Central Help] Site hacked.

Mike Little wordpress at zed1.com
Wed Dec 2 09:29:06 UTC 2009


2009/12/2 Malaiac <malaiac at gmail.com>

> 2009/11/27 Malaiac <malaiac at gmail.com>:
> > Regarding
> http://www.google.com/support/forum/p/Webmasters/thread?fid=2bb823d5af6173a00004794fff8f89b7&hl=en
> >
> > it seems this is an exploit from older versions of WP.
> >
> > One of my sites had been hacked with it. Upgrading to 2.8.6 and
> > overwriting the wp-settings.php file did the job.
>
> Oops.
> upgrading to 2.8.6 only fixed the problem for a few days before the
> hacker went on it again.
>
>
>
Look for files which are not part of WordPress and remove them. They often
have wp sounding names but contain complete cracker control panels that can
edit files, create new files, and modify your database all under automated
remote control! Once those are there, upgrading wp doesn't make them go
away.

Filenames I have seen on clients' sites include:
class-cache.php
cache.php
wp-manager.php
works.php
wp-info.php
wp-stats.php
wp-old.php


The very best thing to do is download your complete wp directory to your
desktop, and compare it to a pristine copy of wp 2.8.6. Look for unknown
files and especially different file sizes.


Mike
-- 
Mike Little
http://zed1.com/


More information about the wp-hackers mailing list