[wp-hackers] Hacked blogs

Peter van der Does peter at avirtualhome.com
Thu Mar 26 16:43:47 GMT 2009

On Thu, 26 Mar 2009 17:00:53 +0100
Joost de Valk <joost at yoast.com> wrote:

> Exactly, it's a check.
> Going through the access logs I can't find anything else yet though,
> what we DO see on one of the hosts is that the "infected" files were
> uploaded through FTP (we can see that in the xfer.log), but if I'm
> not mistaken, that could still be done through XSS right?


In order to upload through FTP you will need a username and password,
unless you can upload to any directory anonymously, which is bad.
FTP usernames and password are normally not held on a web server, again
if you run a script that can do FTP uploads, it's bad.

I believe a local machine, Windows/Mac/Linux, is infected with a virus.
Do the site(s) share the same username/password?
Who has FTP access to the site(s)?

Change the password of the user who uploaded the infected file and try
to find out from which user/IP it came. Anybody who has FTP access has
to thoroughly inspect their machine(s).

Peter van der Does

GPG key: E77E8E98

WordPress Plugin Developer

GetDeb Package Builder/GetDeb Site Coder
http://www.getdeb.net - Software you want for Ubuntu

More information about the wp-hackers mailing list