[wp-hackers] Hacked blogs

Bjorn Wijers burobjorn at gmail.com
Fri Mar 27 13:52:53 GMT 2009

Just a minor remark on FTP which might be useful:

A lot of people use wireless anywhere they can, while forgetting that FTP
credentials are sent in plain-text making it very easy for a bad-guy to sniff
the passwords by using a compromised wifi access point. Make sure you use a
secure encrypted connection (for instance SFTP) for all your network traffic
when using wifi accesspoint you do not control.

Hope you'll find the culprit sooner than later.

All the best,


met vriendelijke groet,
Bjorn Wijers

* b u r o b j o r n .nl *
digitaal vakmanschap | digital craftsmanship

Concordiastraat 68-126
3551 EM Utrecht
The Netherlands

phone: +31 6 49 74 78 70

Peter van der Does wrote:
> On Thu, 26 Mar 2009 17:00:53 +0100
> Joost de Valk <joost at yoast.com> wrote:
>> Exactly, it's a check.
>> Going through the access logs I can't find anything else yet though,
>> what we DO see on one of the hosts is that the "infected" files were
>> uploaded through FTP (we can see that in the xfer.log), but if I'm
>> not mistaken, that could still be done through XSS right?
> In order to upload through FTP you will need a username and password,
> unless you can upload to any directory anonymously, which is bad.
> FTP usernames and password are normally not held on a web server, again
> if you run a script that can do FTP uploads, it's bad.
> I believe a local machine, Windows/Mac/Linux, is infected with a virus.
> Do the site(s) share the same username/password?
> Who has FTP access to the site(s)?
> Change the password of the user who uploaded the infected file and try
> to find out from which user/IP it came. Anybody who has FTP access has
> to thoroughly inspect their machine(s).

More information about the wp-hackers mailing list