[wp-hackers] Pharma hack
jdg at codesymphony.co
Sat Sep 28 12:36:31 UTC 2013
Simon is right - check the server access logs (if you can). That may tell you how they got in.
On Sep 28, 2013, at 5:53 AM, Simon Vart <simon.vart at exigences.biz> wrote:
> Did you check webserver logs? You will see pages accessed.
> Check creation date of common.php and /cookies/ directory and it will tell
> you when to look around
> On 28 Sept. 2013 10:09, "Steve Taylor" <steve at sltaylor.co.uk> wrote:
>> A site I run just got hit by the "pharma hack". There was a common.php and
>> a /coockies/ directory in the root, and a modification to .htaccess
>> rerouting all search bots to common.php - encoded but obviously stuffed
>> with spam keywords, which were appearing in Google's index.
>> I've cleaned up and all seems fine now, but obviously it'd be good to
>> identify the point of entry and be sure.
>> The site has always had an up-to-date core, with minor delays (I think a
>> week passed before upgrading to 3.6.1). A few plugins needed upgrading, but
>> as far as I could tell none of the upgrades involved serious security
>> The guy who hosts the site (not my choice) says he's 99% certain WP was the
>> issue, but this seems unlikely to me. He doesn't seem terribly
>> knowledgeable about security. I can't be 100% there wasn't some odd hole in
>> my WP installation, but obviously I suspect a server vulnerability -
>> leaving us pointing the finger at each other.
>> Personally I would move hosts, but this isn't my decision. Just wondering
>> what people here thought, and if anyone heard of recent vulnerabilities to
>> this hack in relatively up-to-date WP installations. Also, what concrete
>> analysis of the situation should be the bare minimum expected of a host?
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
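The approach suggested in this thread (take the timestamp of common.php and the dropped directory, then read the access log around that time) can be scripted. The following is an added example, not code from any poster: it assumes an Apache "combined" access log, the function names are hypothetical, and the sample log lines, IPs and plugin path are constructed.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache "combined" format; IPs, times and plugin path are made up.
SAMPLE_LOG = """\
198.51.100.23 - - [26/Sep/2013:22:01:13 +0000] "GET /readme.html HTTP/1.1" 200 9177 "-" "curl/7.30"
203.0.113.7 - - [27/Sep/2013:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Sep/2013:03:14:40 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "curl/7.30"
198.51.100.23 - - [27/Sep/2013:03:14:55 +0000] "GET /common.php HTTP/1.1" 200 12 "-" "curl/7.30"
203.0.113.9 - - [27/Sep/2013:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def file_times(path):
    """(mtime, ctime) in UTC. mtime can be set by whoever wrote the file; on Linux
    ctime is the last inode change, harder to forge but possibly later than creation."""
    st = os.stat(path)
    return tuple(datetime.fromtimestamp(t, timezone.utc) for t in (st.st_mtime, st.st_ctime))

def parse(log_text):
    """Yield one dict per parsable line; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def suspicious_near(log_text, dropped_at, minutes=30,
                    artifacts=("/common.php", "/cookies/", "/coockies/")):
    """Requests within +/- minutes of dropped_at that write or touch the dropped files."""
    hits = []
    for rec in parse(log_text):
        if abs(rec["time"] - dropped_at) > timedelta(minutes=minutes):
            continue
        reasons = []
        if rec["method"] in ("POST", "PUT"):
            reasons.append("write request")
        if rec["path"].startswith(artifacts):  # both directory spellings from the thread
            reasons.append("touches dropped file")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits

def pivot_by_ip(log_text, hits):
    """Everything the flagged clients did, including outside the time window."""
    ips = {h["ip"] for h in hits}
    return [r for r in parse(log_text) if r["ip"] in ips]

if __name__ == "__main__":
    dropped = datetime(2013, 9, 27, 3, 14, 50, tzinfo=timezone.utc)  # constructed; use file_times() on the host
    hits = suspicious_near(SAMPLE_LOG, dropped)
    for r in pivot_by_ip(SAMPLE_LOG, hits):
        print(r["time"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

If the timestamps on the dropped files disagree with each other, widen the window and rely on the pivot by client address rather than on a single time.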