Wordpress page.php Exploit

I administer a number of websites for clients. Recently, I noticed that one client who has a WordPress site had over 6000 pages indexed in Google. This is odd, since her website only has about 20 pages. I investigated and found the additional URLs were coming from a folder called "media" with a single file called page.php inside of it. From this single page.php, thousands of URLs were created with this format:

http://myclientssite.com/media/page....t-side-effects

I changed all passwords associated with the account and updated all themes, plugins, and WordPress itself. I installed Bulletproof Security and ran malware and exploit scanners. Nothing was found. I tried deleting the media folder, but it would just show up again, so this is coming from something inside WordPress.

To stop these pages from being created again, I deleted the page.php inside the folder and removed all permissions to it. This removes the pages. This solution doesn't really address the core problem, though; I still don't know what exploit caused the problem.

Anyway, today I was administering comments on another site and I found lots of spam comments pointing to a page.php in a subfolder of many other sites. So this exploit is happening to a lot of WordPress-based sites.

Basically, if you are running WordPress, check to see if any extraneous folders have been created. I noticed that the folder names are changing; today I saw some called "uggs", "O", "newbags", "info", "mk" and many others.

You should also check to see how many pages you have indexed in Google.

So please watch out for this exploit.
#exploit #pagephp #wordpress
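The check the post recommends (look for folders at the WordPress root that should not be there, and for PHP files inside them) can be scripted, and because the poster found that the folder came back under changing names after deletion, the script below also fingerprints each hit so a later run can tell "same file dropped again under a new folder" from "a genuinely new file". This is an added example written for this page, not code from the post or from WordPress; the KNOWN_DIRS/KNOWN_FILES baseline is an assumption for a stock install (extend it for sites that legitimately add folders), and the sample document root it builds is constructed for illustration.

```python
"""Scan a WordPress document root for PHP files in non-stock root-level
directories (the media/page.php pattern from the post) and compare runs.
Added example; baseline lists and sample tree are assumptions."""
import hashlib
import tempfile
from pathlib import Path

# Stock WordPress layout at the document root (assumed baseline; a site
# that legitimately adds folders at the root should extend these sets).
KNOWN_DIRS = {"wp-admin", "wp-includes", "wp-content"}
KNOWN_FILES = {
    "index.php", "wp-config.php", "wp-config-sample.php", "wp-login.php",
    "wp-load.php", "wp-settings.php", "wp-blog-header.php", "wp-cron.php",
    "wp-activate.php", "wp-comments-post.php", "wp-links-opml.php",
    "wp-mail.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

# Constructed stand-in for a dropped page.php; not real spam-page content.
SAMPLE_SPAM_PHP = b"<?php /* constructed placeholder for a dropped page.php */ ?>\n"


def sha256_hex(data: bytes) -> str:
    """Content fingerprint used to recognise the same file across runs."""
    return hashlib.sha256(data).hexdigest()


def find_unexpected_php(docroot) -> list:
    """Return sorted (relative_path, sha256) pairs for every .php file that
    lives under a root-level directory not in KNOWN_DIRS, plus any root-level
    .php file whose name is not in KNOWN_FILES.  Stock directories such as
    wp-content are deliberately not descended into here."""
    root = Path(docroot)
    hits = []
    for entry in root.iterdir():
        if entry.is_dir():
            if entry.name in KNOWN_DIRS:
                continue
            for php in entry.rglob("*.php"):
                if php.is_file():
                    rel = php.relative_to(root).as_posix()
                    hits.append((rel, sha256_hex(php.read_bytes())))
        elif entry.is_file() and entry.suffix == ".php" and entry.name not in KNOWN_FILES:
            hits.append((entry.name, sha256_hex(entry.read_bytes())))
    return sorted(hits)


def compare_runs(previous: list, current: list) -> dict:
    """Split the current hits into 'new' (content never seen before) and
    'recurring' (same content as an earlier hit, possibly under a different
    folder name, i.e. the file was dropped again after being deleted).
    Hits identical in both path and hash are unchanged and not reported."""
    prev_keys = set(previous)
    prev_hashes = {digest for _, digest in previous}
    new, recurring = [], []
    for hit in current:
        if hit in prev_keys:
            continue
        (recurring if hit[1] in prev_hashes else new).append(hit)
    return {"new": new, "recurring": recurring}


def build_sample_tree() -> str:
    """Create a constructed document root in a temp dir: a few stock files
    and directories plus a 'media/page.php' like the one in the post."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    for d in KNOWN_DIRS:
        (root / d).mkdir()
    (root / "wp-content" / "themes").mkdir()
    (root / "wp-content" / "themes" / "functions.php").write_text("<?php // theme file\n")
    for f in ("index.php", "wp-config.php", "wp-login.php"):
        (root / f).write_text("<?php // stock file\n")
    (root / "media").mkdir()
    (root / "media" / "page.php").write_bytes(SAMPLE_SPAM_PHP)
    (root / "media" / "cache.txt").write_text("not php\n")  # ignored: not .php
    return str(root)


if __name__ == "__main__":
    docroot = build_sample_tree()
    first_run = find_unexpected_php(docroot)
    for path, digest in first_run:
        print(f"unexpected PHP: {path}  sha256={digest[:16]}...")
    # Simulate the post's experience: the folder is deleted, then the same
    # file reappears under a different folder name ("newbags").
    later_run = [("newbags/page.php", sha256_hex(SAMPLE_SPAM_PHP))]
    print(compare_runs(first_run, later_run))
```

Run it from the server's document root (or pass the path instead of the constructed tree) on a schedule, keep the previous run's output, and feed both lists to `compare_runs`; a "recurring" entry means the dropper is still active and the cleanup so far has only removed its output.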
