Strange Wordpress Exploit POST alters encrypted php files
I turned to the ISP for help. At first it was the usual "change all your passwords." Did that, things were no better. So back with the ISP, and what we finally found was I've got two WordPress sites on my account that I host for others, but patch etc. So anyway, these two sites are separate domains and separate from the domains that the files are getting altered on.
Let's call the sites that the files are getting altered on domains 1, 2, and 3 and my home directory. We'll call the two WordPress domains 4 and 5.
What is happening so far as we've determined is that a single IP address is hitting the WordPress domains (4 and 5) with a POST call. At the same time, to the second of that POST, the encrypted php file on domains 1, 2, 3 and my home directory is altered.
So far I've blocked the IP address, which if the person is any good at all, it will stop them the first time they try hitting it tonight and that is about it.
Anyone seen this type of attack before? In the POSTs for the last two months there has been no file specified in the http logs I can see, but the person at the ISP found these from last night. So presumably these are the files the exploit is using. Though wp-atom is a redirect.
[18/May/2009:23:59:16 -0500] "POST /wp-atom.php HTTP/1.1" 302
[18/May/2009:23:59:17 -0500] "POST /wp-login.php HTTP/1.1" 200
I've checked those WP sites every way I know to see if they've been hacked, but see no external signs of that.
It's a weird one. Before it's all over I'll probably give the WordPress sites the boot. Both of them are friends' business sites and for $10 dollars a year can be hosted with their own domain at Wordpress.com and then the security isn't my headache.
So if you've got sites with encrypted php files that are breaking for no apparent reason, check the http logs at the modified time. I was doing this, but my mistake was I only checked the logs in the domains that were breaking. I needed to check all the logs in my hosting account for all domains.
Hopefully this info will benefit someone that was banging their head against the wall as I was.
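Added example (not part of the original post): a small Python sketch of the check described above, matching an altered file's modification time against POST requests in the access logs of every domain on the account rather than only the broken one. It assumes Apache common/combined log format; the domain names, client IPs and extra log lines are constructed, and only the two POST lines come from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed Apache common/combined log layout: ip ident user [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (time, ip, method, path, status) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))

def posts_near(mtime, logs, window_seconds=2):
    """List POSTs in ANY domain's log that landed within window_seconds of mtime.

    mtime: timezone-aware datetime of the altered file, e.g.
           datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    logs:  {domain_name: iterable of access-log lines}
    """
    window = timedelta(seconds=window_seconds)
    hits = []
    for domain, lines in logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue
            ts, ip, method, path, status = rec
            if method == "POST" and abs(ts - mtime) <= window:
                hits.append((domain, ip, path, status, (ts - mtime).total_seconds()))
    return sorted(hits, key=lambda h: abs(h[4]))  # closest in time first

# Constructed sample data: domain names, client IPs and the GET/noon lines are invented;
# only the two POST paths, timestamps and status codes are taken from the post.
SAMPLE_LOGS = {
    "domain1": ['198.51.100.7 - - [18/May/2009:23:59:17 -0500] "GET /index.php HTTP/1.1" 200 512'],
    "domain4": [
        '203.0.113.9 - - [18/May/2009:12:00:00 -0500] "POST /wp-login.php HTTP/1.1" 200 1024',
        '203.0.113.9 - - [18/May/2009:23:59:16 -0500] "POST /wp-atom.php HTTP/1.1" 302 0',
        '203.0.113.9 - - [18/May/2009:23:59:17 -0500] "POST /wp-login.php HTTP/1.1" 200 1024',
    ],
}
SAMPLE_MTIME = datetime(2009, 5, 18, 23, 59, 17, tzinfo=timezone(timedelta(hours=-5)))

if __name__ == "__main__":
    for hit in posts_near(SAMPLE_MTIME, SAMPLE_LOGS):
        print(hit)
```

Each hit names the domain whose log holds the POST, so a request against one site that coincides with a file change under another stands out even when the broken site's own log shows nothing.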