• Hey all,

    A client of mine is having some pretty severe exploit-related problems with his site. Essentially, a file keeps showing up in the main blog directory called press.js, which appears designed to forward the blog to a bunch of spam and malware-related sites. I have a version of the file I could probably throw up on pastebin if you guys would find it of any assistance.

    On top of this, I found this bizarre code at the top of wp-trackbacks.php:

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    Do you guys have any suggestions as to how I might deal with this? Unfortunately, I don’t have access to his database at the moment so I haven’t had a chance to check to see if that’s the issue. Any help would be appreciated.

    – Ernie

Viewing 3 replies - 1 through 3 (of 3 total)
  • tigtog

    (@tigtoggmailcom)

    Need to run the Exploit Scanner plugin to give you a better idea of the extent of the infected files. Then you’ll need database access to get rid of them properly.

    Thread Starter stoicboy

    (@stoicboy)

    I ran the plugin, and it appears those were the only two files the plugin picked up. It did not appear any posts or database entries were infected based on the scan … which makes sense due to the way it presented the content. (I did an unminify of the JS file and it showed it was forwarding to some weird Russian site). I’m going to talk with the guy about changing the password and updating the SALT files then going from there.

    That PHP code seems to inject spammy links from “genshop .org” into web pages.

    It doesn’t have anything to do with the “press.js”.

    In my experience, there should be some backdoor script on your site that hackers use for their attack. Check raw access logs for suspicious POST requests.

    There can also be some spammy rogue pages (I’ve seen this on other sites that pull spammy links from “genshop .org”).

    Could you share any additional information you might have? I’m especially interested in the “press.js” code and other suspicious files.

    You can contact me here: https://www.unmaskparasites.com/contact/
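
One way to run the access-log check suggested in the reply above, as an added example that is not part of the original thread: it groups POST requests to PHP files that a stock WordPress site would not normally receive POSTs on. The allowlist, the sample log lines and the `/wp-content/uploads/cache.php` path are assumptions made for illustration; `wp-trackbacks.php` is the file name given in the first post.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD target proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: endpoints that routinely receive POSTs on a stock WordPress
# install. Extend it for the plugins the site really uses.
EXPECTED_POST = {
    "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
    "/wp-cron.php", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
}

def unexpected_posts(lines, expected=EXPECTED_POST):
    """Group POSTs to .php files outside `expected`, busiest path first.

    Returns [(path, count, sorted_client_ips, sorted_statuses), ...].
    """
    hits = defaultdict(lambda: {"n": 0, "ips": set(), "codes": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a POST
        path = m["target"].split("?", 1)[0]  # drop the query string
        if not path.lower().endswith(".php") or path in expected:
            continue
        hit = hits[path]
        hit["n"] += 1
        hit["ips"].add(m["ip"])
        hit["codes"].add(m["status"])
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1]["n"], kv[0]))
    return [(p, h["n"], sorted(h["ips"]), sorted(h["codes"])) for p, h in ranked]

# Constructed sample lines (documentation-range IPs, made-up timestamps).
# /wp-content/uploads/cache.php is a hypothetical path for illustration.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2000:10:02:13 +0000] "POST /wp-trackbacks.php HTTP/1.1" 200 312 "-" "-"
203.0.113.7 - - [01/Jan/2000:10:02:19 +0000] "POST /wp-trackbacks.php?a=1 HTTP/1.1" 200 298 "-" "-"
198.51.100.23 - - [01/Jan/2000:10:05:44 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 57 "-" "-"
192.0.2.44 - - [01/Jan/2000:10:06:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2000:10:07:30 +0000] "GET /press.js HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for row in unexpected_posts(SAMPLE_LOG):
        print(row)
```

The flagged paths are leads for manual review: compare each file against a clean copy of the same WordPress version before deciding what it is.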

  • The topic ‘Dealing with exploit related issues’ is closed to new replies.