Daily file changes?

Hi,
To my knowledge WP does not update itself at all without provocation. ??

The answer certainly would partly depend on what the hack was. And did you truly find the cause? The reason that I ask is that there is a “popular” hack where malware gets on your system and works like this: it looks for common FTP programs, and if it finds one with stored passwords, it goes to work, logging onto each site and writing its malware links into as many index files in every folder that it can find. Then visitors to your site get more malware, and the cycle continues.

And it will basically go on doing that forever, completely unnnoticed by you, until you get rid of the malware. I would check your system and also talk to your host – they have logs of site activity, and if they don’t suck, they will do some checking on that for you.

I just saw one of those malware hacked sites today. Something to check, anyway.

Good luck.

Thank you for a prompt reply.

The system was thoroughly cleaned after it was hacked, so if this is the result of an attack, it is a new attack. As I mentioned, it has only begun since updating to 3.0.1. There was no suspicious behavior for months. Furthermore, ALL of the files in WordPress are affected.

Do you have any sense of what the malicious script might look like? It would help me if I had a sense of what I should be looking for.

And again, Thanks.

If all of the files in WordPress are affected, it’s not the malware I’m familiar with, which only hits index files. And to answer your question, the malware I described isn’t exactly visible, it’s in the Windows registry and is detected and cleaned by malware scanners, such as Malwarebytes. I don’t know if that malware could hit a Mac or Unix box, possibly not.

You’d best begin consulting with security experts, and that’s not me. ?? You’re in for some detective work. First, you could check the time and date of the hacked files. Then with that info, talk to your host tech support and see if they can view logs of what was happening on your site at that time. They could quickly rule out FTP, for instance, from these logs.

You also didn’t give details on what crap the hackers put in your files. I would do Google searches on what you found, and this could lead to the most useful info.

IMO, this isn’t a hack via someone stealing your WP password, as I think they wouldn’t tend to bother updating your files, they’d probably just screw with your site content. But maybe I’m wrong.

Good luck, D

I changed my FTP password, and it is still happening. Is this just a bug?

I’m reticent to start referring to this as “being hacked”, because there doesn’t seem to be anything malicious going on. This falls more into the category of unusual behavior.

I have compared several of the files to that of a fresh install, and I haven’t found ANY difference in the code.

My host also hasn’t been able to find anything specifically wrong.

If this is a bug, it is frustrating, because the point of the file monitor plugin is to alert me to suspicious changes, but if changes are constant, how will I know?