Files being added to one of my sites

  • I’m hoping that someone can help me out on this. I have a site that files were added to. I had WP File Monitor added and it notified me that files were added to wp-includes/images and then a couple of files were changed. I removed them and then added WP Defender in the hopes that it would tell me if I had security setup wrong on a folder or something.

    WP Defender did find a couple of things but they were all very minor, low alerts. But whatever is going on, keeps happening. I will go through and remove/restore things and then in a day or so, they are all right back. Here is a list of the files added/changed from the WP File Monitor plugin. I’m hoping that someone here recognizes what this is and now I can fix my site to not let them in anymore.

    Files Changed:

    /wp-content/plugins/index.php
    /wp-includes/post-template.php

    Files Added:

    /wp-content/plugins/jquery-lightbox-for-native-galleries/wp-ajax-gadget.php
    /wp-content/plugins/wassup/zipper-class.php
    /wp-includes/images/list10.gif
    /wp-includes/images/list106.gif
    /wp-includes/images/list914.gif
    /wp-includes/images/list98.gif
    /wp-includes/images/nix156.doc
    /wp-includes/images/nix252.doc
    /wp-includes/images/nix380.doc
    /wp-includes/images/nix572.doc
    /wp-includes/images/nix580.doc
    /wp-includes/images/nix676.doc
    /wp-includes/images/nix732.doc
    /wp-includes/images/nix772.doc
    /wp-includes/images/nix828.doc
    /wp-includes/images/nix868.doc
    /wp-includes/images/pub281.jpg
    /wp-includes/images/pub377.jpg
    /wp-includes/images/pub608.doc
    /wp-includes/images/pub665.jpg
    /wp-includes/images/pub705.jpg
    /wp-includes/images/pub761.jpg
    /wp-includes/images/pub801.jpg
    /wp-includes/images/pub857.jpg
    /wp-includes/images/pub953.jpg
    /wp-includes/images/sched15.tar
    /wp-includes/images/sched734.gif
    /wp-includes/js/scriptaculous/query.js.php

    Has anyone else experienced this or have any idea what I can do to make this stop happening?

Viewing 3 replies - 61 through 63 (of 63 total)
  • Thread Starter rsconsult

    (@rsconsult)

    Just a word of advice to those who may run multiple sites under the same SFTP/FTP account – you need to use the instructions on all of the sites under that ID, not just the one(s) that may be infected. If not, something may be hidden and it will come back.

    Hello Everyone,
    It seems that everything is fine now, if anyone met any problem, I would be glad to help. Its been my pleasure knowing you all and sharing with you all.
    Regards,
    Nihad

    sleeplessindc

    (@sleeplessindc)

    I just discovered this hack today in my blog when I tried to publish a new page. Thanks so much for all the research you’ve done on this. Before I found this discussion, I had reinstalled WordPress (I am on 3.4.2). I’ve followed all the instructions and hope that it is now fixed. The plugins that were altered and the wp-includes directory all had a date of 11/11/12 8:25 a.m. I found Zipper-class.php in my gravity-forms-custom-post-types plugin and wp-ajax-gadget.php in my wp-super-cache
    In the database options table, I found
    ftp_credentials and rss_images and rss_something? (can’t remember what it was named) All plugins except one had 755 permissions. The php-execution-plugin had a 777 permission. I changed that to 755.

    I’ve also let Dreamhost know about the problem and they are helping to scan my files and make fixes on their end if they can. Looks like whoever is doing this is still at it.

Viewing 3 replies - 61 through 63 (of 63 total)
  • The topic ‘Files being added to one of my sites’ is closed to new replies.