Help locating source of intrusion
91.224.160.116 [24/Sep/2012:09:13:50 -0600] GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php HTTP/1.1
91.224.160.116 [24/Sep/2012:09:13:51 -0600] GET /wp-content/plugins/wp-phpmyadmin/phpmyadmin/index.php HTTP/1.1
91.224.160.116 [24/Sep/2012:09:13:52 -0600] GET /wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1
91.224.160.116 [24/Sep/2012:09:13:52 -0600] POST /wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1
91.224.160.116 [24/Sep/2012:09:13:53 -0600] POST /wp-content/plugins/wp-phpmyadmin/phpmyadmin/config/config.inc.php HTTP/1.1
91.224.160.116 [24/Sep/2012:09:13:54 -0600] GET /wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1
91.224.160.116 [24/Sep/2012:09:13:55 -0600] POST /wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1
POST /img/syelgp.php HTTP/1.1

This is all I’ve been able to find after the file syelgp.php was uploaded to my IMG folder, and contained the code:
[Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]
I checked the setup.php and config files and compared them to previous backups and saw no changes. Were these files accessed at all? How was syelgp.php able to be uploaded at all? I’m able to remove the virus no problem, but can never stop it at the source. I’ve followed generic “secure WordPress” lists and it has made no change.
Any ideas?
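
Added example, not part of the original post: a triage script for access logs in the layout shown above. It flags PHP files requested under directories assumed to hold only static content and lists the earlier POST requests from the same client. The sample lines, the documentation IP addresses, the timestamp on the /img/ request and the STATIC_DIRS policy are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the post's log layout: client, [timestamp], request line.
# 192.0.2.x / 198.51.100.x are documentation addresses, not values from the post.
SAMPLE_LOG = """\
192.0.2.10 [24/Sep/2012:09:13:52 -0600] GET /wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1
192.0.2.10 [24/Sep/2012:09:13:52 -0600] POST /wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1
198.51.100.7 [24/Sep/2012:09:14:05 -0600] GET /index.php HTTP/1.1
192.0.2.10 [24/Sep/2012:09:20:31 -0600] POST /img/syelgp.php HTTP/1.1
POST /img/syelgp.php HTTP/1.1
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] ([A-Z]+) (\S+) HTTP/\d\.\d$')
# Assumed policy: these directories hold static content, so PHP requests there are suspect.
STATIC_DIRS = ("/img/", "/wp-content/uploads/")

def parse(text):
    """Return (events, unparsed); lines missing client or timestamp are kept aside."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            if line.strip():
                unparsed.append(line.strip())
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m.group(1), "ts": ts, "method": m.group(3), "path": m.group(4)})
    return events, unparsed

def triage(events, window=timedelta(hours=24)):
    """For each PHP file requested under a static directory, find its first hit and
    the earlier POSTs from the same client inside the window: the requests to review."""
    first_hit = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["path"].startswith(STATIC_DIRS) and e["path"].split("?")[0].endswith(".php"):
            first_hit.setdefault(e["path"], e)
    report = {}
    for path, hit in first_hit.items():
        report[path] = [p for p in events
                        if p["ip"] == hit["ip"] and p["method"] == "POST"
                        and p["path"] != path and hit["ts"] - window <= p["ts"] < hit["ts"]]
    return report
```

The excerpt in the post carries no status codes or response sizes, so a report like this shows which requests to review, not whether they succeeded.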