• Torgut

    (@torgut)


    Now, this is a problem. Every 24 hours or so, my error_log is written apparently by WP until the space of my hard disk is fully taken.

    It starts like this and goes on without variations:

    [Sat Nov 15 13:39:55 2014] [error] [client 93.103.21.231] PHP Warning: opendir(): SAFE MODE Restriction in effect. The script whose uid is 10007 is not allowed to access / owned by uid 0 in Command line code(1) : eval()’d code on line 34
    [Sat Nov 15 13:39:55 2014] [error] [client 93.103.21.231] PHP Warning: opendir(/): failed to open dir: No such file or directory in Command line code(1) : eval()’d code on line 34
    [Sat Nov 15 13:39:55 2014] [error] [client 93.103.21.231] PHP Warning: readdir() expects parameter 1 to be resource, boolean given in Command line code(1) : eval()’d code on line 35
    [Sat Nov 15 13:39:55 2014] [error] [client 93.103.21.231] PHP Warning: readdir() expects parameter 1 to be resource, boolean given in Command line code(1) : eval()’d code on line 35
    [Sat Nov 15 13:39:55 2014] [error] [client 93.103.21.231] PHP Warning: readdir() expects parameter 1 to be resource, boolean given in Command line code(1) : eval()’d code on line 35

    Support of Hostgator tried to diagnose this and they came out with this conclusion:

    The error log entry also implies that the “readdir()” function is used because of the “eval()” function, so we can assume the scripts responsible make a mention of both. We looked for this, and this cut down the potentially responsible scripts considerably:
    ######################################################
    [root@tor httpdocs]# for file in $(find -type f -name "*.php" -exec grep -ls "eval(" {} \;); do grep -ls "readdir(" $file ;done
    ./xxx/wp-admin/includes/class-pclzip.php
    ./wp-admin/includes/class-pclzip.php
    [root@rat httpdocs]#
    ######################################################
    Either (or both) of those two scripts are likely responsible for this.

    What can be the problem?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Matt Knowles

    (@aestheticdesign)

    The IP 93.103.21.231 is from Slovenia. Unless you’re expecting wp-admin users from Slovenia, I would be suspicious of it.

    Are all of the entries in the error_log file the same IP address? If so then you might be getting a DOS attack and you should block that IP address, or have your host block it upstream.

    I would also look at your access log file to see the activity for 93.103.21.231 and see if the URLs they’re typing are normal WordPress URLs or if they are trying to do some type of PHP or SQL injection.

    The pclzip.php file handles the processing of .zip files. Its only use should be by an admin, so the fact you’re getting enough hits on it to cause a huge error_log makes me very suspicious you’re getting hit by either a DOS attack or they’re trying to hack into your site.
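
The question of whether every error_log entry comes from the same IP can be answered by summarizing the log per client, per PHP function and per code location. The following is an added example, not part of the original thread: the sample entries are constructed (documentation-range IPs, in the Apache error_log format quoted in the first post), and the function names `parse` and `summarize` are hypothetical. It also splits entries that were run together on one line.

```python
import re
from collections import Counter
from datetime import datetime

TS = r"\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}"
# One Apache 2.2-style entry; the lookahead ends the message at the next
# timestamp, so several entries run together on one line are still split.
ENTRY = re.compile(
    rf"\[(?P<ts>{TS})\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] "
    rf"(?P<msg>.*?)(?=\s*\[{TS}\] \[|\s*\Z)", re.S)

def parse(text):
    """Yield (timestamp, client_ip, php_function, location) per entry."""
    for m in ENTRY.finditer(text):
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        # PHP appends " in <file> on line <n>"; split on the last " in ".
        head, _, where = m["msg"].rpartition(" in ")
        func = re.search(r"PHP \w+:\s+(\w+)\(", head or where)
        yield when, m["ip"], func.group(1) if func else "?", where if head else "?"

def summarize(text):
    """Count entries per client, PHP function and code location."""
    rows = list(parse(text))
    ips = Counter(ip for _, ip, _, _ in rows)
    top_ip, top_hits = ips.most_common(1)[0] if ips else (None, 0)
    times = [t for t, *_ in rows]
    return {
        "entries": len(rows),
        "by_ip": ips,
        "by_function": Counter(f for _, _, f, _ in rows),
        "by_location": Counter(w for *_, w in rows),
        "top_ip": top_ip,
        "top_ip_share": top_hits / len(rows) if rows else 0.0,
        "span_seconds": (max(times) - min(times)).total_seconds() if rows else 0.0,
    }

# Constructed sample entries (not taken from a real log); IPs are documentation ranges.
LOC = "Command line code(1) : eval()'d code"
def _e(sec, ip, msg):
    return f"[Sat Nov 15 13:39:{sec} 2014] [error] [client {ip}] {msg}"
SAMPLE = (
    _e(55, "203.0.113.7", f"PHP Warning: opendir(): SAFE MODE Restriction in effect. The script whose uid is 10007 is not allowed to access / owned by uid 0 in {LOC} on line 34") + "\n"
    + _e(55, "203.0.113.7", f"PHP Warning: opendir(/): failed to open dir: No such file or directory in {LOC} on line 34") + " "
    + _e(55, "203.0.113.7", f"PHP Warning: readdir() expects parameter 1 to be resource, boolean given in {LOC} on line 35") + "\n"
    + _e(56, "203.0.113.7", f"PHP Warning: readdir() expects parameter 1 to be resource, boolean given in {LOC} on line 35") + "\n"
    + _e(57, "198.51.100.20", "PHP Notice: Undefined index: page in /var/www/example/index.php on line 12") + "\n"
)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A `top_ip_share` close to 1.0 over a short `span_seconds` points at a single client driving the log growth; the same IP can then be looked up in the access log to see which URLs it requested.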

    Matt Knowles

    (@aestheticdesign)

    Googling “hacker pclzip.php” does show this is a file that hackers attempt to exploit.

    I would first suggest moving your WordPress installation into a sub-directory rather than in your root directory.

    I would also install the rename wp-admin plugin as a security measure.

    Thread Starter Torgut

    (@torgut)

    Matt, great advice! To be honest the IP caused me a raised eyebrow but as the tech man didn’t mention it I kept the thought to myself. I will follow this hint and research a bit more. Thanks a lot!

  • The topic ‘pclzip.php: error_log being written by WP at a pace of 1 Gb per minute’ is closed to new replies.