• Hi,
    Yesterday I saw some strange log entries in my postfix log:

    Jul 22 07:39:13 sd-30878 postfix/pickup[28325]: 2EBA9A3068: uid=33 from=<www-data>
    Jul 22 07:39:13 sd-30878 postfix/qmgr[21483]: CCAA5A35CB: from=<[email protected]>, size=807, nrcpt=1 (queue active)
    Jul 22 07:39:13 sd-30878 postfix/cleanup[24144]: D73F8A3707: message-id=<2928924585971f30e79da599f635aacf@>
    Jul 22 07:39:13 sd-30878 postfix/qmgr[21483]: D73F8A3707: from=<[email protected]>, size=803, nrcpt=1 (queue active)
    Jul 22 07:39:13 sd-30878 postfix/cleanup[24145]: E10C0A379D: message-id=<da6d149bb8e7c0aaa02e16af6ce0d50b@>

    Almost 80k messages / night were about to be sent by my postfix daemon!

    So I started to look at my Apache logs and I found these kinds of events:
    201.52.255.61 - - [20/Jul/2012:06:55:11 +0200] "GET /phpmail.php HTTP/1.0" 200 1317 "-" "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1"

    And in my wordpress directory these files were added :

    -rw-r--r--  1 www-data www-data  46992 juil. 20 06:55 class.phpmailer.php
    -rw-r--r--  1 www-data www-data  34571 juil. 20 06:55 class.smtp.php
    -rw-r--r--  1 www-data www-data   7289 juil. 20 06:55 phpmail.php
    -rw-r--r--  1 www-data www-data 191601 juil. 20 06:41 wp-index.php
    -rw-r--r--  1 www-data www-data   3149 juil. 20 06:41 x.txt

    Apparently there was no other file compromised, but I probably have to reinstall everything from scratch to avoid any backdoor implemented on my server. What I don’t understand is how they put these files there, as I have an up-to-date WordPress (3.4.1)!

    Any ideas or investigation tracks?

    L.
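
Added triage example, not from the thread or from WordPress: it parses the two log formats quoted above (postfix/pickup lines, where uid=33 is the www-data user on Debian-style systems, and Apache combined access lines), counts how much mail the web-server uid submits locally, and lists direct requests to PHP files that are not standard WordPress entry points such as the dropped `phpmail.php`. The allow-list, the threshold and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Postfix "pickup" lines record local submissions via sendmail(1), which is how
# PHP mail() hands mail to postfix; Apache lines follow the combined log format.
PICKUP_RE = re.compile(r'postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>')
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# PHP files WordPress legitimately exposes for direct requests (assumed allow-list).
WP_ENTRYPOINTS = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php", "/wp-comments-post.php"}

def pickups_by_uid(postfix_log):
    """Count locally submitted messages per (uid, sender) as seen by postfix/pickup."""
    counts = Counter()
    for line in postfix_log.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            counts[(int(m.group("uid")), m.group("sender"))] += 1
    return counts

def direct_php_hits(access_log):
    """Return (ip, path, status) for requests to PHP files outside the known entry points."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            path = m.group("path").split("?", 1)[0]   # drop any query string
            if path.endswith(".php") and path not in WP_ENTRYPOINTS and not path.startswith("/wp-admin/"):
                hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

def triage(postfix_log, access_log, web_uid=33, max_web_mails=10):
    """Flag the web-server uid submitting more mail than expected and list suspicious PHP hits."""
    web_mails = sum(n for (uid, _), n in pickups_by_uid(postfix_log).items() if uid == web_uid)
    return {"web_uid_mails": web_mails,
            "web_uid_exceeds": web_mails > max_web_mails,
            "php_hits": direct_php_hits(access_log)}

# Constructed sample lines modelled on the formats quoted in the post (not real logs).
POSTFIX_SAMPLE = """\
Jul 22 07:39:13 sd-30878 postfix/pickup[28325]: 2EBA9A3068: uid=33 from=<www-data>
Jul 22 07:39:14 sd-30878 postfix/pickup[28325]: D73F8A3707: uid=33 from=<www-data>
Jul 22 07:39:14 sd-30878 postfix/pickup[28325]: E10C0A379D: uid=33 from=<www-data>
Jul 22 08:00:00 sd-30878 postfix/pickup[28325]: F00D0A3800: uid=0 from=<root>
"""
ACCESS_SAMPLE = """\
203.0.113.7 - - [20/Jul/2012:06:55:11 +0200] "GET /phpmail.php HTTP/1.0" 200 1317 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jul/2012:07:01:02 +0200] "GET /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
"""
```

Running `triage(POSTFIX_SAMPLE, ACCESS_SAMPLE, max_web_mails=2)` on the samples reports 3 messages from uid 33 (over the threshold) and the single direct hit on `/phpmail.php`; on a real host, feed it `/var/log/mail.log` and the site's access log for the night in question.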

Viewing 1 replies (of 1 total)
  • Thread Starter Looic

    (@looic)

    OK, I got it. One of my hosted sites installed a WordPress theme from an untrusted source, with a nice backdoor in it!

    Sorry for the false alert and have a nice day!

  • The topic ‘WordPress 3.4.1 hacked ?’ is closed to new replies.