Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Forum: Fixing WordPress
    In reply to: 2.7.1 Hacked
    Thread Starter baa912

    (@baa912)

    Does anybody know what that code above does?

    I am not a programmer, so I can’t translate it. Nor can I look at log files and tell you what happened. I deleted the 2 plugins using FTP before I even noticed that they had been activated. When I went back into wp, it said it could not find them, so they were deactivated by wp.

    I DO THINK wp 2.7.1 – I’m positive of it. It’s pretty obvious.

    I allowed anyone to register and they could enter posts and comments. All posts and comments had to be approved by an administrator first.

    When they registered with that code in their user profile (or sql use db), they showed up as a contributor when listed, but I think they actually had administrator privileges. They did not do anything else that was malicious like change my passwords, delete files, etc.

    ALL SOFTWARE is supposed to be hack proof!!!!! If you believe anything else, you are WRONG.

    Bill

    Forum: Fixing WordPress
    In reply to: 2.7.1 Hacked
    Thread Starter baa912

    (@baa912)

    Why do I say 2.7.1 is hackable? Because I deleted the user in question and about 12 hours later another user had registered and had done the same thing. Somehow they are able to register and insert the code that makes them an administrator. They were able to install 2 activated plugins and change my index file to include some links. I deleted all this stuff and reinstalled a new copy so I don’t know exactly what they did. Also… I am not the only one to have this happen to me.

    All I have is 1 plugin which is an ad rotator – it displays/rotates graphic ads – no form input.

    Seems like they would have to have FTP access to do this?

    I did allow anybody to register, but all posts and comments had to be approved first. Now I don’t allow registrations at all. I’ll do all the posting from now on.

    Bill

    Forum: Fixing WordPress
    In reply to: 2.7.1 Hacked
    Thread Starter baa912

    (@baa912)

    BTW… I fixed this problem by deleting ALL users. Now my blog is set up to not allow registrations – real good huh?

    What kind of blog is that?

    Bill

    Thread Starter baa912

    (@baa912)

    OK… I seemed to have fixed this. I had just upgraded from 2.7 to 2.7.1 when this started. To see if it was a plugin that was causing it, I deactivated all plugins and reactivated them. This fixed the problem.

    Bill

    Thread Starter baa912

    (@baa912)

    Well… like I said, I’m not an expert on these things. The hack seemed to happen in Sept 08 and I just now am noticing it. I first noticed that my posts were no longer being indexed by Google and started out to figure out why. Just by accident, I noticed when I pressed the back button, some strange site was trying to load that I did not recognize. Keep in mind that I never noticed anything strange going on on my blog to date. Upon further investigation, I found some encrypted code within several of the php files. Also some new php files altogether like a remv.php file in the wp-content/themes folder.

    I still do not know exactly what these hacks were doing, but Google obviously recognized it. Don’t know if the hack is still in one of the comments in my database or not.

    IMPORTANT UPDATE: I just tested putting javascript into a post or comment while logged on as a contributor and it did not work as it does when you are logged in as administrator. Seems like administrator allows javascript and contributor does not. Also under settings/discussion, there are moderation and blacklist filters that may be useful.

    So… in order to do the hack, the person would have to be logged in as administrator? Since it happened back in Sept 08, maybe I was using a more vulnerable version? Maybe one of my plugins or theme is hackable? Don’t know!
