czhannes
Forum Replies Created
Forum: Fixing WordPress
In reply to: Phishing links
Ipstenu, I get like 500 comments a day so manually checking all comments with links is not an option. i just need to print literally what users enter.
Forum: Fixing WordPress
In reply to: Phishing links
i know what tinyurl does. i know what spam is. this is nothing like that, these comments are manually added, very intentional, misusing some “feature” in wordpress. all i need to do is disable comment structure mentioned above.
Forum: Plugins
In reply to: [Plugin: WP Super Cache] expired pages not deleting
i rather moved back to 0.6.8 which seems to work fine…
Forum: Fixing WordPress
In reply to: [SERIOUS] numerous hacking attempts
okay, i found the remote shell.
i did it by using this useful command which searches for the term c99. there are basically two remote shells coming from russian hackers, r57 and c99. i scanned the machine for both of them and there were 2 c99 shells uploaded in folders of other wordpress blogs.
find /path/to/www/ -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
i hope the attacks will stop now
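A report-only variant of the search in the post above, added here as an example and not part of the original post: it lists candidate files for manual review instead of generating rm commands, and also flags any PHP file under an uploads directory. The marker regex, the uploads check, the output labels and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report-only triage for the c99 / r57 markers named in the post.
# Assumptions (not from the post): the marker regex, the uploads check, and
# the output labels MARKER / PHP_IN_UPLOADS.

# Markers as whole tokens, optionally followed by "shell" (c99shell, r57shell),
# so identifiers such as abc99x do not match. Hits still need manual review.
MARKER_RE='(^|[^[:alnum:]_])(c99|r57)(shell)?([^[:alnum:]_]|$)'

scan_webshell_markers() {
    root=$1
    # Pass 1: PHP files whose content carries a marker. -exec ... {} + keeps
    # file names with spaces intact; grep -l prints each matching file once.
    find "$root" -type f -name '*.php' \
        -exec grep -l -i -E "$MARKER_RE" {} + 2>/dev/null | sed 's/^/MARKER /'
    # Pass 2: any PHP file below an uploads directory, marker or not, since
    # an obfuscated shell would not contain the plain strings.
    find "$root" -type f -path '*/uploads/*' -name '*.php' |
        sed 's/^/PHP_IN_UPLOADS /'
}

# Constructed sample tree (not real data) to show the report format.
build_sample_tree() {
    dir=$1
    mkdir -p "$dir/blog a/wp-content/uploads" "$dir/blog b/wp-includes"
    printf '<?php // c99shell v1 placeholder text ?>\n' \
        > "$dir/blog a/wp-content/uploads/img.php"
    printf '<?php $abc99x = 1; ?>\n' > "$dir/blog b/wp-includes/ok.php"
    printf '<?php echo "R57"; ?>\n' > "$dir/blog b/index.php"
    printf 'c99 in a text file\n' > "$dir/blog a/wp-content/uploads/note.txt"
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_sample_tree "$tmp"
    scan_webshell_markers "$tmp" | sed "s|$tmp/||"
    rm -rf "$tmp"
}
demo
```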
Forum: Fixing WordPress
In reply to: [SERIOUS] numerous hacking attempts
i sent an email to wordpress security. i went through hundreds of megabytes of logs but didn't find anything (how they managed to upload the file there, just various ips accessing the file). i updated all software on the server but it still continues…
Forum: Fixing WordPress
In reply to: [SERIOUS] numerous hacking attempts
hm… now when you have proof… no one?
Forum: Fixing WordPress
In reply to: [SERIOUS] numerous hacking attempts
i just found an exploit uploaded to my server, it was in /wp-content/uploads.
here’s the code: https://paste2.org/p/67510
Forum: Fixing WordPress
In reply to: [SERIOUS] numerous hacking attempts
okay, it happened again this night with someone completely changing the frontpage and uploading a different file with redirect there.
i noticed two things:
1) a few minutes prior to the hack, i received an email that the password of one of my users has been changed. i guess the hack is directly linked to that, possibly some vulnerability in users table
2) prior to the hack, the url was changed in wordpress settings (removed www.) and title and description of the blog was completely removed.
i still think there may be a private/unknown exploit. the second option is some vulnerability on the server (kernel, apache, sql or any other software), although this doesn’t seem that realistic.
Forum: Fixing WordPress
In reply to: [SERIOUS] numerous hacking attempts
that was a different blog on a different host which has been hacked before. this one was always fine and secure.
i am on my own dedicated server, i don't plan moving anywhere else. i tried to enable safe mode but some plugins like wp super cache don't work with safe mode being turned on. i at least added some functions to disabled functions in php settings.
Forum: Fixing WordPress
In reply to: Hacked (added malicious code)
ok i checked the FTP log and saw everything there, someone somehow cracked my ftp account and connected there, rewrote a file and disappeared – all of this under 3 different IPs… shit
Forum: Themes and Templates
In reply to: word detection
I’m not sure if this is a good choice, it’s meant for something slightly different and its website is also dead
Forum: Themes and Templates
In reply to: Automatic more
thanks i will give it a try