Thanks to ‘amcjoe’ for mentioning that Network Solutions changed people’s database passwords this morning. I changed the database username & password on my friend’s WP blog last night, as well as changing all the table prefixes, and got the blog running again this morning, only to be greeted by a database error this afternoon. It turns out that NetSol changed the wp-config database password but did NOT update the db password.
But the main reason I’m posting this is to mention that I believe ‘woodja’ hit the nail on the head in his post 2 days ago. My friend’s blog is not even public yet, and the XML-RPC option is turned off in WP. After the first attack I turned on the Raw logging function and saw the same IP ‘woodja’ mentioned, and access of the xmlrpc.php file at the time of the second attack. I then compared the xmlrpc.php file to a fresh copy and they were identical, which indicates to me that a backdoor exploit exists within the file.
It might be possible to simply tighten up the file permissions for the file, but I’ve gone ahead and deleted the xmlrpc.php file. If you’d like to try this fix, first ensure the XML-RPC option is turned off (it’s in Settings > Writing under Remote Publishing), then delete the xmlrpc.php file from your WP installation either via FTP or using the File Manager.
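The check the post describes, picking xmlrpc.php requests out of the raw access log and grouping them by client IP so they can be lined up against the time of an incident, as an added example that is not part of the original post. The log lines and IP addresses below are constructed for the example; the parser assumes the Apache "combined" log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:02:14:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:02:14:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:02:15:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:02:16:40 +0000] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "curl/7.68.0"
this line is not a valid log entry
"""

# Client IP, timestamp, request method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_hits(log_text):
    """Group every request for xmlrpc.php by client IP.

    With Remote Publishing disabled in WordPress, nothing legitimate should be
    calling this endpoint, so each entry here is worth a second look.
    Returns {ip: {"count": n, "timestamps": [...], "statuses": [...]}}.
    """
    hits = defaultdict(lambda: {"count": 0, "timestamps": [], "statuses": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not valid log entries
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if path.endswith("/xmlrpc.php"):
            entry = hits[rec["ip"]]
            entry["count"] += 1
            entry["timestamps"].append(rec["ts"])
            entry["statuses"].append(int(rec["status"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, info in xmlrpc_hits(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} xmlrpc.php request(s), first at {info['timestamps'][0]}")
```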