kdelayed
Forum Replies Created
-
Forum: Fixing WordPress
In reply to: wp-admin is deny all
This is very weird. I was trying to figure out how to disable plug-ins from the command line and found this page:
https://brakertech.com/disable-enable-wordpress-plugin-command-line/
After looking at the php file, I followed the instructions and downloaded & ran it:
# php wp_disable_plugins.php
<Files *.php>
deny from all
</Files>
Active plugins:
- CustomQueryStringUTW/custom-query-string-utw.php
- SK2/spam_karma_2_plugin.php
- WP-SEO-Master/wp-seo-master.php
- aizattos_related_posts.php
- akismet/akismet.php
- all-in-one-seo-pack/all_in_one_seo_pack.php
- dd-formmailer/dd-formmailer.php
- google-sitemap-generator/sitemap.php
- homepage_excerpts.php
The lines
<Files *.php>
deny from all
</Files>
don't appear in the example on the site I downloaded the script from,
and when I run
cat wp_disable_plugins.php
and look at the script on the server those lines aren’t in it.
Is that supposed to be there?
(entirely possible I am on the wrong track with this line of inquiry)
Forum: Fixing WordPress
In reply to: wp-admin is deny all
Rajesh Soni:
I am not logged in & cannot get to a page where I would be able to disable the plug-ins. I would like to try disabling them.
Seacoast Web Design:
I renamed the .htaccess files in both root and wp-admin (I didn't want to completely delete them because I will need to copy some of the info from it to a new one. I'm assuming that renaming would be as effective as deleting the file for this purpose but maybe I am wrong).
I emailed my webhost for confirmation and have not heard back yet but it is a dedicated server, they have never made any changes to it before (even when asked).
The site scanner check came back clean. (sucuri, unmaskparasites, isithacked)
Thanks for the suggestions folks.
Since I’m just working with these people temporarily (yet the problem comes up often for me), I need a more portable solution than managewp.com. But I can suggest it to web developer.
I’ve been working on this on and off all weekend and have come up with a few helpful things, but no total solution. Since I have ssh access to the server:
This finds all the php files that have been changed in the last 1 day
find . -name '*.php' -mtime -1 -print
This prints out the version for each WordPress installation in the directory:
find . -name 'version.php' -path '*wp-includes/*' -print -exec grep '$wp_version =' {} \; -exec echo "" \;
This was the best search line I found for finding timthumb:
find . | grep php | xargs grep -s timthumb
As far as hacker tools and things that work from outside the server, I gave up on metasploit and am currently playing with wpscan:
https://code.google.com/p/wpscan/
It still does more than I need but is way more focused than the other programs I've tried. I need to mess around with it some more, but I haven't gotten the most important feature (to me) working:
Plugin vulnerability enumeration (based on plugin name)
I also haven't figured out how to give it a list of sites. Giving it 17 sites one at a time is possible but a pain. I want it to either take a list of sites as input or (if IP addresses work this way, I'm not sure if all the sites would have the same address) 1 IP and find all the sites hosted there.
Anyway, I'm still up for suggestions and maybe these partial ideas will help someone dealing with many WordPress installs.
Forum: Plugins
In reply to: [Plugin: Contact Form 7] Where do you set the form action
That is absolutely bizarre that it can't be changed. But also kind of makes me feel better since I have been trying/failing all afternoon.
Why: He’s got some outside company that wrote him a custom script. They keep the script on their servers and just give you a link to it.
Forum: Plugins
In reply to: [Plugin: Contact Form 7] Where do you set the form action
Thanks but I really did read both of those and still don't see it. I just want to set the form action and as far as I can tell every other form element is mentioned except the form tag itself.
Forum: Fixing WordPress
In reply to: site is sending spam, how to stop it
Oops, it's not the horse photo blog, it's the wedding photo blog:
https://www.photographybybilal.com/
However, I still know they are not sending this spam on purpose. I'm assuming it was hacked. I've run the site through some online site scanners like urlvoid and sucuri.net but both say the site is clean. I've been manually looking at .php files for suspicious code in the site's home directory but that's not efficient and I don't even know if I'd know a malicious script if I saw it.
This may be unrelated or taking off on a tangent, but in my googling on this issue, I came across info about the timthumb exploit. (https://www.exploit-db.com/wordpress-timthumb-exploitation/). I ran the suggested find command on this specific site's directory:
find . | grep php | xargs grep -s timthumb
and didn't find anything. But when I moved up to the /home directory, I found 3 other sites with timthumb. Running those 3 through sucuri.net confirmed they contained infected code. I deleted the infected images and changed the permissions on the upload directory so no one can use it. I don't know if this could be related to the fact that a different site on the server is sending spam or a separate problem.
Also, are there more tools/scanners/scripts/whatever that can be run on all the directories on the server to check for issues or am I mostly limited to going through each site one at a time?
I did write a little bash script that lists the directory and version of WordPress (and am quite proud of myself too) but this is not really my thing and I would imagine it's a common need, but brief searching didn't find anything.
kd
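An added example (not the poster's own script) that combines the server-side checks from the two posts above: it lists every WordPress install under one root with its version by parsing wp-includes/version.php, then reports PHP files changed in the last day and PHP files containing the string timthumb. The function names and the constructed sample tree are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not the poster's script: audit many WordPress installs under one root.
# Function names and the sample tree are constructed for this illustration.

# Print "install_dir<TAB>version" for every wp-includes/version.php under $1.
wp_versions() {
    find "$1" -path '*wp-includes/version.php' -print 2>/dev/null | sort |
    while read -r f; do
        # version.php holds a line such as:  $wp_version = '3.4.2';
        ver=$(grep '^\$wp_version *=' "$f" | head -n 1 | cut -d "'" -f 2)
        printf '%s\t%s\n' "${f%/wp-includes/version.php}" "${ver:-unknown}"
    done
}

# PHP files modified within the last 24 hours (the poster's find, with the glob quoted).
recent_php() {
    find "$1" -name '*.php' -mtime -1 -print 2>/dev/null | sort
}

# PHP files that mention timthumb, the string the poster grepped for.
timthumb_hits() {
    find "$1" -name '*.php' -exec grep -ls timthumb {} + 2>/dev/null | sort
}

# Constructed sample tree: two installs, one of which carries a timthumb copy.
make_sample_tree() {
    mkdir -p "$1/siteA/wp-includes" "$1/siteB/wp-includes" "$1/siteB/wp-content/themes/t"
    printf "<?php\n\$wp_version = '3.4.2';\n" > "$1/siteA/wp-includes/version.php"
    printf "<?php\n\$wp_version = '3.3';\n" > "$1/siteB/wp-includes/version.php"
    printf "<?php // timthumb script v2.8\n" > "$1/siteB/wp-content/themes/t/thumb.php"
}

root=$(mktemp -d)
make_sample_tree "$root"
echo "== installs and versions =="; wp_versions "$root"
echo "== php files changed in the last day =="; recent_php "$root"
echo "== php files mentioning timthumb =="; timthumb_hits "$root"
rm -rf "$root"
```

Run it against a real server as `wp_versions /home` (or the directory holding the sites) instead of the sample tree; the sort keeps output stable when comparing runs day to day.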