Forum Replies Created

Viewing 15 replies - 16 through 30 (of 120 total)
  • Thread Starter steve-d

    (@steve-d)

    Let me clarify: it was the original default theme, not Twenty Ten, that somehow produced this anomaly. My fix was simply to delete the old default theme, which I do not use anyway.

    Thread Starter steve-d

    (@steve-d)

    It was being caused by the WordPress Default Theme.

    Thread Starter steve-d

    (@steve-d)

    I’d ask my host to turn it off in the php.ini

    They just upgraded PHP; that could be it. My other option might be an htaccess tweak of some kind.

    Thread Starter steve-d

    (@steve-d)

    A … scan?

    An external vendor scan. Basically the main question is how to set display_errors = Off at this point.

    Could be a host issue I don’t know.

    internal paths

    PHP is very good at leaking the internal paths of your system in case of errors. You can find out exactly where the blog is hosted (/var/www, /home/user, etc.) and you can 99% of the time guess the user name used for administration.

    Thread Starter steve-d

    (@steve-d)

    DavyB

    That tells me that both the sidebar-login and antivirus plugins have been updated

    You’re correct. Finally figured it out.

    Thread Starter steve-d

    (@steve-d)

    I’m the only administrator.

    I only upgrade a plugin one at a time. I approach everything in standardized, checklist-like procedures. No seat of the pants flying.
    So when something happens, I notice very quickly.

    This could be nothing, maybe I’m overreacting.

    I’ll have to leave it to the pros in Blog Traffic Control and Technical to advise at this point.

    I can’t figure it out.

    Thread Starter steve-d

    (@steve-d)

    Okay, fresh download: that folder is in this latest package, yet the script.js file in it is reported as “unknown publisher”.

    Obviously the next question is why and who added the js folder to this when it was not a part of the original package. Or am I missing something or forgetting something here?

    Thread Starter steve-d

    (@steve-d)

    Okay check this out. I just did a SFTP check and here is what I see.

    On the left is my known clean backup copy local. The right side is what is on the server today. I notice a js folder added to Antivirus that is not part of my clean backup. Inside it is a script.js file dated 5/29.

    Here’s the snip.

    https://i80.photobucket.com/albums/j161/aprilette/Develop/CaptureJune8.jpg?t=1276012007
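
The comparison described in the post above (a known-clean local backup against today's server copy), as an added example that is not part of the original thread: it hashes both trees and lists files added, removed or modified. The function names and the sample files are constructed for illustration; a reported difference only says which files to check against a fresh copy of the plugin package.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(baseline, live):
    """Return files added, removed or modified in `live` relative to `baseline`."""
    base, cur = tree_hashes(baseline), tree_hashes(live)
    return {
        "added": sorted(cur.keys() - base.keys()),
        "removed": sorted(base.keys() - cur.keys()),
        "modified": sorted(f for f in base.keys() & cur.keys() if base[f] != cur[f]),
    }


def write(root, rel, data):
    target = Path(root, rel)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo():
    """Constructed sample: a clean backup and a server copy of one plugin folder."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, server = Path(tmp, "clean"), Path(tmp, "server")
        for root in (clean, server):
            write(root, "antivirus/antivirus.php", b"<?php // plugin main file\n")
            write(root, "antivirus/lang/ru_RU.po", b'msgid ""\n')
        # Differences that exist only on the server copy.
        write(server, "antivirus/js/script.js", b"/* new file */\n")
        write(server, "antivirus/antivirus.php", b"<?php // changed on upgrade\n")
        return compare_trees(clean, server)


if __name__ == "__main__":
    print(demo())
```
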

    Thread Starter steve-d

    (@steve-d)

    Okay I ran an exploit scan.

    Now per the list above I noticed . .

    Timestamp: Tue, 08 Jun 2010 02:12:27 +0000
    Added:
    wp-content/plugins/antivirus/js/script.js

    My exploit scan just produced the following . .

    /wp-content/plugins/antivirus/js/script.js:1
    Could be JavaScript code used to hide code inserted by a hacker.

    t){var item=$(‘#av_template_’+id);if(input){input=eval(‘(‘+input+’)’);if(!input.nonce||input.nonce !=av_nonce){return;}item.addClass(‘danger’);var i=0;var lines=input.data;var len=lines.length;for(i;i<len;i=i+3){var nu

    e_list’},function(input){if(!input){return;}input=eval(‘(‘+input+’)’);if(!input.nonce||input.nonce !=av_nonce){return;}var parent=$(‘#’+input.data[0]).parent();if(parent.parent().children().length<=1){parent.parent().hide(&

    _files’},function(input){if(!input){return;}input=eval(‘(‘+input+’)’);if(!input.nonce||input.nonce !=av_nonce){return;}var output=”;av_files=input.data;av_files_total=av_files.length;av_files_loaded=0;jQuery.each(av_files,fun

    Thread Starter steve-d

    (@steve-d)

    [email protected] . .

    I did run your scan and everything came up clean. It did occur to me that it could have been some normal and valid plugin upgrade changes. Everything looks normal on the server. Permissions are set properly.

    At second glance I am noticing that all this hu_HU.mo – ru_RU.po – lang stuff appears to be part of these plugins’ architecture.

    I’m hoping these plugin authors might be able to confirm and clarify this is normal stuff.

    Let me see if I can put some file contents together.

    Thread Starter steve-d

    (@steve-d)

    So if this is a hack of some sort, the little demon-scumbag is apparently targeting AntiVirus for WordPress and Sidebar Login Plugin. Wouldn’t that be the bottom line?

    Thread Starter steve-d

    (@steve-d)

    Ah. Yeah, I’d check those files ASAP. WordPress doesn’t update files like that without user intervention.

    Yip, yup, yep . . That’s kind of what I was thinking.

    Guess it’s time to call the Host Company and say “Guess What?”

    Again

    Thread Starter steve-d

    (@steve-d)

    My WordPress File Monitor plugin alerted me to these changes. I have it send me an automatic email alert if any changes are made without my knowledge and permissions.

    So with this alert I noticed something or someone the next day ahead of me did something.

    (Timestamp: Tue, 08 Jun 2010 02:12:27 +0000)

    Thread Starter steve-d

    (@steve-d)

    Or am I just going nuts?

    Forum: Fixing WordPress
    In reply to: 2.9.2 site hacked

    You get what you pay for.

    Right, but you know not everyone can afford $150,000 a year to host a blog.

    So maybe the Big Hosts can just provide decent basic security. Is that asking too much? If I can only afford say a new Ford Escort, I shouldn’t have to keep patching it every day just to keep it running.
