wowbagger
Forum Replies Created
Forum: Fixing WordPress
In reply to: Can Changes logged under "System" (127.0.0.1) be a Hack?
I’ve created a new thread, but it’s held for moderation. I hope it’ll pass soon.
Forum: Fixing WordPress
In reply to: Can Changes logged under "System" (127.0.0.1) be a Hack?
Hi Jackie,
thanks a lot for the reply. I’ll repost the thread tomorrow. I’m posting from Germany and it’s too late for today. I’ll just post some further information:
- I’m not the administrator of the blog.
- As far as I can tell it’s well managed (up-to-date, strong passwords afaik).
- It’s a shared host, but each vhost is running as a different user. It’s not completely, but nearly, impossible to access another host’s files.
- I’m the administrator of the vhost.
- I’ve already fixed the site… not for the first time.
- I always scan the site for:
  - php code hidden in any kind of file
  - eval
  - gzinflate
  - base64_decode
  - include and include_once
  - require and require_once
  - unwanted code in htaccess files
  As always I found a lot and I fix all of it till there’s nothing more to find. But still it’s always coming back. Sometimes after a month, sometimes after a few days.
- There is also a TYPO3 running on the same vhost.
- I’ve already tried writing files into the WordPress installation while logged in at TYPO3 or over ssh. Those files appear in the logs in a different way than the log entry I’ve posted.
- I always have lots of very suspicious POST access on xmlrpc.php. I’d like to disallow the access, but the WordPress admin says it’s indispensable for some Jetpack features.
- The log entry posted above was most definitely a backdoor, and strangely it was at the typical time the WordPress installation used to update itself. Of course it can be a coincidence, but it would be unwise not to look into it. Also it could have a lot of reasons.
- The site is HUGE and I really mean it. It would be a pain to re-set up the user content.
The site is good for now, but of course it’s not over yet. Anyway I’m calling it a day. I’ll read any reply tomorrow. Thanks so far.
kind regards
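The scan the poster describes (eval, gzinflate, base64_decode, variable include/require, code in .htaccess, PHP hidden in non-PHP files) as a small defender-side script. This is an added example, not the poster's own tooling or anything from the Sucuri plugin; it also flags .php files in data-only directories such as wp-content/languages, where the reported lang.php backdoor sat. Pattern names and the NO_CODE_DIRS list are our own assumptions.

```python
"""Walk a WordPress tree and report files matching the post's indicators (added example)."""
import os
import re
import sys

# The post's indicator list as regexes; key names are ours, not WordPress or Sucuri terms.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "dynamic_include": re.compile(r"\b(include|include_once|require|require_once)\s*\(?\s*\$"),
    "htaccess_php_handler": re.compile(
        r"AddHandler\s+\S*php|AddType\s+application/x-httpd-php|php_value\s+auto_(pre|ap)pend_file", re.I),
}
# Assumed data-only directories: a .php file here is suspicious regardless of content.
NO_CODE_DIRS = ("wp-content/uploads", "wp-content/languages", "wp-content/cache")
PHP_TAG = re.compile(r"<\?(php|=)")

def find_indicators(relpath, content):
    """Return indicator names for one file; relpath is POSIX-style, relative to the WP root."""
    findings = []
    name = os.path.basename(relpath)
    is_php = name.endswith(".php")
    if name == ".htaccess":  # handler/auto_prepend tricks make non-.php files execute
        if INDICATORS["htaccess_php_handler"].search(content):
            findings.append("htaccess_php_handler")
        return findings
    if not is_php and PHP_TAG.search(content):
        findings.append("php_tag_in_non_php_file")  # e.g. an image or .txt carrying PHP
    if is_php and relpath.startswith(NO_CODE_DIRS):
        findings.append("php_in_data_dir")
    if is_php or "php_tag_in_non_php_file" in findings:
        for key in ("eval", "gzinflate", "base64_decode", "dynamic_include"):
            if INDICATORS[key].search(content):
                findings.append(key)
    return findings

def scan_tree(root):
    """Map relative path -> findings for every file under root that matches anything."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, errors="ignore") as fh:
                hits = find_indicators(rel, fh.read())
            if hits:
                results[rel] = hits
    return results

if __name__ == "__main__":  # usage: python scan.py /path/to/wordpress
    for path, hits in sorted(scan_tree(sys.argv[1]).items()):
        print(path, ",".join(hits))
```

Legitimate core and plugin files also call base64_decode and friends, so treat hits outside data directories as candidates to diff against a clean copy of the same version rather than as proof of compromise.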
Forum: Fixing WordPress
In reply to: Can Changes logged under "System" (127.0.0.1) be a Hack?
Hello,
I’d like this thread to be reopened, because the resolve didn’t work for me.
Just this morning I found this entry in the Sucuri log:
5. März 2017 00:34 system 127.0.0.1 New file added wp-content/languages/plugins/lang.php (size: 4257)
After checking the file I can confirm it was a backdoor.
I’d say: Changes logged under “System” (127.0.0.1) CAN be a hack, and I’d really appreciate some help in finding out how this happened.
I’m usually not administering WordPress and the person who does is on holiday. I don’t find any remote access for that particular time in the access logs, and it seems as if the time exactly matches the time of some scheduled updates. There are many log entries similar to that on different days, but always at the same time. I’ve checked most of them so far, but only this one pointed to a backdoor.
My first question at the moment is: Where would I find the configuration of an update scheduler? I have admin and ssh access but no experience with WordPress at all. I am an experienced server admin though.
Kind regards, wowbagger