Conditional redirect code injected in WordPress

Discussion in 'Security' started by Fracisc, Dec 13, 2012.

  1. #1
    Hi there!

    I have a few WordPress sites in my hosting account. Some of them got hacked, some not. Basically, two of them are hacked frequently. On one of them I see that there are attempts to log in as admin.
    I have changed the server pass, ftp pass, mysql pass but the problem is still there. How can I find out how they get in? Please help!
     
    Fracisc, Dec 13, 2012 IP
  2. t0p3a

    t0p3a Member

    #2
    Probably some backdoor in the theme or poorly configured server.
     
    t0p3a, Dec 14, 2012 IP
  3. Umbra Hosting

    Umbra Hosting Peon

    #3
    Try installing a WordPress plugin called "TimThumb Vulnerability Scanner" and running a scan. If it comes up with outdated TimThumb code, it gives you the option to patch it.

    You may also want to have your web host take a look at your account(s), as they should be able to quickly identify anything that looks out of place, such as shell scripts or an .htaccess file with malicious redirects.
     
    Umbra Hosting, Dec 18, 2012 IP
  4. evuln.com

    evuln.com Greenhorn

    #4
    You may find backdoors in several ways:
    1) Get the last modification time of an infected file and find this exact date-time in the HTTP logs. You should find a query to some file/script which was used to infect files.
    2) Check your HTTP logs for POST queries to some strange scripts.
    3) Search for the most popular webshell functions in PHP files: base64_decode(), eval(), preg_replace() ..
    4) Search for recently modified files.
    Check the logs of all websites on the same server or account.

    This guide may help: evuln.com/hacked/redirect.html
     
    evuln.com, Dec 29, 2012 IP
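
The log correlation and function search from steps 1 to 3 of post #4, as an added example that is not part of the original thread. It assumes Apache/nginx combined-format access logs and matches within a few seconds of the file's modification time rather than on the exact second; the log lines, paths, IPs and PHP snippet are constructed sample data, and all function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Functions named in the post. For preg_replace only the /e modifier is flagged,
# since that is the form that evaluates the replacement as PHP code.
MARKERS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "preg_replace/e": re.compile(
        r"""\bpreg_replace\s*\(\s*["'](\W).*?\1[a-z]*e[a-z]*["']""", re.I),
}

def parse(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path,
            "status": int(status)}

def requests_near(log_lines, mtime, window=timedelta(seconds=5)):
    """Steps 1-2: requests within `window` of the file's mtime, POSTs first."""
    hits = [e for e in map(parse, log_lines)
            if e and abs(e["time"] - mtime) <= window]
    return sorted(hits, key=lambda e: (e["method"] != "POST", e["time"]))

def shell_markers(php_source):
    """Step 3: (line number, marker name) for each flagged call in a PHP file."""
    return [(n, name)
            for n, line in enumerate(php_source.splitlines(), 1)
            for name, rx in MARKERS.items() if rx.search(line)]

# Constructed sample data (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Dec/2012:03:14:05 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [13/Dec/2012:03:14:07 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 31',
    '198.51.100.7 - - [13/Dec/2012:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
# For a real file: datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
SAMPLE_MTIME = datetime(2012, 12, 13, 3, 14, 7, tzinfo=timezone.utc)
SAMPLE_PHP = '<?php\n$title = "home";\neval(base64_decode($blob));\n'

if __name__ == "__main__":
    for e in requests_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
    print(shell_markers(SAMPLE_PHP))
```

A file's modification time can be reset by whoever wrote the file, so an empty result from the log correlation does not clear it; the function search and the POST review still apply.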