1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Wordpress 3.0 hack on feed url!!

Discussion in 'Black Hat SEO' started by richman, Nov 12, 2010.

  1. richman

    richman BANNED BANNED

    Joined:
    Jan 8, 2009
    Messages:
    321
    Likes Received:
    308
    several of my site have been injected by some one,
    they put the link back to their site ( buggy poker site )


    how to prevent it?
    how to remove it?
    how to scan it?


    thanks
     
  2. BugFixed

    BugFixed Junior Member

    Joined:
    Sep 24, 2010
    Messages:
    130
    Likes Received:
    39
    I suspect it came from plugins.

    Recheck all your plugins to make sure that they don't have any hole. This is not an easy step because we don't know which plugin that has a leak.

    You can scanning and remove it from database using phpMyAdmin.
     
    • Thanks Thanks x 1
  3. richman

    richman BANNED BANNED

    Joined:
    Jan 8, 2009
    Messages:
    321
    Likes Received:
    308
    how to scan an injected file?
    because i just find on myphpmyadmin and get clean
     
  4. bezopravin

    bezopravin BANNED BANNED

    Joined:
    May 11, 2010
    Messages:
    461
    Likes Received:
    3,471
    Install this plugin to find Exploits on Any files stored in your WP Directory

    Code:
    wordpress.org/extend/plugins/exploit-scanner
    Hope this helps...
     
  5. richman

    richman BANNED BANNED

    Joined:
    Jan 8, 2009
    Messages:
    321
    Likes Received:
    308

    But, they only find the updated files ( after this plugin installed ), not the yesterday updated file
     
  6. bezopravin

    bezopravin BANNED BANNED

    Joined:
    May 11, 2010
    Messages:
    461
    Likes Received:
    3,471
    Installed this plugin in an unmaintained blog and ran a test. I can see all the encoded or possible exploit files in report. It scanned around 145 files where most of them were plugins and theme files which are all installed during wordpress installation before 6 months.
     
  7. BugFixed

    BugFixed Junior Member

    Joined:
    Sep 24, 2010
    Messages:
    130
    Likes Received:
    39
    Try running SELECT command from phpMySQL, for example:

    SELECT * FROM `wp_posts` WHERE post_content LIKE '%exam%';

    change '%exam%' to whatever you find on the link back or perhaps its keyword, or any suspecting words.