
I have a client who has several WordPress 2.9.2 blogs that he hosts. They are getting a deface kind of hack with the Elemento_pcx exploit somehow. It drops these files in the root folder of the blog:

-rw-r--r--  1 userx userx  1459 Apr 16 04:25 default.htm
-rw-r--r--  1 userx userx  1459 Apr 16 04:25 default.php
-rw-r--r--  1 userx userx  1459 Apr 16 04:25 index.asp
-rw-r--r--  1 userx userx  1459 Apr 16 04:25 index.aspx
-rw-r--r--  1 userx userx  1459 Apr 16 04:25 index.htm
-rw-r--r--  1 userx userx  1459 Apr 16 04:25 index.html
-rwxr-xr-x  1 userx userx  1459 Apr 16 04:25 index.php*

It overwrites index.php. A keyword inside each file is "Elemento_pcx". It shows a white fist with a black background and the phrase "HACKED" in bold letters above it.

We cannot determine how it gets in to do what it does. The wp-admin password isn't hard, but it's also not very easy either. I'll change it up a little to show you what the password sort of looks like: wviking10. Do you think it's using an engine to crack the password? If so, how come our server logs aren't flooded with wp-admin requests as it runs down a random password list?

The wp-content folder has no changes inside it, but is run as chmod 777 because wp-cache required it. Also, the wp-content/cache folder is run as chmod 777 too.

HopelessN00b
ServerChecker
  • Check your FTP logs. Since wp-cache required you to chmod that folder 777, you probably aren't running PHP as setuid. Since the files are owned by the user and not www-data (or the username Apache is running as), the FTP account is probably compromised. – user6738237482 Jun 08 '10 at 15:29

1 Answer


No, you don't need chmod 777 on wp-content to use wp-cache. You need that once when you install. After that you can change it back. Change that to 755.

I would say scan your computer [the computer you use to FTP/upload web pages to the server] with an anti-virus like AVG.

Nathan
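The comment above suggests checking file ownership and the FTP logs, and the answer suggests dropping the 777 directories back to 755. The script below is an added triage example, not code from the thread or from WordPress; it assumes a POSIX host with `find` and `grep`, a hypothetical document root path, and it builds a constructed sample tree plus constructed log lines (in roughly vsftpd's format) so it runs offline. It locates files carrying the "Elemento_pcx" marker, lists world-writable directories, lists files not owned by the web-server account (the ownership clue from the comment), tightens those directories to 755, and pulls successful FTP uploads of the defaced file names out of a log.

```shell
#!/bin/sh
# Added defender-side triage script; not part of the original thread.
# Assumptions: a WordPress document root on a POSIX host with find/grep.
# The sample docroot and the FTP log lines below are constructed to
# mirror the listing in the question; real paths/log locations will differ.
set -eu

MARKER='Elemento_pcx'
DEFACED_NAMES='default.htm default.php index.asp index.aspx index.htm index.html index.php'

# Build a constructed sample docroot that mimics the listing in the question.
make_sample_docroot() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/cache" "$root/wp-admin"
  for f in $DEFACED_NAMES; do
    printf '<html><body><b>HACKED</b> %s</body></html>\n' "$MARKER" > "$root/$f"
  done
  printf '<?php echo "untouched"; ?>\n' > "$root/wp-admin/admin.php"
  printf 'cache entry\n' > "$root/wp-content/cache/page.html"
  chmod 777 "$root/wp-content" "$root/wp-content/cache"   # the 777 from the question
  printf '%s\n' "$root"
}

# 1. Files carrying the defacement marker, one path per line (sorted).
find_defaced() {
  find "$1" -type f -exec grep -l "$MARKER" {} + | sort
}

count_defaced() { find_defaced "$1" | wc -l | tr -d ' '; }

# 2. World-writable directories (the chmod 777 the question mentions).
find_world_writable_dirs() {
  find "$1" -type d -perm -002 | sort
}

# 3. Files not owned by the given account. In the thread the dropped files
#    are owned by the site user rather than the web-server user, which is
#    why the comment points at the FTP credentials rather than PHP.
find_not_owned_by() {
  find "$1" -type f ! -user "$2" | sort
}

# 4. Tighten every world-writable directory to 755, as the answer recommends.
harden_dirs() {
  find "$1" -type d -perm -002 -exec chmod 755 {} +
}

# 5. Constructed FTP log lines in roughly vsftpd's format (sample data only).
sample_ftp_log() {
  cat <<'EOF'
Fri Apr 16 04:24:58 2010 [pid 4242] [userx] OK LOGIN: Client "203.0.113.7"
Fri Apr 16 04:25:01 2010 [pid 4243] [userx] OK UPLOAD: Client "203.0.113.7", "/index.php", 1459 bytes, 12.3Kbyte/sec
Fri Apr 16 04:25:02 2010 [pid 4243] [userx] OK UPLOAD: Client "203.0.113.7", "/default.htm", 1459 bytes, 12.1Kbyte/sec
Fri Apr 16 09:10:44 2010 [pid 4301] [userx] OK UPLOAD: Client "198.51.100.2", "/wp-content/uploads/photo.jpg", 88321 bytes, 400.0Kbyte/sec
EOF
}

# Successful uploads (read from stdin) whose target is one of the defaced
# file names in the docroot. Prints nothing if there are no matches.
suspicious_ftp_uploads() {
  pat=$(printf '%s' "$DEFACED_NAMES" | sed 's/\./\\./g; s/ /|/g')
  grep 'OK UPLOAD' | grep -E "\"/($pat)\"" || true
}

main() {
  root=$(make_sample_docroot)
  echo "defaced files: $(count_defaced "$root")"
  echo "world-writable dirs before hardening:"
  find_world_writable_dirs "$root"
  harden_dirs "$root"
  echo "world-writable dirs after hardening: $(find_world_writable_dirs "$root" | wc -l | tr -d ' ')"
  echo "FTP uploads of defaced file names:"
  sample_ftp_log | suspicious_ftp_uploads
  rm -rf "$root"
}

main
```

On a real host, point the functions at the blog's document root and feed the actual FTP server log into `suspicious_ftp_uploads`; the client IP and timestamp on a matching upload line tie the defacement to a login on that FTP account, which is what the comment's ownership argument predicts.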