Need help protecting my blog

As some of you noticed, this blog keeps on getting hacked. I need help.

  • I have the latest version of WordPress. I have changed the password and I did my best to find any backdoor.
  • I do not think anyone can modify the PHP files because they are not writeable on the server.
  • In the latest hacks, they update the content of my post with hidden spam. That is, the spam appears directly in my relational database. It appears that, indeed, the PHP files are not modified. It also appears that they are only able to update the latest posts. Indeed, only 3 posts had spam in them. Surely, if they could have done more, my entire database would be filled with spam right now.

So, what should I be looking for?

I think there must be at least one backdoor left. I have checked that when I write a new post, the spam is not automatically inserted. So, the post must be updated a bit later.

This is very scary and annoying.

Update: My current best guess is that only a few blog posts were modified because I changed my password and removed the default admin user just in time. If so, I am very lucky because the spammers could have infected all of my content. Indeed, it appears that none of my recent posts have been spammed. Of course, it could be just a matter of time…

Published by

Daniel Lemire

A computer science professor at the University of Quebec (TELUQ).

4 thoughts on “Need help protecting my blog”

  1. It seems you are having SQL injection problems. If you have logs check when they were “updated” and the PHP requests before.

    Good luck!

  2. Luis had the same idea I had: SQL injection. Grepping logs should help narrow down what happened; if you are on the latest WP, this is something a lot of people will want to know / fix.

    Also, is your personal machine safe?

  3. I’m no WordPress expert and only have a very general comment, but you may want to install Nessus and inspect your server from the outside.
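
The log check suggested in the first two comments, as an added example that is not part of the original post or its comments: list the PHP requests that reached the server shortly before a spammed post was modified. It assumes a combined-format access log and modification times read from the `post_modified_gmt` column of `wp_posts`; the log lines, addresses, times and post id below are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format: ip - user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (time_utc, ip, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Normalise to UTC so log times compare directly with post_modified_gmt.
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return ts, m["ip"], m["method"], m["path"], int(m["status"])

def requests_before(log_lines, modified_utc, window=timedelta(minutes=2)):
    """PHP requests inside the window that ends at a post's modification time."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _ip, _method, path, _status = rec
        is_php = path.split("?", 1)[0].endswith(".php")
        if is_php and modified_utc - window <= ts <= modified_utc:
            hits.append(rec)
    # POSTs first (they can change data), then chronological order.
    return sorted(hits, key=lambda r: (r[2] != "POST", r[0]))

# Constructed sample data, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2010:04:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "UA"',
    '203.0.113.7 - - [12/Mar/2010:05:14:50 +0100] "GET /wp-login.php?x=1 HTTP/1.1" 200 2000 "-" "UA"',
    '198.51.100.9 - - [12/Mar/2010:04:14:31 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 310 "-" "UA"',
    '198.51.100.9 - - [12/Mar/2010:04:14:40 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "UA"',
    'garbage line',
]
# post id -> post_modified_gmt of a spammed post (constructed value).
MODIFIED = {101: datetime(2010, 3, 12, 4, 15, 0, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for post_id, when in MODIFIED.items():
        for ts, ip, method, path, status in requests_before(SAMPLE_LOG, when):
            print(post_id, ts.isoformat(), ip, method, path, status)
```

A request to the post editor from an address that is not the author's points at stolen credentials or a session rather than SQL injection; no matching request at all suggests the write came through another path, such as direct database access.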
