hacked WordPress, help me understand?

• 

  flintandkey · Member · Sep 17, 2021 at 5:46 am

  • Copy link
  • Add topic to favorites

  So this wordpress installation has been hacked, but there doesn’t seem to have been anything uploaded, the hackers just seem to be using the wordpress itself to try to poke after other wordpress installations with poor passwords, so all of a sudden the wordpress is making a lot of outbound requests.

  I’m really just trying to understand what in wordpress is it that is creating these run/tmp/-files?

  
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:54.082895 +0000 web2 5 redacted.com[24948] 37.188.32.3 - /run/tmp/phpD4QU6C:39 - cURL connected to http://yvonnegisler.com/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:54.504195 +0000 web2 5 redacted.com[24948] 37.188.32.3 - /run/tmp/phpD4QU6C:39 - cURL connected to https://segelschule-urnersee.ch/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:56.978962 +0000 web2 5 redacted.com[24948] 37.188.32.3 - /run/tmp/phpD4QU6C:39 - cURL connected to https://sciviscontest2018.org/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:57.035758 +0000 web2 5 redacted.com[24948] 37.188.32.3 - /run/tmp/phpD4QU6C:39 - cURL connected to http://rges-fvsd-ca.schoolloop.com/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:57.117995 +0000 web2 5 redacted.com[24948] 37.188.32.3 - /run/tmp/phpD4QU6C:39 - cURL connected to http://maggiegislerphotography.com/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:57.385245 +0000 web2 5 redacted.com[24948] 37.188.32.3 - /run/tmp/phpD4QU6C:39 - cURL connected to http://kneiwies.ch/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:57.518059 +0000 web2 5 redacted.com[24948] 37.188.32.3 - /run/tmp/phpD4QU6C:39 - cURL connected to http://glasparent.ch/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:57.860982 +0000 web2 5 redacted.com24951] 37.188.32.3 - /run/tmp/phpof8mhS:39 - cURL connected to http://serpentcleide.tabako.asia/old/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:57.923230 +0000 web2 5 redacted.com[24951] 37.188.32.3 - /run/tmp/phpof8mhS:39 - cURL connected to http://groser.foobet66.com/old/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:58.363246 +0000 web2 5 redacted.com[24951] 37.188.32.3 - /run/tmp/phpof8mhS:39 - cURL connected to http://zacktrammel.com/old/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:58.592178 +0000 web2 5 redacted.com[24948] 37.188.32.3 - /run/tmp/phpD4QU6C:39 - cURL connected to http://gisler-bob.ch/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:59.642321 +0000 web2 5 redacted.com[24951] 37.188.32.3 - /run/tmp/phpof8mhS:39 - cURL connected to https://yourhendersonagent.com/old/
  webpod6-cph3/web2.cst.webpod6-cph3.one.com/user-20210912.zst:Sun 12 Sep 2021 23:59:59.822248 +0000 web2 5 redacted.com[24951] 37.188.32.3 - /run/tmp/phpof8mhS:39 - cURL connected to http://washburn-trammel-guttering-company.hub.biz/old/

• 

  justjennifer · Member · Sep 17, 2021 at 5:51 am

  • Copy link

  Hi there, you’ll want to reach out to the open source WordPress community at https://wordpress.org/support/forums for advice.

  We won’t be able to assist you with this here. Just to clarify, this support forum you’ve posted to assists users with free websites hosted on the WordPress.com platform. You can read more about these differences at https://wordpress.org/support/article/wordpress-vs-wordpress-com/

• 

  flintandkey · Member · Sep 17, 2021 at 6:18 am

  • Copy link

  thanks, feel free to delete this topic.