Website Hack

  • Unknown's avatar

    Hi,

    I currently don’t own a WordPress website but I have several clients that do. I am currently supporting a client who has asked me if I can help identify a security problem with their website. Being server and network based I am not 100% sure what I am looking for but I believe that I have found the hack taking place within the log files.

    Below is an excerpt from those log files. I will point out that the js.php file referenced below has been removed before only to come back within a couple of hours. They have also removed the .index.php file without affecting the site.

    Thanks,

    139.162.11.182 - - [15/Nov/2015:23:22:29 +1100] "GET / HTTP/1.1" 200 69684 "http://www.geolyse.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:Cache39.0) Gecko/20100101 Firefox/39.0"
    139.162.11.182 - - [15/Nov/2015:23:22:31 +1100] "GET / HTTP/1.1" 200 69684 "http://www.geolyse.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rvcore:39.0) Gecko/20100101 Firefox/39.0 Hijack/1.2"
    139.162.11.182 - - [15/Nov/2015:23:22:34 +1100] "GET /wp-includes/js/wp-core.js.php HTTP/1.1" 404 43809 "http://www.geolyse.com/wp-includes/js/wp-core.js.php" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Install/1.2"
    139.162.11.182 - - [15/Nov/2015:23:22:37 +1100] "POST /wp-content/themes/.index.php HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
    139.162.11.182 - - [15/Nov/2015:23:22:37 +1100] "POST /wp-content/themes/.index.php HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
    139.162.11.182 - - [15/Nov/2015:23:22:37 +1100] "POST /wp-content/themes/.index.php HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
    139.162.11.182 - - [15/Nov/2015:23:22:39 +1100] "POST /wp-content/themes/.index.php HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
    139.162.11.182 - - [15/Nov/2015:23:22:39 +1100] "POST /wp-content/themes/.index.php HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
    139.162.11.182 - - [15/Nov/2015:23:22:40 +1100] "POST /wp-content/themes/.index.php HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
  • Unknown's avatar

    Anyone know how to edit this post so I can remove the domain :).

  • Unknown's avatar

    The site you are asking about does not seem to be hosted on WordPress.COM, so you need to make friends over at WordPress.ORG, the keepers of the software you are using.

    https://en.forums.wordpress.com/topic/7-things-to-know-before-posting-in-wordpresscom-forums?replies=1

    This site is for support of sites hosted on WordPress.COM. You should address your questions to WordPress.ORG, the keepers of the software you are using: http://wordpress.org/support/

    The forum at WordPress.ORG is not connected to WordPress.COM so you will need to open an account at .ORG if you do not already have one. You may use the same email at WordPress.ORG as you do at WordPress.COM.

    For more on the difference: http://support.wordpress.com/com-vs-org/

  • The topic ‘Website Hack’ is closed to new replies.
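
The pattern in the first post's log excerpt (a PHP file with a doubled extension under wp-includes, POSTs to a hidden dot-file PHP script under wp-content/themes, and one client changing its User-Agent between requests) can be searched for across a full access log. The following is an added example, not part of the original thread: the `analyze` function, its heuristics and threshold are assumptions of this example, and the sample lines are constructed with documentation addresses and placeholder User-Agent strings.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Heuristics (assumptions of this example, modelled on the excerpt above).
HIDDEN_PHP = re.compile(r'/\.[^/]+\.php$', re.I)   # e.g. /.index.php
DOUBLE_EXT = re.compile(r'\.(js|css|png|jpg|gif|ico)\.php$', re.I)
CODE_DIRS = ('/wp-content/', '/wp-includes/')

def analyze(lines, ua_threshold=3):
    """Return (line_no, ip, kind, detail) tuples worth a manual review."""
    findings, agents = [], defaultdict(set)
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # not a combined-format line
        agents[m['ip']].add(m['ua'])
        path = m['path'].split('?', 1)[0]  # ignore the query string
        if not path.startswith(CODE_DIRS):
            continue
        if HIDDEN_PHP.search(path):
            kind = 'hidden-php-post' if m['method'] == 'POST' else 'hidden-php'
            findings.append((n, m['ip'], kind, path))
        elif DOUBLE_EXT.search(path):
            findings.append((n, m['ip'], 'double-extension-php', path))
    # One address presenting several different User-Agent strings.
    for ip, uas in sorted(agents.items()):
        if len(uas) >= ua_threshold:
            findings.append((0, ip, 'rotating-user-agent', f'{len(uas)} agents'))
    return findings

# Constructed sample lines (documentation IPs, placeholder User-Agents).
T = '[15/Nov/2015:23:22:30 +1100]'
SAMPLE = [
    f'203.0.113.7 - - {T} "GET / HTTP/1.1" 200 69684 "-" "UA-one"',
    f'203.0.113.7 - - {T} "GET /wp-includes/js/wp-core.js.php HTTP/1.1" 404 43809 "-" "UA-two"',
    f'203.0.113.7 - - {T} "POST /wp-content/themes/.index.php HTTP/1.1" 200 7 "-" "UA-three"',
    f'198.51.100.4 - - {T} "GET /wp-content/themes/site/style.css HTTP/1.1" 200 5120 "-" "UA-one"',
]

if __name__ == '__main__':
    for finding in analyze(SAMPLE):
        print(finding)
```

A hit is a lead for manual review of the named file and client, not proof of compromise on its own.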