Skip to content

New WordPress attack floating around…

I use a shell script to back up my web sites each day -- it exports and downloads a SQL file of the database contents, as well as rsync's the actual HTML files. When I was checking the log file for last night's downloads, I noticed something very strange in the output:

  receiving file list ... done
  ./
  html/wp-content/
  html/wp-content/1/
  html/wp-content/1/3c-texas-holdem-poker.html
  html/wp-content/1/american-poker.html
  html/wp-content/1/bonus-code-party-poker.html
  html/wp-content/1/casino-poker-gratis.html
  html/wp-content/1/come-giocare-a-poker.html
  html/wp-content/1/come-giocare-poker.html
  ....
  ....

In total, there were 71 files in the newly-created 1 folder: 70 .html files, and one g.js file. There was also a new oddly-named backup folder, and the index.php file in wp-content (which is just a blank placeholder) had been replaced with basically the same file but with an added line break on the first line.

I googled on some of the .html filenames, and found a number of WordPress sites with the same issue (the "1" folder), but nobody who was talking about the cause of the problem. So I posted about it to the WordPress forums, where someone pointed me to this page, which contains at least a little more background on the issue. I'm also posting some of the html filenames here, in case others are searching for more information on the attack.

As of now, I don't know how they got in (though I suspect via one of the plug-ins), but I don't think it's through any sort of direct site access: none of the site's other files and folders were changed, nor were any posts or comments created. It also doesn't seem to be an automated attack, as the 1 folder hasn't returned after I manually removed it yesterday. But if you run WordPress, keep an eye on your wp-content folder for anything other than what should be there: index.php, plugins, and themes by default. If/when I find out more about this, I'll post a follow-up.

2 thoughts on “New WordPress attack floating around…”

  1. I just checked (thanks for the heads-up!) and I don't have such a file injection. Let me know if you want to compare installed plugins to hopefully find the culprit.

Comments are closed.