
My system: CentOS 6.2 64-bit, Apache 2.2.15, PHP 5.3.3. I have WordPress 3.3.1.

I have several domains on my server configured as virtual hosts. The path to website files is the following: /var/www/vhosts/mydomain.com/httpdocs/

Logs file for this domain: /var/www/vhosts/mydomain.com/logs/

So, today I found an unknown file "index.html" in the logs directory. The website itself works fine and I can't see any changes to core files.

This index.html contains the following:

... <META HTTP-EQUIV="Refresh" Content="0; URL=http://173.255.248.137" ... 

This URL redirects to some weird Chinese language courses on vimeo.com. So, has anyone seen something similar, or does anyone know how this file was uploaded to my server? Are there any log files I should check?

Thank you for your help!!!

2 Answers


Check your website's directories (mostly the theme directories, the uploads directory, and the wp-admin subdirectories), the .htaccess files, and the code of index.php, 404.php and wp-config.php. If there's something strange, you'll see it. In my case, the first time there was a cgi-ssh client in my twentyten theme directory, and the second time there was eval(base64_decode()) code in every PHP page.

  • Could you find anything? Commented Mar 19, 2012 at 15:27
  • Hello tpaksu! Thanks for the reply. Please read my answer above. Commented Mar 19, 2012 at 15:28
  • Didn't find anything. I don't have the twentyten theme, and my own themes seem fine. index.php and wp-config.php are clear. I have searched for "base64_" and "eval" - still nothing suspicious. Actually, the website works fine. Commented Mar 19, 2012 at 15:29
  • Well, they scan for every injectable script and try that. They have a brute-force attacker with a lot of exploit definitions, I guess. Commented Mar 19, 2012 at 15:35
  • I see, but I need to find out how that file was uploaded to my server. :) This file was in the logs directory with owner "root". So, either it's an Apache vulnerability or, as I have a VPS, it's an OpenVZ vulnerability. Or I don't know. Commented Mar 19, 2012 at 15:49
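Added example, not from the thread or any of its posters: a read-only POSIX shell audit that automates the checks the answer above lists (eval(base64_decode()) in PHP files, .htaccess rules that redirect elsewhere, web files sitting in the logs directory, and recently changed files, which narrow the time window to read access and ssh logs for). The VHOST/httpdocs and VHOST/logs layout follows the question; the sample files the script builds are constructed for the demonstration.

```shell
#!/bin/sh
# scan_vhost VHOST_DIR [DAYS]  -- prints "TAG path" per finding, nothing else.
# Read-only: it never modifies or removes anything under the vhost.
scan_vhost() {
    vhost="$1"; days="${2:-7}"
    # 1. the eval(base64_decode()) pattern the answer found in every PHP page
    find "$vhost/httpdocs" -type f -name '*.php' \
        -exec grep -lE 'eval[[:space:]]*\([[:space:]]*base64_decode' {} + 2>/dev/null \
        | while read -r f; do printf 'EVAL_B64 %s\n' "$f"; done
    # 2. .htaccess rules that send visitors to another host
    find "$vhost/httpdocs" -type f -name '.htaccess' \
        -exec grep -lEi '^[[:space:]]*(Redirect|RewriteRule).*https?://' {} + 2>/dev/null \
        | while read -r f; do printf 'HTACCESS_REDIRECT %s\n' "$f"; done
    # 3. web content where only logs belong (the question's logs/index.html)
    find "$vhost/logs" -type f \( -name '*.htm*' -o -name '*.php' \) 2>/dev/null \
        | while read -r f; do printf 'WEB_FILE_IN_LOGS %s\n' "$f"; done
    # 4. files changed in the last DAYS days: the window to read the logs for
    find "$vhost/httpdocs" -type f -mtime "-$days" 2>/dev/null \
        | while read -r f; do printf 'RECENT %s\n' "$f"; done
}

# make_sample_vhost -- builds a throwaway vhost out of constructed files and
# prints its path, so the scan can be tried without touching a real server.
make_sample_vhost() {
    d=$(mktemp -d)
    mkdir -p "$d/httpdocs/wp-content/themes/mytheme" "$d/logs"
    # constructed clean file: a normal WordPress front controller
    printf '<?php require "./wp-blog-header.php";\n' > "$d/httpdocs/index.php"
    # constructed: the base64 text is just the word "constructed", not a payload
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' \
        > "$d/httpdocs/wp-content/themes/mytheme/footer.php"
    # constructed: a rewrite to an external (TEST-NET) address
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://192.0.2.1/ [R,L]\n' \
        > "$d/httpdocs/.htaccess"
    # constructed stand-in for the redirect page found in the logs directory
    printf '<META HTTP-EQUIV="Refresh" Content="0; URL=http://192.0.2.1">\n' \
        > "$d/logs/index.html"
    echo "$d"
}

vh=$(make_sample_vhost)
scan_vhost "$vh" 7
rm -rf "$vh"
```

On a real server, run `scan_vhost /var/www/vhosts/mydomain.com 7` as a user that can read the vhost, then match the RECENT timestamps against the access log and /var/log/secure for the same window.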

I have checked WP and can't see anything suspicious. I have break-in attempts like this from time to time: WordPress Firewall has detected and blocked a potential attack!

Web Page: www.mydomain.com//wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php

Warning: URL may contain dangerous content!

Offending IP: 178.137.167.112 [ Get IP location ]

Offending Parameter: $_FILE = wp-xml.php

So, they are blocked by WP Firewall, and I don't even have the 1-flash-gallery plugin.

I think someone has tried to inject this "index.html" into my website, but it was saved to the logs directory somehow. And I need to know how!
