wp-includes files being randomly deleted and new admin users. Hacked?

Forum Moderators: rogerd & travelin cat

Message Too Old, No Replies

wp-includes files being randomly deleted and new admin users. Hacked?

MrSavage

8:42 pm on May 28, 2012 (gmt 0)

Hi. I appreciate any advice in this matter. I'm at a bit of a loss here. I have various blogs on a server. Those blogs were all broken as most of them suddenly had 2 files from wp-includes deleted from the server. I've noticed that a couple blogs have a new admin which I never added. Seems like I've been compromised certainly. I'm wondering if anyone has had similar issues in the past. Unfortunately I'm using Woothemes and as you might recall they had a security flaw with timthumb and I was slow (no communication) in fixing this flaw. Now I'm wondering about my entire server. Even my blog installations not using Woothemes were down today because of the missing files. Any possible insights would be greatly appreciated. This feels like cockroaches where once they are in they are a bugger to get rid of. This is the second time I've had this happen in the past month or two. Now I know it's not a password issue.

rocknbil

4:13 pm on May 29, 2012 (gmt 0)

If you're sure it's not your passwords, how about the FTP passwords? How secure is **your** computer, and is the AVG up to date? Sometimes the point of access is your computer.

Most (but not all) Workpress hacks manifest themselves as files (index.php and .js files, specifically) being injected with malicious Javascript leading to a compromised server that installs a malware on the client host. With files being deleted and new admin level users appearing, you may have something more serious on your hands and it's very likely Worpdress itself is not the entry point.