{"id":2593,"date":"2008-08-15T00:40:55","date_gmt":"2008-08-15T04:40:55","guid":{"rendered":"http:\/\/www.prefblog.com\/?p=2593"},"modified":"2008-08-15T00:40:55","modified_gmt":"2008-08-15T04:40:55","slug":"prefblog-hacked","status":"publish","type":"post","link":"https:\/\/prefblog.com\/?p=2593","title":{"rendered":"PrefBlog Hacked!"},"content":{"rendered":"

My query<\/a><\/p>\n

A similar query<\/a><\/p>\n

A good explanation<\/a>. I had one of these. I took the call to “wp_footer()” out of my footer.php file, and that stopped that nonsense. I couldn’t find any of the files noted in this articles example; I can only hope it gets weeded out on a re-install.<\/p>\n

An even better explanation<\/a> … I got one of those “active_ plugins”, but the option value is “a:0:{}”. I have no idea what it means … it looks like a placeholder. What I do have is one with “option_name” equal to “wp_links”, with the “freemacwareDOTcom” address conspicuously highlighted. This was causing popups on closure. I have uploaded the value of the memo field<\/a> for scientific purposes. NOTE: I removed all of the left-angle brackets (“<\") from this file to disable the code.\n\nNot indexed by Technocrati<\/a> … How wonderful! Now I’ll have to reinstall the current version of WordPress and cross my fingers that I can still understand it!<\/p>\n

Capturing $_POST commands<\/a> … I just might try this, you know. PrefBlog has been under heavy attack lately by spam comments.<\/p>\n

So anyway … my apologies to all readers who have been inconvenienced – or simply puzzled – by the recent popups. Please let me know of any odd behavior by PrefBlog (I mean odd behavior that is system-related, of course!) in the future and I’ll be that much quicker tracking things down.<\/p>\n

Update, 2008-8-16<\/b>: The database has a table, wp_postmeta, which tracks attachments. One record in this table has the values: meta_id=8474, post_id=2181, meta_key = ‘_wp_attached_file’, meta_value=’\/services1\/webpages\/p\/r\/prefblog.com
\/public\/\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/tmp\/10bum.txt’<\/p>\n

There is also: meta_id=8472, post_id=2180, meta_key = ‘__wp_attached_file’, meta_value = ‘\/services1\/webpages\/p\/r\/prefblog.com
\/public\/\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/tmp\/2newbum.txt’<\/p>\n

These records have been removed.<\/p>\n

I have also deleted some entries in the wp_posts table. As far as I can make out from the WordPress codex<\/a> the value of ‘post_parent’ should reference a ‘post_id’ in the same table, which are all positive integers.<\/p>\n

After noting some odd entries, I queried the database: ‘select * from wp_posts where post_parent < 0' and came up with seven records. Two have post_parent set to numbers that are large and negative; the 'guid' field indicates that this is stuff that I did, in fact, upload but somehow screwed up.\n\nThe remaining 5 records all have post_parent set to -1, with 'guid' having a variety of values: the first one, with 'post_modifed' = '2008-03-25 05:26:58' has 'guid' = 'http:\/\/www.prefblog.com
\/\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/tmp\/3rbsmag.txt’. The other entries are similar, with filenames 10bum.txt (three times) and 2newbum.txt.<\/p>\n

All these records have been deleted. Note that with these long field values, I have added a HTML line-break to make the full field look nice on this post.<\/p>\n

I note that the first of these highly suspicious entries occurred within a week of my WP 2.3.3 installation! I have requested database validation<\/a> for forthcoming releases of WordPress.<\/p>\n

Update, 2008-8-16<\/b>: Problems with the file 3rbsmag.txt have been discussed on WordPress<\/a>. <\/p>\n","protected":false},"excerpt":{"rendered":"

My query A similar query A good explanation. I had one of these. I took the call to “wp_footer()” out of my footer.php file, and that stopped that nonsense. I couldn’t find any of the …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-2593","post","type-post","status-publish","format-standard","hentry","category-administration"],"_links":{"self":[{"href":"https:\/\/prefblog.com\/index.php?rest_route=\/wp\/v2\/posts\/2593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/prefblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/prefblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/prefblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/prefblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2593"}],"version-history":[{"count":0,"href":"https:\/\/prefblog.com\/index.php?rest_route=\/wp\/v2\/posts\/2593\/revisions"}],"wp:attachment":[{"href":"https:\/\/prefblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/prefblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/prefblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}