[Nottingham] A Google Webmaster Scam?

Roger Light roger at atchoo.org
Thu Dec 20 09:45:30 UTC 2012


On Thu, Dec 20, 2012 at 12:22 AM, Martin <martin at ml1.co.uk> wrote:

> So far, I've moved the auth.php out of the way, and sed has cleaned all
> the .js files

I would suggest much more than that if you aren't going to start from
scratch (including the db contents). Do a fresh install of wordpress -
this will overwrite any compromised files but will still leave behind
any additional files that exist. Install a plugin like Exploit
Scanner, run it and check all of the results. There will likely be a
number of false positives - it'll help if you uninstall any plugins
that you aren't using.

If there are any problems, sort them out then in one quick session
change all of the passwords including the mysql one and add new salt
values to wp-config.php. This will invalidate any existing login
sessions that would still work despite the password having changed.
You can generate salt values at this link:
https://api.wordpress.org/secret-key/1.1/salt/ Just paste the contents
in and replace the old ones.

Cheers,

Roger



More information about the Nottingham mailing list