Wordpress.com – Russian malware hidden in home folder

5 points | wyhycu | 2 years ago | pastebin.com

5 comments

wyhycu | 2 years ago
In case anyone else is struggling with random Russian casino posts appearing in your wordpress.com website, I found the culprit.

The instance has 2 folders: htdocs & a read-only wordpress folder with sample content which I cannot alter.

The text in the sample matches the spam posts. "./themes/organic-stax/1.4.6.1/demo/default-demo-content.xml: <content:encoded><![CDATA[Имеется множество формальностей, которые приходиться придер..." (see pastebin link for more)

I have shared this with wordpress support and they stopped replying to my emails. Now I have to check and delete any new posts every day.

Will update if wordpress.com finally addresses this.

wyhycu | 2 years ago
Update: wordpress.com has removed/replaced the file, it appears. Support case still unaddressed but root problem is solved. No more mystery posts.

stefanos82 | 2 years ago
I have tried to find this content and could not for some reason.

Can you please try with `curl` command to produce the pastebin output so we can test it from our side?

UPDATE: Never mind, I have found it!

barsxl | 2 years ago
Thanks for the heads up. We have removed this file from the platform for now while we review.

aheckler | 2 years ago
I work at Automattic (but not on WordPress.com) and I've pinged some folks to take a look at this.