We are seeing a new batch of "rebots.php" infections on WordPress, and one thing intrigues us. On many of the sites we are analysing, WordPress is up to date and no suspicious backdoors or plugins were found. Everything is in order except for the JavaScript injected into the theme.

The only thing these sites have in common is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:



So it seems someone was able to steal the wp-admin password and edit the theme. The edit was automated, since no CSS or .js files were loaded, as they would have been in a normal browser session.

Another interesting point is that on some of these sites we didn't identify any brute-force attack trying to guess the passwords. Just this single login.
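The pattern described above (one login, a theme-editor modification, no CSS or JS requests) can be searched for in a web server access log. This is an added example, not Sucuri's own tooling; it assumes the Apache/nginx combined log format, and the sample lines, addresses and the `max_logins` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2000:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2000:03:14:02 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2000:03:14:03 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2000:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2000:09:00:01 +0000] "GET /wp-admin/css/colors.css?ver=1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2000:09:00:02 +0000] "GET /wp-admin/js/common.js HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2000:09:00:30 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Jan/2000:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2500 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Jan/2000:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2500 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Jan/2000:11:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Jan/2000:11:00:03 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ASSET_RE = re.compile(r'\.(?:css|js)$', re.I)

def find_suspect_clients(log_text, max_logins=1):
    """Return sorted IPs that logged in, then POSTed to the theme editor, and never fetched CSS/JS."""
    stats = defaultdict(lambda: {"logins": 0, "edited": False, "assets": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, url, _status = m.groups()
        path = url.split("?", 1)[0]  # drop the query string before matching
        s = stats[ip]
        if method == "POST" and path.endswith("/wp-login.php"):
            s["logins"] += 1
        elif method == "POST" and path.endswith("/wp-admin/theme-editor.php") and s["logins"]:
            s["edited"] = True  # theme change submitted after a login from the same IP
        elif ASSET_RE.search(path):
            s["assets"] += 1  # a browser session would normally load these
    # max_logins (assumed threshold) separates the single-login case from password guessing
    return sorted(ip for ip, s in stats.items()
                  if s["edited"] and s["assets"] == 0 and 1 <= s["logins"] <= max_logins)

if __name__ == "__main__":
    print(find_suspect_clients(SAMPLE_LOG))
```

Clients behind a shared proxy or with cached assets can blur the result, so treat a hit as a lead to review alongside the theme file's modification time.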

Since we don't know how these passwords were stolen, we recommend changing your wp-admin password as soon as possible until we have more information (especially if you have been compromised with the rebots.php injection).