• Hi friendly WordPress people,

    Have you seen or heard of a plugin that, if a malicious hacker is able to upload it to your plugins directory, allows them to have all kinds of control over your site, even injecting code into your pages?

    Our sites have been the victim of this type of attack twice. I’ve uploaded a screenshot of the plugin, as accessible by anyone with a web browser here (no password required):

    http://img64.imageshack.us/img64/239/hackerproof.gif

    It doesn’t show up in our plugins list and I don’t usually FTP into my plugins folder to check its contents, so the only way I was able to find out about it was that I happened to be viewing source on one of my pages and noticed a bunch of spam links within a div styled content-display:none. So the hacker even checked which WordPress theme I was using (I have a few installed), and added a custom div style to my style.css.

    At first glance it would appear that for this to work, it has to be in the plugins folder, because why else would they put it in there? Surely there would be a better place to hide this plugin, somewhere that users never look, like in the wp-includes folder. Though at the same time, since that folder might be replaced while the user was upgrading their version of WordPress, perhaps sticking it in plugins was smart after all.

    Since the content doesn’t actually display for users, it would appear that the hacker is trying to use this for SEO purposes (as the text in the hidden div is a bunch of keyword-rich anchor links). Not exactly a genius move since Google doesn’t index text hidden in display:none.

    As for how the hacker was able to upload the files, I don’t know. It may have had to do with our server permissions for that folder (which are now 755 so hopefully it won’t happen again), or it may have been a weak password on the admin account (the password has now been changed to a much stronger one).
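
One way to check for the situation described in the post above, where code sits in the plugins folder but never appears in the plugins list. This is an added example, not part of the original post and not WordPress's own code. It assumes the usual WordPress rule that a plugin is listed only when a PHP file carries a `Plugin Name:` header; the function names and the sample files are made up for illustration.

```python
import os
import re
import tempfile

# WordPress lists a plugin only when a PHP file in wp-content/plugins, or one
# folder below it, has a "Plugin Name:" header within its first 8 KiB.
HEADER = re.compile(rb"^(?:[ \t]*<\?php)?[ \t/*#@]*Plugin Name:[ \t]*\S", re.I | re.M)
STOCK_INDEX = b"<?php // Silence is golden.".split()

def has_header(path):
    with open(path, "rb") as fh:
        return bool(HEADER.search(fh.read(8192)))

def is_code(path):
    # A PHP file other than the header-less placeholder index.php WordPress ships.
    if not (os.path.isfile(path) and path.lower().endswith(".php")):
        return False
    with open(path, "rb") as fh:
        return os.path.basename(path) != "index.php" or fh.read(512).split() != STOCK_INDEX

def unlisted_entries(plugins_dir):
    """Top-level entries that hold PHP code but would not show on the Plugins screen."""
    findings = []
    for name in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, name)
        deep = [os.path.join(d, f) for d, _, fs in os.walk(full) for f in fs] or [full]
        top = [os.path.join(full, f) for f in os.listdir(full)] if os.path.isdir(full) else [full]
        if any(map(is_code, deep)) and not any(has_header(p) for p in top if is_code(p)):
            findings.append(name)
    return findings

def build_sample_tree():
    # Constructed sample; every file and folder name below is made up.
    root = tempfile.mkdtemp()
    files = {
        "index.php": "<?php\n// Silence is golden.\n",
        "gallery/gallery.php": "<?php\n/**\n * Plugin Name: Gallery\n */\n",
        "cachehelper/loader.php": "<?php\n// no header here\n",
        "tools.php": "<?php\n// no header here\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(unlisted_entries(build_sample_tree()))
```

Point `unlisted_entries` at the real `wp-content/plugins` path to run it on a site. A flagged entry is a lead to inspect by hand, since a folder of library code copied in manually can also lack a header.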

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Super Scary WordPress Hacker Plugin’ is closed to new replies.