Hi all,
on september 4th on of my sites got hacked, seems through an infected theme.
The following 2 variants of malware were inserted into all php files
http://pastebin.com/mAWWG1pZ
and the following file wp-thumb-creator.php was placed in /home/...mydirs.../wp-content/uploads/ with also evil content http://pastebin.com/kQY9Y2Kh
A start for fixing your stuff can be found here
http://www.php-beginners.com/solve-wordpress-malware...
and I wrote a regex myself to check the entire machine for bad files left over, if you know what ssh & bash are, this can help you with the search
pcregrep -i -r -n -M --buffer-size=200K --include=.\.php "<\?php\s*\\\$md5\s*=\s*\"[a-z0-9]*\";\s*\\\$wp_salt\s*=\s*array" . > malcheck.log
2 more links I found with additional info
http://forums.oscommerce.com/topic/379540-site-hack-wp-salt-array/
http://www.reddit.com/r/web_design/comments/k9ks4/i_desperately_need_help...
Hope that can help somebody to clean his server.
Good luck,
hquadrat
