OK - the dust has settled and my WordPress site is now clean.
My site was hacked by the Filesman (http://labs.sucuri.net/db/malware/backdoor-phpfilesman02) PHP backdoor which enables a hacker to install, modify and delete nearly ANY file on the WordPress site; PHP and .htaccess files were targeted in my case.
Here's how the hack works:
1. The hacker gained access to my site via one of at least four or maybe five vulnerabilities that have been documented and since fixed over the past 12 months in a variety of plugins, theme (paid, not free) or TimThumb (thumb.php). Because there's no central mechanism or clearinghouse that I'm aware of for receiving notifications of vulnerabilities and fixes across all themes and plugins, my site was exposed for months.
2. Filesman backdoor installed by the hacker. Not in one place, but many. Sometimes it was a new file masquerading as a legitimate file with a similar name, other times new code added to an existing PHP file in WordPress, the theme or plugin.
3. The hacker used the Filesman backdoor to insert the "drive-by download" malware code in a number of WordPress, theme and plugin PHP files. My .htaccess was also modified to allow foreign access. My site was acting as a "Typhoid Mary" (http://en.wikipedia.org/wiki/Typhoid_Mary) vector to infect website visitors.
4. Hopefully, the web site visitor's anti-virus software will block the drive-by trojan to prevent a PC infection. If not, the trojan infects the visitor's computer - which is the ultimate goal - to do any of a number of things such as spyware to steal online banking passwords, taking remote control of the PC, distributing spam, etc.
My home desktop was infected by the JS:Kryptik-D. The website malware was further identified as the Backdoor:PHP/Seqangle exploit. McAfee and MalwareBytes missed the Kryptik-D trojan in the drive-by download. Microsoft Security Essentials, Microsoft ForeFront and Avast Internet Security all detected, removed and blocked future downloads of the trojan. This isn't a comment on the anti-virus programs, rather the arms race of constantly updating virus signatures. I am now running Avast Internet Security and really like it.
The difficulty of removing the WordPress site malware is you cannot rely on looking at file dates for changed files because the PHP malware uses programming calls to reset the infected PHP file back to its original date.
The only way to detect the infected PHP files is to:
A. Manually examine each file if you're an expert and know what to look for. One of the PHP malware infected files had a nicely commented and formatted function to blend in with the standard WordPress code! And that new function did not contain obfuscated code.
B. Compare file checksums (binary equivalents) and file sizes against the known "clean" base release of WordPress, the theme and plugins. Impractical to do without automated tools.
C. Examine the MySQL database for infections - a very cumbersome effort due to the large database size and formatting of a SQL dump. A security expert is needed here.
The solution was a multi-layered approach:
1. Hire a security professional to diagnose and clean the WordPress site. An examination of the raw server logs and automated scan tools are essential.
2. Install a WordPress firewall plugin and server-side scanning script to monitor for all changes and block bad IP addresses.
3. The security professionals hardened .htaccess and other items to prevent access to files, execution of PHP in certain directories, obtaining directory listings, etc.
4. Change ALL passwords: CPanel, MySQL, WordPress.
5. Delete any plugins and unused themes that you can do without to reduce the possible set of vulnerabilities and total file count on the server. Reducing the file count makes the "finding the needle in the haystack" situation easier. When I look at some of the plugin PHP code and see URLs to Amazon Web Services (AWS) and remote web sites, it makes me cringe.
6. Check the Security and Firewall logs daily for suspicious activity: changed files, successful & failed logins, etc.
The WordPress firewall constantly blocks access from "bad" IP addresses (hackers, spammers), shows that hackers are constantly trying to guess the Admin WordPress password (delete the Admin user now if you haven't already!), trying to access now-fixed exploits in WordPress and plugins, and execute PHP files remotely (e.g. http://www.mysite.com/wp-includes/somefile.php).
My advice is:
* If you haven't signed up with a WordPress security service and installed a WordPress firewall, then you're either already hacked and don't know it, or it's just a matter of time before you are hacked. The analogy is not running an anti-virus program on your home computer.
* Use plugins very sparingly and check the change logs regularly.
* Check the change log, blog or Twitter feed for your WordPress theme for any notices on a regular basis.
* Make regular full site backups and save these offline for long term storage. My hosting provider's nightly, weekly and monthly backup service (a premium service) was very helpful.
Hope this helps.
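As an added example (not code from the original post, and not a tool the poster or their security service used), the checksum-based detection described in point B above, written so that it also shows why point 9's warning about file dates matters: the script records a SHA-256 baseline of every file under a site root, then reports files whose content changed, files that were added (look-alike names beside legitimate ones) and files that went missing. Timestamps are deliberately not consulted; the demo function builds a small constructed "WordPress" tree, appends a stand-in function to an existing PHP file, restores that file's original mtime the way the post says the malware does, drops a look-alike file, and verifies that the hash comparison still catches both. The site root path and all file contents are constructed for the demonstration.

```python
"""Baseline-and-verify file integrity check for a web root (added example).

In real use: build_manifest() on a freshly unpacked, known-clean release of
WordPress, the theme and the plugins; store that manifest offline; run verify()
against the live site. Only content hashes and sizes are compared, never mtimes.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative POSIX path under root to its sha256 and size."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": file_sha256(p), "size": p.stat().st_size}
    return manifest


def verify(root, baseline):
    """Compare the current tree with a baseline manifest.

    Returns sorted lists of modified (content differs), added (not in the
    baseline) and missing (in the baseline but gone) relative paths.
    """
    current = build_manifest(root)
    modified = sorted(p for p in current
                      if p in baseline and current[p]["sha256"] != baseline[p]["sha256"])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: injected code with the original mtime restored.

    Returns the verify() result plus a flag showing the mtime was unchanged,
    i.e. a date-based check would have missed the modified file.
    """
    root = Path(tempfile.mkdtemp())
    try:
        (root / "wp-includes").mkdir()
        legit = root / "wp-includes" / "functions.php"
        legit.write_text("<?php\nfunction wp_hello() { return 'hello'; }\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")

        baseline = build_manifest(root)  # taken while the tree is clean

        # Simulate new code appended to an existing PHP file (constructed stand-in,
        # a harmless extra function), then restore the original timestamps.
        before = legit.stat()
        legit.write_text(legit.read_text()
                         + "\n// constructed stand-in for injected code\n"
                         + "function wp_extra() { return 1; }\n")
        os.utime(legit, ns=(before.st_atime_ns, before.st_mtime_ns))

        # Simulate a look-alike file dropped next to the legitimate one.
        (root / "wp-includes" / "functions_.php").write_text("<?php // constructed look-alike\n")

        result = verify(root, baseline)
        result["mtime_unchanged"] = legit.stat().st_mtime_ns == before.st_mtime_ns
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline must come from a clean copy of exactly the same release versions that are deployed; a manifest taken from an already compromised site only proves that nothing changed since the compromise. Anything reported as added under wp-includes or wp-admin, or any PHP file at all under wp-content/uploads, deserves a look regardless of what its timestamp says.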