I am using WordPress on my server, the latest version (3.3.1).
A few days ago I noticed that someone created an account in my blog; I received an email, but didn't pay much attention to it. Later I saw the name of the user was root and it had the administrator role.
I was then told by a reader of my blog that the browser was notifying that the blog had a malicious script.
I have had the blog down since then (two days), and just got it back up now to better analyse it and ask for help here.
The URL is:
There is no change to the file system since the day the user was created. I was backing up all DBs on my server, but unfortunately it seems that my backup script called via cron wasn't working properly.
I couldn't find any clue in the source of the malicious call to the malicious Java applet, nor where it is located in the blog. I checked the posts, and couldn't find any change done to them. The Java applet shows up in every single page in the blog, main page and post pages.
I already read the help pages on hacking but nothing helped to find the culprit.