My WordPress site got hit by the same malware and I wanted to share details. The infected files were dated May 7, 2011, about the same time as stubbyd's report.
My site was running either WordPress 3.1.1 or 3.1.2 at the time (I believe 3.1.2). User account creation is disabled. The site had these plugins installed at the time:
- Akismet 2.5.3
- Blackbird Pie 0.5.1 (installed but disabled)
- FeedBurner FeedSmith 2.3.1
- Google Analyticator 6.1.3
- Google XML Sitemaps 3.2.4
- Hello Dolly 1.6 (installed but disabled)
There are no CGI scripts or other custom code located on the server - only WordPress. I did have all WordPress files set with ownership by the Apache user (bad practice, I admit).
In addition to creating the Thumbs.db payload file and appending the PHP reference above to the end of .htaccess, the malware also modified most PHP files in the root WordPress folder (notably not wp-config.php or a couple others) to include an eval() call to its payload wherever it found a <?php open tag. PHP files in WordPress subfolders fortunately weren't modified. Themes and plugins were not infected.
Even better news is that I can't find any evidence of infection in the WordPress database itself. Simply overwriting all the core WordPress files with stock versions seems to eradicate the malware. I also upgraded WordPress to the latest version (3.1.3) and hardened my file permissions so the Apache user can no longer modify files.
I'm convinced this is an underpublicized exploit in WordPress or one of the above plugins. If anyone else who got bit can post their WP and plugin versions, it would help narrow it down. I also found a description of this malware on this site, posted in the past week:
I only discovered my site was infected when Google Webmaster tools alerted me, so fortunately major browsers and search engines should be aware of this one by now. Good luck to anyone else who gets bit.
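The triage the post above describes (eval() injected after open tags, an appended .htaccess line, a Thumbs.db payload, files owned by the web server user) can be turned into a repeatable set of checks. The script below is an added example written for this page; it is not the poster's code and not part of WordPress. Its assumptions are labelled in the comments: that the injected eval() sits within a short distance of a `<?php` open tag, that the appended .htaccess line either names Thumbs.db or adds a directive that makes Apache treat some file as PHP (a stock WordPress .htaccess does neither), and that the payload file is literally named Thumbs.db. The fixture it builds in a temporary directory is constructed sample data; the eval() arguments in it are harmless stand-ins, not the real payload.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress.
# Post-infection triage checks for a WordPress root. Assumptions: the
# injected eval() appears within ~80 characters after a "<?php" open tag;
# the .htaccess addition names Thumbs.db or adds a PHP handler/type or
# auto_prepend/append directive; the payload file is named Thumbs.db.

# List PHP files in which an eval( call closely follows a <?php open tag.
# Newlines are flattened first so an eval on the next line is also caught;
# the character class in front of "eval" avoids hits on names like $retval.
find_injected_php() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        if tr '\n' ' ' < "$f" | grep -qE '<\?php.{0,80}[^[:alnum:]_$]eval[[:space:]]*\('; then
            printf '%s\n' "$f"
        fi
    done
}

# Print "path:lineno:line" for .htaccess lines a stock WordPress install
# never contains: any mention of Thumbs.db, or a directive that makes
# Apache execute something as PHP (handler/type mapping, prepend/append).
find_suspicious_htaccess() {
    find "$1" -type f -name '.htaccess' | sort | while IFS= read -r f; do
        grep -nE 'Thumbs\.db|^[[:space:]]*(AddType|AddHandler|SetHandler|php_value[[:space:]]+auto_(pre|ap)pend_file)' "$f" \
            | sed "s|^|$f:|"
    done
}

# A Windows thumbnail cache has no business in a Linux web root; list any.
find_payload_files() {
    find "$1" -type f -name 'Thumbs.db' | sort
}

# Files owned by the web server user ($2, a name or numeric uid) are files
# the web server can rewrite. After hardening this should list nothing but
# the uploads directory.
find_files_owned_by() {
    find "$1" -type f -user "$2" | sort
}

# Run every check against one root and print a labelled report.
scan_wp_root() {
    echo "== PHP files with eval() near an open tag"; find_injected_php "$1"
    echo "== suspicious .htaccess lines";             find_suspicious_htaccess "$1"
    echo "== Thumbs.db payload files";                find_payload_files "$1"
    echo "== files owned by $2";                      find_files_owned_by "$1" "$2"
}

# Constructed fixture (sample data, not a real infected site): a miniature
# WordPress root with two injected files, two clean ones, a payload file
# and one appended .htaccess line. The base64 decodes to "phpinfo();".
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));?><?php\n/* Front to the WordPress application. */\nrequire "./wp-blog-header.php";\n' > "$d/index.php"
    printf '<?php\n@eval(base64_decode("cGhwaW5mbygpOw=="));\nrequire_once "wp-config.php";\n' > "$d/wp-load.php"
    printf '<?php\ndefine("DB_NAME", "wordpress");\n' > "$d/wp-config.php"
    printf '<?php\nfunction wp_example() { $retval = 1; return $retval; }\n' > "$d/wp-includes/functions.php"
    printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\nAddType application/x-httpd-php .db\n' > "$d/.htaccess"
    : > "$d/Thumbs.db"
    printf '%s\n' "$d"
}

# Demo against the fixture. On a real server, run something like:
#   scan_wp_root /var/www/html apache
fixture=$(make_fixture)
scan_wp_root "$fixture" "$(id -u)"
rm -rf "$fixture"
```

Run it as the owner of the files, or as root, so `find -user` sees every file. The eval() check is a triage heuristic, not a signature: a hit means "inspect this file", and the definitive test remains what the post did, comparing each core file against a stock copy of the same WordPress version (for example `diff -rq stock-wordpress/ /var/www/html/`) and replacing anything that differs.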