Yeah, there are a lot of posts on here about that, including a thread I started yesterday.
http://wordpress.org/support/topic/316011?replies=9
Mine didn’t come from a dirty theme, as I make all my own themes. But yeah, every single php file I had, on all my sites, got infected… I’m still waiting to see what permanent damage was done after the cleanup.
It’s truly nasty.
Why can’t eval scripts be blocked altogether on a server? Wouldn’t that solve this problem?
Sure it would force a few javascript plugins to rethink.
Looks like the problem is more serious, as I estimated. My website is closed by the provider. He’ll try to restore the files from a backup and fix the exploited files. Looks like the exploit is downloading a virus to the client PCs and infected some other websites. Anyway take good care before downloading themes from outside wordpress.org.
… every single php file I had, on all my sites got infected.
and THAT’S a sure sign of malware on a machine that you are using.
Actually, I’m pretty sure it’s not the machine I’m using. I use a laptop that’s freshly formatted and very secure… and I rechecked it last night multiple ways… it’s clean. The only other computer I use is at work, and that’s very secure, also clean.
One thing to check out… I believe I may have tracked the issue down on the simplemachines.org forum, if you are using an install of that software. Anything other than the latest version (1.x or 2.x) of the simplemachines forum was vulnerable to a hack that came in with a certain user. If you use simplemachines, and have a user called krisbarteo, then most likely you got hacked. You can check it out over there, but it results in the same base64_decode problem. Basically a lot of the people over on that forum noticed spammy links hidden on their forum (I never got that), but on further investigation, all their php files on their server for any site had the base64 business on it.
So I can’t even tell where my hack came in at. I noticed it first on my wordpress, but it very well may have come in through my forum.
My site has been hacked three times in the last 2 weeks. I have all the security plugins and have changed multiple settings including chmods, auth keys, .htaccess, and admin user names. I have all the newest versions and multiple forms of protection on my local machine.
Go Figure…
You’ve gone through every folder on your host? It’s a pain…
I think I’ve finally got everything clean. I had a test.php file hidden 3 levels deep in my shop in a different directory.
I just found 2 more whatever.php files in a 2008 uploads folder of a different WP install.
Those allowed people to change my main WP install… the only way I found them was by noting the timestamp of an altered file, then checking my server logs for that exact time to see what happened.
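The cleanup checks described in the posts above (stray PHP files under uploads folders, the base64_decode injection, and matching an altered file's timestamp against the server log), sketched as an added example that is not part of the original thread. The function names are hypothetical, the log is assumed to use Apache-style bracketed timestamps, and the sample tree and log lines are constructed.

```python
import os, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")
LOG_TIME = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
FMT = "%d/%b/%Y:%H:%M:%S %z"

def scan_tree(root):
    """Map each PHP file worth a manual look to the reasons it was flagged."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            reasons = []
            if "uploads" in rel.split(os.sep)[:-1]:
                reasons.append("php under uploads")  # uploads should hold media only
            with open(path, "rb") as fh:
                if EVAL_B64.search(fh.read()):
                    reasons.append("eval(base64_decode(")
            if reasons:
                findings[rel] = reasons
    return findings

def log_lines_near(lines, when, window=60):
    """Access-log lines stamped within `window` seconds of aware datetime `when`."""
    def near(line):
        m = LOG_TIME.search(line)
        return bool(m) and abs((datetime.strptime(m.group(1), FMT) - when).total_seconds()) <= window
    return [line for line in lines if near(line)]

def demo():
    """Constructed sample tree and log lines; nothing here comes from the thread."""
    root = Path(tempfile.mkdtemp())
    up = root / "wp-content" / "uploads" / "2008"
    up.mkdir(parents=True)
    (up / "whatever.php").write_text("<?php /* placeholder */ ?>")
    index = root / "index.php"
    index.write_text("<?php eval(base64_decode('ZWNobyAxOw==')); ?>")
    altered = datetime(2009, 10, 1, 3, 14, 7, tzinfo=timezone.utc)
    os.utime(index, (altered.timestamp(), altered.timestamp()))  # pretend it was altered then
    log = ['198.51.100.7 - - [01/Oct/2009:03:14:05 +0000] "POST /wp-content/uploads/2008/whatever.php HTTP/1.1" 200 12',
           '203.0.113.9 - - [01/Oct/2009:09:00:00 +0000] "GET / HTTP/1.1" 200 5120']
    mtime = datetime.fromtimestamp(os.path.getmtime(index), tz=timezone.utc)
    return scan_tree(root), log_lines_near(log, mtime)

if __name__ == "__main__":
    print(demo())
```

On a real host, point `scan_tree` at the web root and feed `log_lines_near` the access log plus the modification time of any file that was flagged.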
What can I do if I suspect that I’ve been hacked? I’m desperately trying to find someone who can help me and who specializes in WordPress Blog viruses. I’ve scanned my blog with all of the online tools and they say that I’m clean, yet I’ve had three people tell me that they couldn’t go to my blog because of a trojan virus warning and all of a sudden, mysterious links and plugins show up on my blog. Please help!