I think I’ve been hacked, but I’m not sure.
I have found at least 3 files, added to my site on Apr. 15. ad_wp-password.php, and then in plugins ad_hello.php and inside plugins/akismet there was ad_akismet.php.
So – I’ve removed or renamed the files in question. (They all seem to be the same php code with the different names).
I changed my admin password. Deleted all of my subscribers (they are all questionable anyway); checked the user table with PHPMyAdmin and there is only one user which is the admin. I changed the mysql password as well.
I’ve not seen any posts with hidden iframes (guess that’s the next thing to look for);
The thing that made me look for something was the presence of some off the wall incoming links (spammy looking comments from non-existent websites like demoniashoes.yourshoestore.com/2008/04/06/emmaus (the title and the date are appropriate for a post on my site, but host is all wrong – not even in the ballpark).
Is there anywhere else I should look? I think this might be something that is indeed left over from being hacked under 2.3.2 or 2.3.3 a couple of months ago. that one just put a whole hidden folder of pages in wp-content.
I have a copy of the code if anyone should see it in order to figure this out.
- The topic ‘2.5 – maybe hacked’ is closed to new replies.