1. Save your database now.
2. Download everything else.
3. Delete ALL wp- files.
4. Delete the themes folder and everything in it.
That should take care of bad files.
Now upload new wp files.
CHMOD every single file to 644.
Check it’s all working, then take it from there.
Do NOT upload anything from the old themes directory if you can help it – it’s the most likely way in.
You could tell your host too – but they’ll blame WP… which it is not.
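The permission step from the list above, as an added example that is not part of the original post: it reports files that are group- or world-writable or executable, then sets every file to 644. The function names and the web-root argument are assumptions, and setting directories to 755 so the web server can still traverse them is an addition the post does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): audit and normalize permissions
# in a freshly uploaded WordPress tree. Function names are hypothetical.

# List regular files that are group-writable, world-writable, or
# owner-executable. After a clean upload none of these should exist.
audit_perms() {
    find "$1" -type f \( -perm -020 -o -perm -002 -o -perm -100 \) -print
}

# Set every file to 644 as the post recommends. Directories get 755
# (assumption: they need the execute bit to remain traversable).
normalize_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Count regular files whose mode is not exactly 644.
count_nonconforming() {
    find "$1" -type f ! -perm 644 -print | wc -l | tr -d ' '
}

# Run against a web root given as the first argument, e.g.
#   sh fixperms.sh /path/to/webroot     (path is a placeholder)
if [ -n "${1:-}" ]; then
    echo "Files with loose permissions before the change:"
    audit_perms "$1"
    normalize_perms "$1"
    echo "Files not at 644 after the change: $(count_nonconforming "$1")"
fi
```

Keep the audit output: a file that was world-writable or executable before the change is worth comparing against a clean copy of the same WordPress release.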
I personally recommend you change hosts. Or at least ask your current host to put you on a *different server*, and tell them why. You’re not sure how he got in, right? Was it through WordPress, an insecure plugin, or through another way entirely? He might have installed something to easily let him in again, which is why I recommend being moved to a new server.
Do you have a backup of your mysql database? That’s the main thing you want, as it’s your ‘content’.
Shoot! And I’m here running an alpha version of WP. =P Just to play it safe, I’d better back up everything as well.. [rolls eyes] Damn hackers!
spencerp
The last time I got hacked, I’m pretty sure they got through an “un-updated” version of the Coppermine Photo Gallery.. then from there, they went “happy”!
Saw this in response: I figured it out. It was a PERL hack related to the Movable Type PluginManager.
Can’t verify yet…
Update:
1. backed everything up
2. deleted everything
3. getting new WP files now
I posted these bastard hackers on Digg. I hope it gets on the front page and that they’re caught.
Was “wp-blog-header.php” found on an index page? The theory is that redworm only attacks the index page of your site.
It would look like this on your index page.
<? require("wp-blog-header.php"); ?>
or
<? require("header.php"); ?>
It’s trying to call the file from index.php but it can’t be found.