Yesterday I spent the whole day cleaning my sites and some details came to my attention:
- There was an admin account created: demo (Role: Administrator).
- A lo.php file was uploaded via the Media Uploader with the contents: phpinfo(); apparently to check the server.
We sell WordPress themes and 70% of the themes were hacked. But no other site on the server, so I guess they only had the chance on sites of which they had the URL. All themes were updated to 3.5 but had some not-up-to-date plugins (not very, though).
We did all we could to clean up all attacked installations; Google did a check and no more malware was found tonight. It said it did yesterday.
A weird detail is that I got no email about that admin account that was created. Normally I get an email about a new user on any of our installations.
Now the question is: how did they access that WP Install?
- A bug in WordPress?
- Through a not updated plugin (I think not, because some installs didn't have any third-party plugins)
- Or any other way?
Maybe one of you knows this kind of hacking and can tell me about your experience, because it's all one big question mark for me how they accessed the installs.
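The two indicators in the post (an unexpected administrator account and a PHP file sitting in the media upload directory) are both cheap to check for across many installs. The script below is an added example written for this thread, not code from the poster or from WordPress: it walks a wp-content/uploads tree looking for files that a PHP interpreter might execute (including double extensions such as name.php.jpg), and compares a user list against the set of administrators you actually created. The directory tree and the user records are constructed sample data, and the hypothetical `lo.php` / `demo` values mirror the post; in real use you would point it at the real uploads path and feed it the rows from wp_users/wp_usermeta (or the output of `wp user list`).

```python
import os
import tempfile

# Extensions a typical PHP handler may execute. None of them belong under
# wp-content/uploads, which should only ever hold media files.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


def find_php_in_uploads(uploads_root):
    """Return sorted, slash-separated relative paths of PHP-like files under uploads_root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(uploads_root):
        for name in filenames:
            # Look at every suffix, not just the last one: some server configs
            # run a file like shell.php.jpg through PHP because of the first
            # extension they recognise.
            suffixes = name.lower().split(".")[1:]
            if any("." + s in PHP_EXTENSIONS for s in suffixes):
                rel = os.path.relpath(os.path.join(dirpath, name), uploads_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def unexpected_admins(users, known_admins):
    """Return logins that hold the administrator role but are not in known_admins.

    `users` is an iterable of dicts with 'user_login' and 'roles' (a list of
    role slugs), i.e. the shape you get from wp_users joined with the
    wp_capabilities usermeta row.
    """
    return sorted(
        u["user_login"]
        for u in users
        if "administrator" in u["roles"] and u["user_login"] not in known_admins
    )


def build_sample_uploads():
    """Constructed sample uploads tree: two media files, one planted PHP file,
    one double-extension file. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="wp_uploads_sample_")
    files = {
        "2012/12/header.jpg": b"\xff\xd8\xff",          # genuine image
        "2012/12/lo.php": b"<?php phpinfo(); ?>",         # hypothetical planted file, as in the post
        "2012/11/brochure.pdf": b"%PDF-1.4",              # genuine document
        "2012/11/cat.php.jpg": b"<?php echo 1; ?>",       # double extension trick
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


# Constructed sample user records; "demo" is the hypothetical account from the post.
SAMPLE_USERS = [
    {"user_login": "owner", "roles": ["administrator"]},
    {"user_login": "editor1", "roles": ["editor"]},
    {"user_login": "demo", "roles": ["administrator"]},
]
KNOWN_ADMINS = {"owner"}


if __name__ == "__main__":
    root = build_sample_uploads()
    for rel in find_php_in_uploads(root):
        print("PHP file in uploads:", rel)
    for login in unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print("Unexpected administrator:", login)
```

Run it against every install you host, not just the ones you know were touched; a clean Google check only says no malware is currently being served, not that a dropped file or extra account is gone. A common follow-up hardening step is to have the web server refuse to execute PHP under the uploads directory at all, so a file that does get uploaded there cannot be run.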