Received a malware notification from Google Webmaster tools yesterday for my cycling blog, http://cyclocosm.com, informing me that one post and two index pages (yearly for 2012, monthly for June 2012) were putting malware on visiting computers from 3rd-party URLs.
Reading through the malware report, it became evident that a file called wp-count.php was serving up JS downloads to users on page load. wp-count.php wasn't part of a relatively clean WP install I had on a different site, and reading the contents of the file, it began "This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited"—obviously, something was up.
I Googled "wp-count.php" and found some mentions of malware attacks, but no real fixes. Twitter search just pulled up this post in Japanese: http://twitter.com/strive/status/217218845251870722
The site was still on 3.4, so I updated to 3.4.1 and tried deleting and renaming wp-count.php, but it immediately reappeared. The next step I took was to delete the contents of the file, and replace them with a single "0". So far this seems to have worked. Google has re-scanned the site and given it a clean bill of health.
I don't have complete control over my site hosting, so I'm talking with my admin about reinstalling from a previous version, and then reposting the updates I'd made since then.
Anyone else encountering/encountered a similar issue?