Forum Replies Created

Viewing 1 replies (of 1 total)
  • Forum: Fixing WordPress
    In reply to: WP 2.7 Blog Hacked
    Thread Starter WillyF

    (@willyf)

    Hi everyone,

    Sorry to leave you all hanging.

    I tried replying to this post on the day that I originally posted it, but it told me that the post didn’t exist. I’d imagine that maybe some of the text in my post got flagged as spam.

    Although I don’t have a definitive answer, I do have some more information on how the hack happened.

    After doing some more looking through my file structure, I found that every directory that was writable had files that took the form 194255.php. These were mostly in my /wp-content/uploads and folders within those as well as folders within /wp-includes. These files were all uploaded on 10/6/08 which was well before the 2.7 update. The files contained base64 code that was quite obviously malicious. I have 5 WP installs on my site, and these files were in the same directories of all of them. It’s definitely possible that some of these blogs were not updated properly at the time (early October).

    These files, however, don’t appear to have been responsible for the malicious code that was inserted. I also found a file called gzmod.php in my plug-ins folder. This file was last edited on 1/6/09 and it also included base64 code. I am not sure when it was initially uploaded, but I’m almost positive that it was some time after I updated to 2.7 on 12/10. I’m not sure if the other malicious files allowed for the upload of this file, but I’m almost positive that this is the file that was responsible for the malicious code.

    I don’t have a full file backup (only database backups) from the period between 10/6/08 and 1/6/09 to check when the gzmod.php file was inserted, but I have asked my host to look into it. They have not gotten back to me yet.

    I have no proof that the two types of hacks are related, but it would make sense that one enabled the other. Does anyone have insight into this?
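
A triage sketch for the indicators described in the post above (all-digit `.php` names, PHP files under `/wp-content/uploads`, base64 content, and modification dates for building a timeline). This is an added example, not part of the original post and not WordPress code; matching on `base64_decode(` is an assumption about what "base64 code" looked like, and the sample tree, its file contents and its dates are constructed.

```python
import os, re, tempfile
from datetime import datetime, timezone

NUMERIC_NAME = re.compile(r"^\d+\.php$", re.I)          # e.g. 194255.php
BASE64_HINT = re.compile(rb"base64_decode\s*\(", re.I)  # assumed marker for "base64 code"

def triage(root):
    """Return sorted (relative path, mtime date, reasons) for suspicious PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if NUMERIC_NAME.match(name):
                reasons.append("numeric-name")
            if rel.startswith("wp-content/uploads/"):
                reasons.append("php-in-uploads")  # uploads should hold media, not PHP
            with open(path, "rb") as fh:
                if BASE64_HINT.search(fh.read(1_000_000)):
                    reasons.append("base64")  # also matches some legitimate code
            if reasons:
                day = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).date()
                findings.append((rel, day.isoformat(), reasons))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; file contents are harmless placeholders."""
    marker = b'<?php $s = base64_decode("Y29uc3RydWN0ZWQ="); // constructed sample\n'
    samples = {
        "wp-content/uploads/2008/10/194255.php": (marker, datetime(2008, 10, 6, 12)),
        "wp-content/plugins/gzmod.php": (marker, datetime(2009, 1, 6, 12)),
        "wp-content/plugins/hello.php": (b"<?php // plain plugin\n", datetime(2008, 12, 10, 12)),
    }
    for rel, (body, when) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        ts = when.replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, day, reasons in triage(tmp):
            print(day, rel, ",".join(reasons))
```

A hit on `base64` alone is a lead for manual review, since legitimate code also calls `base64_decode`. Modification times can be changed after the fact, so the dates are hints for a timeline rather than proof of when a file arrived.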
