Title: WillyF's Replies | WordPress.org

---

# WillyF


## Forum Replies Created

Viewing 1 replies (of 1 total)

 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [WP 2.7 Blog Hacked](https://wordpress.org/support/topic/wp-27-blog-hacked/)
 *  Thread Starter [WillyF](https://wordpress.org/support/users/willyf/)
 * (@willyf)
 * [17 years, 4 months ago](https://wordpress.org/support/topic/wp-27-blog-hacked/#post-952435)
 * Hi everyone,
 * Sorry to leave you all hanging.
 * I tried replying to this post on the day that I originally posted it, but it 
   told me that the post didn’t exist. I’d imagine that maybe some of the text in
   my post got flagged as spam.
 * Although I don’t have a definitive answer, I do have some more information on
   how the hack happened.
 * After doing some more looking through my file structure, I found that every directory
   that was writable had files that took the form 194255.php. These were mostly
   in my /wp-content/uploads and folders within those, as well as folders within
   /wp-includes. These files were all uploaded on 10/6/08, which was well before the
   2.7 update. The files contained base64 code that was quite obviously malicious.
   I have 5 WP installs on my site, and these files were in the same directories
   of all of them. It’s definitely possible that some of these blogs were not updated
   properly at the time (early October).
 * These files, however, don’t appear to have been responsible for the malicious
   code that was inserted. I also found a file called gzmod.php in my plug-ins folder.
   This file was last edited on 1/6/09 and it also included base64 code. I am not
   sure when it was initially uploaded, but I’m almost positive that it was some
   time after I updated to 2.7 on 12/10. I’m not sure if the other malicious files
   allowed for the upload of this file, but I’m almost positive that this is the
   file that was responsible for the malicious code.
 * I don’t have a full file backup (only database backups) from the period between
   10/6/08 and 1/6/09 to check when the gzmod.php file was inserted, but I have 
   asked my host to look into it. They have not gotten back to me yet.
 * I have no proof that the two types of hacks are related, but it would make sense
   that one enabled the other. Does anyone have insight into this?
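
A sweep for the indicators described in the post above (all-digit `.php` names, PHP under `wp-content/uploads`, base64 content), as an added example that is not part of the original post or of WordPress. It assumes the base64 code was decoded with PHP's `base64_decode()`; `scan`, `build_sample` and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

NUMERIC_PHP = re.compile(r"^\d+\.php$", re.I)  # names like 194255.php, as in the post
B64_CALL = re.compile(rb"base64_decode\s*\(")  # assumption: base64 code decoded at run time

def scan(root):
    """Return sorted (relative_path, reasons) for PHP files matching the post's indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if NUMERIC_PHP.match(name):
                reasons.append("numeric-name")
            # Media upload directories should not contain PHP at all.
            if "/wp-content/uploads/" in "/" + rel:
                reasons.append("php-in-uploads")
            with open(path, "rb") as fh:
                # Legitimate code also calls base64_decode: a hit means "review", not "infected".
                if B64_CALL.search(fh.read()):
                    reasons.append("base64_decode")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample(root):
    """Write a constructed tree laid out like the one the post describes."""
    b64 = b"<?php $x = base64_decode('Y29uc3RydWN0ZWQ='); ?>"  # decodes to "constructed"
    sample = {
        "blog1/wp-content/uploads/2008/10/194255.php": b64,
        "blog1/wp-includes/js/194255.php": b64,
        "blog1/wp-content/plugins/gzmod.php": b64,
        "blog1/wp-content/plugins/hello.php": b"<?php // clean plugin ?>",
        "blog1/wp-content/uploads/2008/10/photo.jpg": b"\xff\xd8\xff",
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reasons in scan(tmp):
            print(f"{rel}: {', '.join(reasons)}")
```

Run against a real web root, `scan()` covers every install under it in one pass, which matters when several blogs share an account as in the post.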
