Yes, you are.
I don’t believe that – this was clearly a well-executed exploit of some known issue. I may be the only person looking at this thread having this experience, but definitely not the only person. This hack was too well-crafted.
And nobody can look at your code for you. If the functionality exists, then it exists on the site.
I don’t expect anyone to look at my code! I’m just looking for tips on where else to look, since I’ve tried all of the obvious things. That’s what communities are for.
OK, an update: Since I had grepped everything every which way to Sunday, I dropped all Akismet spam, did a mysqldump, and searched that for the terms in question. I found them in a VERY long INSERT INTO wp_options statement, connected with Magpie RSS. The blog in question is using the RSS module for sidebar widgets, so I’m wondering whether there could have been an exploit in that. Anyway, that gave me a clue, so I found every row in the table that mentioned Magpie and deleted them. Was sure that would fix it, but nope – the problem persisted.
Then I thought there must be an RSS cache somewhere, but could not find one.
Finally, I backed up the DB, did an XML export, moved the install out of the way, dropped the DB, and started over. After importing the XML into a fresh copy of WP, the problem went away. This means one of two things: A) The problem was in a file that the 2.3 upgrade didn’t touch (and that was grep-resistant) or B) the problem data was still in the database, but obfuscated so as to not be searchable. And it must have been some data that the XML exporter didn’t export.
So now the blog is clean again. I’ve changed the MySQL password, and am not using the RSS sidebar widgets until I find out more. But I’m having trouble finding out more – just can’t find a reference to this problem anywhere. Very weird.
Scot
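
The "obfuscated so as to not be searchable" possibility from the post above, as an added example that is not part of the original thread: a Python script that looks for a term in option values under base64, rot13 and zlib/deflate layers, where a plain grep of the dump finds nothing. The option names, values and search term are constructed for the example; loading real rows from a wp_options table or a mysqldump file is assumed to happen elsewhere.

```python
import base64, codecs, re, zlib
# Runs of base64 text (whole 4-char groups, optional padding), 24+ chars long.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){6,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

def layers(data):
    """Yield (label, decoded) for each encoding that can be peeled off data."""
    yield "rot13", codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    for wbits, label in ((47, "zlib/gzip"), (-15, "deflate")):
        try:
            yield label, zlib.decompress(data, wbits)
        except zlib.error:
            pass  # not compressed this way
    for m in B64_RUN.finditer(data):
        yield "base64", base64.b64decode(m.group(0))

def peel(blob, max_depth=4):
    """Yield (path, data) for blob and every layer reachable by decoding it."""
    seen, stack = set(), [("plain", blob, 0)]
    while stack:
        path, data, depth = stack.pop()
        if data not in seen:
            seen.add(data)
            yield path, data
            if depth < max_depth:
                stack.extend((f"{path}>{lab}", child, depth + 1) for lab, child in layers(data))

def find_hidden(rows, terms):
    """Return sorted (option_name, term, path) for each term found in any layer."""
    hits = set()
    for name, value in rows:
        for path, data in peel(value):
            low = data.lower()
            hits.update((name, t, path) for t in terms if t.lower().encode() in low)
    return sorted(hits)

# Constructed sample: option names, values and the search term are made up.
TERM = "example-spam-term"
_html = b'<a href="http://spam.example/">example-spam-term</a>'
_c = zlib.compressobj(wbits=-15)  # raw deflate, the form PHP's gzinflate() reads
SAMPLE_ROWS = [
    ("blogname", b"My Weblog"),
    ("constructed_option_a", b's:72:"' + base64.b64encode(_html) + b'";'),
    ("constructed_option_b", base64.b64encode(_c.compress(_html) + _c.flush())),
    ("constructed_option_c", codecs.encode(_html.decode(), "rot13").encode()),
]

if __name__ == "__main__":
    for name, term, path in find_hidden(SAMPLE_ROWS, [TERM]):
        print(name, term, path)
```

The `path` column shows which layers had to be removed before the term became visible, which tells you what to look for in the code that reads the option back.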