Barneyntd

@jprice: I wiped everything, installed the latest WP, plugins & theme, and imported the database from a month ago, which I was certain was clean (it’s not a high traffic site). Then I changed all the admin passwords, which are in the database. The few posts this lost I imported one by one, checking all the data. I’ve not had any repeats so far.

I haven’t found any hacks to the files at all (though I might have missed something subtle); all the hacks were in the database. So far I have found three changes, all in wp_options:

(4, ‘blogname’, ‘Hacked by walangkaji – The Crows Crew’, ‘yes’),
(36, ‘blog_charset’, ‘UTF-7’, ‘yes’),
(89, ‘widget_text’, ‘a:2:{i:2;a:3:{s:5:”title”;s:0:””;s:4:”text”;s:178:”<script>document.documentElement.innerHTML = unescape(”%48%61%63%6b%65%64%20%62%79%20%77%61%6c%61%6e%67%6b%61
%6a%69%20%2d%20%54%68%65%20%43%72%6f%77%73%20%43%72%65%77”);</script>”;s:6:”filter”;b:0;}s:12:”_multiwidget”;i:1;}’, ‘yes’),

I think it’s the ‘widget_text’ which causes the blank screens and other problems: half my sidebar was missing, which is probably everything from this point down.

Still no clue how he did it.

Barney.