Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hey boscardin, what types of files are you seeing? Has anyone seen a full analysis of this hack other than the links mentioned here?

    So far it seems like my cleanup went okay but maybe I should be looking for more signs.

    All of my sites were hit by this, about five hosted on Media Temple. I’m sure the spam-bot went for the popular ISP IP ranges when scanning for WP installations.

    If it helps anyone, I did the following per recommendations from this article.

    This page was a lifesaver:
    http://wordpressphilippines.org/blog/has-your-wordpress-been-hacked-recently/

    1. keep searching for wp-info.txt to make sure it’s not around, if so, delete it.

    find . -name 'wp-info*'

    2. get rid of all _new _old .jpgg .giff and .pngg

    find . -type f \( -name '*_new*' -o -name '*_old*' -o -name '*.jpgg' -o -name '*.giff' -o -name '*.pngg' \) -exec rm '{}' \;

    3. find all instances of the backdoor, which looks like

    <?php if(md5($_COOKIE['_wp_debugger'])=="randomhash"){

    Use grep to find this:

    grep -ril '_wp_debugger' .

    Then do a global search and replace (for now) to replace _wp_debugger with ‘unknown’

    find . -name '*.php' -print0 | xargs -0 perl -pi -e 's/_wp_debugger/unknown/g'

    4. I upgraded all installations to 2.5

    5. I used phpmyadmin to remove the hidden ‘wordpress’ user account from the wp_users table in the database

    6. I reset all user passwords by replacing the MD5 hash through the database directly.

    I don’t trust what files this hack might have tainted. For example, does it know when I’ve used the admin tools to reset passwords?

    My questions:

    – Does WordPress have any more details about what files this hack has tainted?
    – Do we know how the wp-info.txt file would be generated? I didn’t see it in my folders, so I’m a little worried that it created a cron job or something that hasn’t kicked off yet – any ideas?
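The find/grep steps in the post above can be combined into a single read-only indicator scan. The POSIX shell script below is an added example, not code from the forum post or from WordPress; the function names `wp_scan`, `wp_scan_count` and `make_sample_tree`, and the sample site tree the script builds, are constructed for illustration. It reports every match instead of deleting, so whoever is cleaning up can review the hits first, and it checks all three indicator classes the post lists (the dropped wp-info file, the renamed/copied `_new`, `_old`, `.jpgg`, `.giff`, `.pngg` files, and PHP files carrying the `_wp_debugger` cookie marker) in one pass.

```shell
#!/bin/sh
# Added example (not from the forum post): read-only scan for the indicators
# described in the thread. Nothing is deleted; each hit is printed with its kind.

# Print every indicator found under the directory given as $1, one per line.
wp_scan() {
    root="$1"
    # Dropped file the post mentions (wp-info.txt and variants).
    find "$root" -type f -name 'wp-info*' -print | sed 's/^/dropped-file: /'
    # Renamed/copied artefacts left next to the originals.
    find "$root" -type f \( -name '*_new*' -o -name '*_old*' \
        -o -name '*.jpgg' -o -name '*.giff' -o -name '*.pngg' \) -print \
        | sed 's/^/suspect-name: /'
    # PHP files containing the cookie-keyed backdoor marker.
    grep -rl --include='*.php' '_wp_debugger' "$root" | sed 's/^/backdoor-marker: /'
}

# Number of indicators under $1 (handy for scripts and for a quick "is it clean?" check).
wp_scan_count() {
    wp_scan "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (hypothetical files, for demonstration only)
# and print its path. Contains one hit of each kind plus one clean PHP file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    printf 'dump\n' > "$d/wp-info.txt"                              # dropped file
    printf 'x' > "$d/wp-content/uploads/photo.jpgg"                 # bogus extension
    printf 'x' > "$d/wp-includes/functions_old.php"                 # _old copy
    printf '<?php echo "clean";\n' > "$d/wp-includes/clean.php"    # should not match
    # Constructed marker line carrying only the cookie name from the post.
    printf '<?php if(md5($_COOKIE[%s])=="randomhash"){ /* ... */ }\n' "'_wp_debugger'" \
        > "$d/wp-includes/bad.php"
    printf '%s\n' "$d"
}

# Demo on the constructed tree. For a real site: wp_scan /path/to/site
sample=$(make_sample_tree)
wp_scan "$sample"
rm -rf "$sample"
```

Run it once before and once after cleanup; a non-zero `wp_scan_count` after cleanup means something listed in the post was missed. Because the scan only reports, it is safe to run repeatedly (for example from cron) to catch a re-infection or a delayed drop of wp-info.txt.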
