lostpencil

I too had this occur today. Kaspersky whined at me that I was trying to download a trojan when I went to my blog. Using phpAdmin search I found two ‘wp-stats’ injections and a ‘noscript’ injection as mentioned on this thread. So it seems to me that the injection directs you to a site that wants to download a trojan. I immediately upgraded to wp 2.3.2 (I was previously running 2.2).

Since I don’t get a lot of user comments I did find that the injection seems to correlate to a user making a comment. I received a moderation email from wordpress yesterday which looked really odd (and was the only one):

A new comment on the post #3 "Welcome" is waiting for your approval
http://www.lostpencil.com/wordpress/?p=3

Author : +AFw-')/* (IP: 80.68.6.214 , 80.68.6.214)
E-mail :
URL    : http://ekibastos
Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=80.68.6.214
Comment:
<strong>ekibastos</strong>

ekibastos

So I turned off comments. I suspect that the injection occured through making the comment. Just in case I also renamed the xmlrpc.php file in the wordpress directory… by the way, when is this file used by WordPress and will that break anything important?

Anyway, I hope that helps.

Cheers,
Paul