So you might have noticed I was hacked pretty nastily on this site and a couple of others. I’d taken my eye off the ball and not done a really close inspection of my WordPress installs in a while, as well as being a bit lax in updating the moment a new version was out.

So What Actually Happened?

A couple of files had been snuck into theme and plugin directories that allowed uploading and editing of other files. If you find the files r.php or temp.php anywhere in your WordPress install, you might want to check on them.

Through these, a file called function.php was added, full of evals and base64-encoded code. The regular WordPress functions.php and load.php had been modified to include the function.php file. This then replaced the normal blog content with all manner of spam.

The Cleanup

With the help of the fine folks at Sucuri, all the corrupted files were put back to normal and the backdoors plugged. I also deleted all unused themes & plugins (unfortunately the otherwise very useful Dreamhost One Click Installs do litter the place with “extras” you might neither want nor need).

For anyone investigating similar hacks, the Linux command to find recently edited files is find . -mtime -1. This will show you anything edited in the last day (replace the 1 with a different number for a different number of days). Though there are ways around Linux file modification times, a cron job checking for recently modified files is helpful for keeping an eye on things.
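Here is an added example, not from the original post, of a small POSIX shell script that wraps that find command for a cron job: it lists PHP files changed in the last N days under a WordPress root, flags those containing the eval(base64_decode(...)) pattern described above, and reports any file named r.php or temp.php. The install path and the crontab line are assumptions for illustration.

```bash
#!/bin/sh
# Added example (not the original post's code): daily check for a WordPress
# install, meant to be run from cron so the output arrives by mail.
# Assumes POSIX find/grep/sort; the install root is passed as the first argument.

# List PHP files under $1 modified within the last $2 days (default 1),
# sorted so two runs can be diffed against each other.
recent_php_files() {
  root="$1"; days="${2:-1}"
  find "$root" -type f -name '*.php' -mtime "-$days" | sort
}

# Of those recent files, print the ones containing eval(base64_decode(...)).
# Legitimate code occasionally matches too, so treat hits as leads for manual
# review rather than proof of compromise.
suspicious_recent_php() {
  recent_php_files "$1" "$2" | while IFS= read -r f; do
    if grep -Eqi 'eval *\( *base64_decode' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Report any file with one of the backdoor names mentioned in the post.
known_backdoor_names() {
  find "$1" -type f \( -name 'r.php' -o -name 'temp.php' \) | sort
}

# Cron-friendly report. Example crontab line (path is a placeholder):
#   0 6 * * * /home/user/bin/wp-check.sh /home/user/example.com 1
daily_report() {
  echo "== PHP files modified in the last ${2:-1} day(s) =="
  recent_php_files "$1" "$2"
  echo "== of those, containing eval(base64_decode(...)) =="
  suspicious_recent_php "$1" "$2"
  echo "== files named r.php or temp.php =="
  known_backdoor_names "$1"
}

if [ "$#" -gt 0 ]; then
  daily_report "$@"
fi
```

Because cron output is mailed to the account owner, an empty "suspicious" section each morning is the quiet signal you want; a non-empty one is worth a look the same day.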

Useful Links