[wp-hackers] WP exploit , was Re: [Webmaster Central Help] Site hacked.
harish.mlists at gmail.com
Wed Dec 2 17:28:31 UTC 2009
Mike Little wrote:
> 2009/12/2 Malaiac <malaiac at gmail.com>
>> Ok. The base64 statement was in ./wp-includes/locale.php, at the end
>> of the file. The file seems a legit one to me, so I guess the lien was
>> added by the exploit... ?
>> I removed the lines, and I'm going to check it stays like that.
>> FYI, the lines were :
>> $V210305394="VlE+KSk0..... SNIP
> It won't fix the problem. That line was added by some other code running on
> your sever. Next time it could be added to a different file, with a
> different variable name and a different encoding scheme.
> Did you do the download and compare?
> You should also compare your themes and plugins against the originals too.
In general (I think) it also makes sense to keep your web sites under
revision control. So you can easily see what's been changed and when,
allowing for easily spotting and reverting things like this.
More information about the wp-hackers