What the hack

If you suddenly have a file called kubrickbg_old.jpg in your WordPress installation, your PHP scripts contain weird eval base64 encoded parts, and the directory ./wp-includes/js/tinymce/themes/advanced/images/xp contains files it shouldn’t, then you, like me, have probably been hacked. Good thing Google Analytics tells me.

Remember to remove the ‘WordPress’ user, too. It’s not actually part of WordPress. Neither are the postings with an attachment of ro8kbsmage. And uploaded files should go to wp-content/uploads, not to ../../../../tmp

It’s time to update the WordPress installation, anyway.
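The file-system signs listed above can be checked with a short script. This is an added example, not code from the original post; the function names, the image-extension allow-list for the xp directory, and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Indicators from the post. Assumptions: the image allow-list, and that the
# eval may wrap base64_decode( in other calls such as gzinflate(.
DROPPED_NAME = "kubrickbg_old.jpg"
XP_DIR = os.path.join("wp-includes", "js", "tinymce", "themes", "advanced", "images", "xp")
IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg"}
EVAL_B64 = re.compile(rb"eval\s*\((?:\s*@?\w+\s*\()*\s*base64_decode\s*\(", re.I)

def scan(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == DROPPED_NAME:
                findings.append((rel, "dropped file name"))
            if rel_dir == XP_DIR and ext not in IMAGE_EXTS:
                findings.append((rel, "non-image file in images/xp"))
            if ext in {".php", ".phtml", ".inc"}:
                with open(path, "rb") as fh:
                    if EVAL_B64.search(fh.read()):
                        findings.append((rel, "eval of base64-decoded data"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: a tiny fake WordPress tree with planted indicators."""
    samples = {
        "index.php": b"<?php require('./wp-blog-header.php'); ?>",
        "wp-content/themes/default/footer.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "wp-content/themes/default/images/kubrickbg_old.jpg": b"not really a jpeg",
        "wp-includes/js/tinymce/themes/advanced/images/xp/tab_bg.gif": b"GIF89a",
        "wp-includes/js/tinymce/themes/advanced/images/xp/x.php": b"<?php echo 1; ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan(tmp):
            print(f"{reason}: {rel}")
```

The ‘WordPress’ user, the odd attachments and hidden divs in posts live in the database, so a file scan like this will not see them.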

UPDATE: I was amazed to find another div display:none with the names of lots of drugs I have never tried and probably never will at the end of this article. Seems like the buggers are alive and crawling RIGHT HERE. If this happens again, I’ll have to hire an exterminator. I took this as an additional motivation to update the WordPress installation to 2.5.1. Fortunately the update turned out to be a time-consuming but painless process (go, 9600baud!), so here we go again.