I published the following diary on isc.sans.org: “A Bunch of Compromized WordPress Sites”:
A few days ago, one of our readers reported an incident affecting his website based on WordPress. He performed quick checks by himself and found some pieces of evidence:
- The main index.php file was modified and some very obfuscated PHP code was added on top of it.
- A suspicious PHP file was dropped in every sub-directory of the website.
- The wp-config.php file was altered and the database settings were changed to point to a malicious MySQL server.
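The three checks above can be scripted for a first triage pass over a WordPress document root. The following is an added example, not code from the diary: the function names, the 300-character line threshold, the "same file name in every sub-directory" rule and the list of expected database hosts are assumptions, and the sample tree is constructed.

```python
import os, re, tempfile
from collections import Counter

DB_HOST_RE = re.compile(r"define\(\s*['\"]DB_HOST['\"]\s*,\s*['\"]([^'\"]+)['\"]")

def triage(root, expected_db_hosts=("localhost", "127.0.0.1"), max_line=300):
    """Check a WordPress docroot for the three indicators listed above."""
    findings = []
    # 1. Root index.php: stock file has only short lines (heuristic, assumed).
    index = os.path.join(root, "index.php")
    if os.path.isfile(index):
        with open(index, errors="replace") as fh:
            if any(len(line) > max_line for line in fh):
                findings.append(("index-long-line", index))
    # 2. A PHP file name that appears in every sub-directory (assumed rule).
    subdirs, names = 0, Counter()
    for cur, _, files in os.walk(root):
        if cur != root:
            subdirs += 1
            names.update(f for f in files if f.endswith(".php"))
    findings += [("php-in-every-subdir", n) for n, c in sorted(names.items())
                 if subdirs > 1 and c == subdirs]
    # 3. wp-config.php: DB_HOST outside the hosts the site owner expects.
    config = os.path.join(root, "wp-config.php")
    if os.path.isfile(config):
        with open(config, errors="replace") as fh:
            findings += [("unexpected-db-host", h)
                         for h in DB_HOST_RE.findall(fh.read())
                         if h not in expected_db_hosts]
    return findings

def build_sample(root):
    """Write a constructed sample tree (not data from the incident)."""
    files = {
        "index.php": "<?php $x='" + "A" * 400 + "';\nrequire 'wp-blog-header.php';\n",
        "wp-config.php": "<?php\ndefine( 'DB_HOST', 'db.example.invalid' );\n",
        "wp-content/index.php": "<?php // Silence is golden.\n",
        "wp-content/cfg.php": "<?php\n",
        "wp-content/uploads/cfg.php": "<?php\n",
        "wp-includes/cfg.php": "<?php\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*triage(tmp), sep="\n")
```

A hit is only a lead for manual review; comparing the flagged files against a clean copy of the same WordPress release confirms whether they were modified.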