If you use WordPress or any other website platform that uses PHP, you should take a look at your files to see if any changes have been made to them in the last month.
A month or so ago I noticed that three of my WP sites suddenly said that they were using version 2.5 … heck, they really weren’t even using 2.3.3 yet! Remember, I was behind in my updates. So I decided to use my FTP program to take a look at the files on my server, and much to my amazement I found that a lot of files had the date 10/4/2008 as the last time they were modified. Oddly enough, I noticed the change to WP 2.5 on a few of my sites prior to all the file changes on the 10th of April. I wrote a post about it (see link above) on the 8th of April.
In addition to file date changes, I found extra files, some with PHP extensions, others with pngg and jpgg extensions.
I also found that a line of code had been added to the top of many of my files. Just go to your WordPress theme editor and take a look at each file for the current theme you are using to see if there is code with MD5 and debugger in it at the top. If there is, you can remove the code, which ends at exit >.
I went to WordPress.org to see if I could find anything about sites getting hacked or attacked. The first time I searched wordpress.org and did a Google search I didn’t find much, but last weekend I found lots of info. You can learn more by reading this WordPress security issue discussion.
Apparently a number of sites have been hit. That’s why I’m urging you to take a good look at your files to see if code has been added or if new files have been created.
Like I said, I discovered changes on my sites shortly after they were hit – maybe April 12th or so, but I didn’t realize how widespread the problem was until I started digging deeper and got more information. I’ve basically spent a good portion of the last two weeks going over EVERY file on my web hosting server – even the /TMP directory.
It took me so long because I’ve got a lot of sites.
I even went through my Joomla CMS sites’ directories as well as my HTML-based websites’ directories, and I found extra and altered files there too, so if you run a few different kinds of sites, don’t forget to check everything.
I also changed the passwords on all my sites as well as my server password. Every password for each of my sites is different.
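The file checks described in this post (recent modification dates, pngg/jpgg extensions, and code mentioning MD5 and debugger at the top of PHP files) can be automated across a whole web root. The script below is an added example, not code from the original post; the function names, the 4 KiB head size, the 30-day window and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Indicators from the post: odd image extensions; "md5" + "debugger" at file top.
ODD_EXTENSIONS = (".pngg", ".jpgg")
HEAD_BYTES = 4096  # assumption: the added line sits in the first 4 KiB

def scan_webroot(root, since):
    """Return {path: [reasons]} for files under root matching an indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower, reasons = os.path.join(dirpath, name), name.lower(), []
            if lower.endswith(ODD_EXTENSIONS):
                reasons.append("odd-extension")
            try:
                if datetime.fromtimestamp(os.path.getmtime(path)) >= since:
                    reasons.append("recently-modified")
                if lower.endswith(".php"):
                    with open(path, "rb") as fh:
                        head = fh.read(HEAD_BYTES).lower()
                    if b"md5" in head and b"debugger" in head:
                        reasons.append("md5+debugger-in-head")
            except OSError as exc:
                reasons.append(f"unreadable: {exc}")
            if reasons:
                findings[path] = reasons
    return findings

def demo():
    """Scan a constructed sample tree; returns {filename: [reasons]}."""
    old = (datetime.now() - timedelta(days=400)).timestamp()
    samples = {  # constructed files (harmless stand-ins); mtime None = "now"
        "index.php": (b"<?php /* constructed: md5 debugger */ ?>\n<?php get_header(); ?>", None),
        "footer.php": (b"<?php get_footer(); ?>", old),
        "logo.pngg": (b"\x00", old),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (data, mtime) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            if mtime is not None:
                os.utime(path, (mtime, mtime))
        found = scan_webroot(root, datetime.now() - timedelta(days=30))
    return {os.path.basename(p): r for p, r in found.items()}

if __name__ == "__main__":
    print(demo())
```

Point `scan_webroot` at each site directory on the server, including non-WordPress ones. Modification times can be reset by anyone with write access, so a file that is not flagged as recently modified still deserves a content check.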