194.110.162.23
At some point in the recent past my site was compromised by Wordpress.net.in spam. I don’t know exactly when the back door was put in place since I haven’t been very active on this site, though I do know that on March 20th, 194.110.162.23 hit default-filters.php and uploaded the malicious code to inject spam into the footer of my pages. Unfortunately the attack is for a different version of WordPress, so rather than infect me with ads, it just screwed things up royally. Maybe that’s a good thing, as I noticed it.
A great write-up of how to clean this mess up can be found here.
To sum it up:
- Remove wp-includes/class-mail.php; it’s fake.
- Take out the lines hooking into the footer in wp-includes/default-filters.php.
- Remove the line from the top of wp-includes/default-filters.php that accepts a file given a random GET variable.
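To check an install for the indicators listed above, here is an added example (not from the original post or the linked write-up). The regex patterns are heuristic assumptions about what does not belong in default-filters.php, the access log is assumed to be in combined format, and the sample tree and log lines are constructed.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions): upload/eval code has no place in default-filters.php.
SUSPICIOUS = re.compile(
    r"\$_FILES|move_uploaded_file|(?:include|require)(?:_once)?\s*\(?\s*\$_(?:GET|REQUEST)"
    r"|\beval\s*\(|base64_decode\s*\("
)
# A direct web request for the include file, in a combined-format access log line.
DIRECT_HIT = re.compile(r'^(\S+) .*"(GET|POST) \S*/wp-includes/default-filters\.php[^"]*"')

def audit(wp_root, log_lines=()):
    """Return a list of (indicator, detail) findings for a WordPress tree."""
    findings = []
    includes = Path(wp_root) / "wp-includes"
    if (includes / "class-mail.php").exists():
        findings.append(("fake-file", "wp-includes/class-mail.php"))
    filters = includes / "default-filters.php"
    if filters.is_file():
        for n, line in enumerate(filters.read_text(errors="replace").splitlines(), 1):
            if SUSPICIOUS.search(line):
                findings.append(("suspicious-line", f"default-filters.php:{n}"))
    for line in log_lines:
        m = DIRECT_HIT.match(line)
        if m:
            findings.append(("direct-request", f"{m.group(1)} {m.group(2)}"))
    return findings

def demo():
    """Run the audit on a constructed tree and constructed log lines."""
    with tempfile.TemporaryDirectory() as root:
        inc = Path(root) / "wp-includes"
        inc.mkdir()
        (inc / "class-mail.php").write_text("<?php // constructed stand-in\n")
        (inc / "default-filters.php").write_text(
            "<?php\n"
            "$f = $_FILES; // constructed stand-in for the injected upload line\n"
            "add_filter('the_title', 'wptexturize');\n"
        )
        log = [
            '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-includes/default-filters.php?x=1 HTTP/1.1" 200 12',
            '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
        ]
        return audit(root, log)

if __name__ == "__main__":
    print(demo())
```

A flagged line is a prompt to diff the file against a clean copy of the same WordPress release, not proof of compromise on its own.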
The takeaway lesson here is: Even if you’re not actively publishing on your blog, you better make sure your software is up to date. I’ve been busy with other stuff and neglected mine, unfortunately.
EDIT: I’ve done some poking. 194.110.162.23 is out of “Extended Host” in New York City. I’ll refrain from scanning it, though I am darn tempted to see what back doors were opened on that box. As it is, I’ll just email the host and inform them of the troubles.