3

I am running a server on Ubuntu 10.04 running a word press website, and recently a virus scan revealed that I have several malicious scripts sitting in the word press folder. In particular they are in the cache and temp folder of a theme that I'm currently using.

I opened them with VIM and read through them, they are certainly bots and spamware, one of them is even called c99 injecktor. I am very interested in how these scripts can be injected into these folders, and what actions I should take upon discovering them. Should I simply delete them?

Also, is the injection caused by security flaw of word press, or should I be worry about anything else other than getting a more up-to-date version of word press in my new server?

Xavier_Ex
  • 183
  • 4

1 Answers1

6

You were most likely compromised through a vulnerable installation or theme, probably through something that is now known and fixed.

First, once you've been compromised a little, it's best to assume you've been compromised a lot and start fresh. Read up on the answers to this question: My server's been hacked EMERGENCY

Second, besides updating to the latest versions, you can take extra steps to help prevent damage when some part of your Wordpress install has a vulnerability. Read up on more from this question: How can I protect a WordPress installation?

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
  • Coolbeans, thanks for the info they are very helpful. Yes I am now working on launching a new instance of my server :) – Xavier_Ex Aug 30 '12 at 16:46