I didn’t see anywhere in the forum or FAQ a list of what your plugin checks. Is it just files or does gotmls pull all the post data from the database to check for suspicious external styles?
I found most of the pharma hack files myself before finding your tool BUT at 4AM it’s very nice to have gotmls find some questionable ones. Sure enough, there was another classic eval decode_base64. Plus these jerks have been back twice in a month (2 different exploits to get in).
Still I’m a bit worried there may be some sneaky styles put directly into posts in the database. See http://wiki.mediatemple.net/w/(gs):Fix_WordPress_redirect_exploit for an older exploit using that trick.
I’ve got a collection of files from the last month of hacks if they’d be useful to you.
Got to love this obfuscation:
$asruhlkjshflj='ba'.'se64_'.'deco'.'de';
eval($asruhlkjshflj,...
Thanks for the plugin. Sent you Saturday date money.
Alan,
My plugin just checks files right now (mostly looking for malicious htaccess, php, and javascript). I am working on more support for database hacks but that’s a very different animal and it’s pretty easy for people to find post and widget injections on their own since they are not encoded.
I would love to have a look at your collection of files from the last month of hacks.
If you want to give me WP Admin access to your site I could double check it for you.
Aloha, Eli
P.S. Thanks for your donation!
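A file scanner can catch the string-concatenation trick quoted in the first post by folding adjacent PHP string literals before matching on function names. The sketch below is an added example, not part of either post and not the plugin's code; the function names, the suspect list and the second line of the sample are constructed for illustration.

```python
import re

# Function names worth flagging when a script assembles them at runtime
# (a short constructed list, not the plugin's signature set).
SUSPECT_FUNCS = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13", "assert"}

# One quoted PHP literal with no escapes or interpolation, e.g. 'ba' or "se64_".
_LITERAL = r"(?:'[^'\\]*'|" + r'"[^"\\$]*")'
# Two or more such literals joined by PHP's concatenation operator.
_CONCAT = re.compile(rf"{_LITERAL}(?:\s*\.\s*{_LITERAL})+")
# $var = 'literal';  (applied after concatenations have been folded)
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^'\\]*)'\s*;")


def fold_concatenations(php: str) -> str:
    """Collapse chains like 'ba'.'se64_' into one single-quoted literal."""
    def join(match):
        parts = re.findall(_LITERAL, match.group(0))
        return "'" + "".join(p[1:-1] for p in parts) + "'"
    return _CONCAT.sub(join, php)


def find_hidden_calls(php: str):
    """Return (variable, function, used_as_call) for each variable that
    holds a suspect function name once its literals are folded."""
    folded = fold_concatenations(php)
    findings = []
    for var, value in _ASSIGN.findall(folded):
        if value.lower() in SUSPECT_FUNCS:
            name = re.escape(var)
            # Either called as a variable function, or passed straight to eval.
            used = re.search(rf"\${name}\s*\(|eval\s*\(\s*\${name}\b", folded)
            findings.append((var, value.lower(), bool(used)))
    return findings


# First line is the assignment quoted in the thread; the second line is a
# constructed, harmless completion (the base64 decodes to "echo 1;").
SAMPLE = (
    "$asruhlkjshflj='ba'.'se64_'.'deco'.'de';\n"
    'eval($asruhlkjshflj("ZWNobyAxOw=="));\n'
)

if __name__ == "__main__":
    for var, func, used in find_hidden_calls(SAMPLE):
        print(f"${var} resolves to {func}; invoked: {used}")
```

A hit with `used_as_call` set is the stronger signal; an assignment that is never invoked is still worth a manual look.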