I didn’t see anywhere in the forum or FAQ a list of what your plugin checks. Is it just files or does gotmls pull all the post data from the database to check for suspicious external styles?
I found most of the pharma hack files myself before finding your tool BUT at 4AM it’s very nice to have gotmls find some questionable ones. Sure enough, there was another classic eval decode_base64. PLus these jerks have been back twice in a month (2 different exploits to get in).
Still I’m a bit worried there may be some sneaky styles put directly into posts in the database. See http://wiki.mediatemple.net/w/(gs):Fix_WordPress_redirect_exploit for an older exploit using that trick.
I’ve got a collection of files from the last month of hacks if they’d be useful to you.
Got to love this obfuscation:
$asruhlkjshflj='ba'.'se64_'.'deco'.'de';
eval($asruhlkjshflj,...
Thanks for the plugin. Sent you saturday date money.
