Dangerous wp-vars.php !? WARNING!

Hello, I’m using the latest WordPres 2.9.2 and today I noticed a nasty advertisment on my blog. Because my blog normally is free of advertisment I have decided to look for the problem.

I found a place in my “footer.php” (from my template) where a foreign code was inserted. This code included a file file from “/wp-includes/” called “wp-vars.php”. I opened this file in my editor and noticed that the code in there was encrypted with Zend. I also found a file called “wp-version.php” in the same place which has the function of decrypting something with a base64 algorithm. This looked very suspicious to me so I deleted these files. This was really helpful because afterwards the nasty advertisment on my page was removed.

But as I tried to write a new post on my blog I have noticed another terrible thing… I only get a blank page with a WordPress copyright footer if I try to access “/wp-admin/post-new.php”. I searched the web to get some information about this problem and I found some more bloggers who also have this problem. It seems to be a very new problem because all of them had this injection within the last two days and all of them use the latest WordPress version.

You can see the blog-posts about this problem here:
https://www.caracasa.de/2010/03/28/ich-wurde-gehackt-2/
https://www.biggle.de/blog/merkwuerdige-wp-vars-php-im-footer/

Has somebody already noticed this problem, too?

Many Greetings from Germany

Benny