Warning: TinyMCE Exploit

Hey…. I just checked the WordPress files both offline and online and I don’t have that 328.php in my folder?

Is that the actual “hack” file someone put in there, or is that the file that they got in through?

Using 3.2.1

That file is one of three php files that are in that folder. They both contain wp_addfilter references along with obfuscated code. The folder was not world writeable.

Many people have been affected by this hack in September 2011, including me – my whole hosting account was infected.

You can read the full info from my investigation in my blog: https://www.marinbezhanov.com/web-development/6/malware-alert-september-2011-sshell-v.1.0/

Also, these guys have been kind enough to create a script that cleans up your installation files from the malicious code: https://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html

Thanks for replying. Any ideas on whether this is a WordPress or TinyMCE exploit? Sure would like to know how they were able to gain access.

I can’t say for sure, but I think it’s some sort of a tinyMCE exploit. However, the hackers seems to be targetting WordPress sites only. The WP blog that got infected on my server didn’t have TinyMCE anywhere in the front end, so there must be some WordPress weakness that allows the hackers to access tinyMCE and use its exploit…

There is no known issue of this type in the current version of WordPress. If you have hard evidence to the contrary, please do not post it publically but report it appropriately.