WordPress 2.7 Vulnerability?

That’s not necessarily a sign of a 2.7 vulnerability. It’s your host that did get compromised. Moving or removing the file is good, but you need to find and close the door that let that onto your blog.

Check your file and directory permissions for your website. You should read up these links

https://codex.www.ads-software.com/Hardening_WordPress

and

https://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

Check your user table for any new accounts that you don’t recognize. You can use phpMyAdmin or mysql on the command line like so:

USE yourwordpressdb;
SELECT * FROM wp_users;

This is just to see how bad the compromise is. If you are not seeing spammy hidden links in your blogs HTML, and you don’t see any users that you don’t recognize then WordPress may be fine.

If you do find spammy links and new unknown users then get ready to restore your last good backup from before 12/14.

Check your logs for the first occurrence of p.php to see if you can identify when and how it got on your blog.

Read Donncha’s post and also check out https://ocaoimh.ie/2008/06/26/wordpress-exploit-scanner-01/.

Good luck.

CURL is the wordpress vulnerability 2.7+

class WP_Http_Curl {
	function request($url, $args = array()) {
		if ( !ini_get('safe_mode') && !ini_get('open_basedir') )
			curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, true );

function wp_remote_get($url, $args = array()) {
	$objFetchSite = _wp_http_get_object();

	return $objFetchSite->get($url, $args);
}

Read https://antichat.ru/threadedpost1298124.html#post1298124 with google translator, this is why there are so many wordpress trojans. Kill ’em.