Major WordPress vulnerability: comment Spam, changed files & settings

The hacks could be coming from anywhere on the server rather than through WordPress. Have you reviewed:
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Thanks esmi, i knew link one, did all that. I’m over link 2 now…but should be fine…it’s a clean reinstall with changed pws. That’s what I’m worried about.

Check your images. As Otto points out in that second link, hackers can disguise backdoor scripts as images simply by throwing in a .jpg extension etc. Even came across what looked very like a hack yesterday that might have used a Thumbs.db file.

Okay, whole upload dir deleted. Still: to bring a malicious hidden php code in e.g. .jpg extension would mean there has to be code added to wp core files, right? It’s a clean install with changed keys, mysql, wp admin and even ftp wps. Also checked mysql wp_users: just admin. Searched for suspicious code in mysql. No edoced. What happened? New spam 5 minutes ago…Grrrrrrr!

Is this spam within the code (ie a hack)? Or are these spam comments?

Mostly spam comments. But the also changed footer.php and some admin settings (no admin review of comments eg).

The attackers may have your FTP credentials. Check your system for malware.

Try using some anti-spam plugins such as Akismet and Bad Behaviour. Other than that, there are no security issues with 3.1.2 that I am aware of, so the prime suspect still remains your server itself.

See above: we changed the ftp, mysql und wpadmin pws…twice before and after clean reinstall. and we’ve been using si captcha, which did a good job so far on 20 of my blogs for years. System is definitely clean.

Problem is still the same. About 50 Pingback Spams a day, though activated captcha and disabled pingbacks for every single post and generally in discussion options.