mrcupp

@mickeyroush, it’s a known exploit that has been popping up on a lot of WP based sites (which are probably not up to date on security releases). I don’t think it really is WP related though. I’ve found a few friends who have been affected by this same exploit on servers w/out WP installed. It is more than likely an exploit tied back to phpMyAdmin or a server out-of-date on it’s security releases. (i know mine is out of date for a few apps).

the Thumbs.DB exploit was talked about here a few months back actually. here is the link to that forum entry: https://www.ads-software.com/support/topic/where-to-start-on-this-htaccess-issue

here’s is the ta”offical” release about the “Tim Thumb” 0day exploit: https://www.hackersbay.in/2011/08/tim-thumb-wordpress-exploit.html

here is the link to the pastebin I just made for this as well: https://wordpress.pastebin.ca/2090298

the first time the exploit occurred for me was back in sept, and was a hijacked .htaccess file that was including a “Thumbs.DB” file, which was in the root of the wordpress install. It contained the same line of code that is included at the end of all the infected .php files.

I have a copy of the most recent hack, and can put it up on a hackpad if needed. I however don’t have the original Thumbs.DB file since I purged it after the last cleanup.

@diegazo, exactly the same on my primary site (running MU) that got hit in sept as well. totally forgot about the cache in the themes ?? 600 files to clean up…wpmu site had about 50 themes on it, and around 25 plugins.

i’ve got it on 2 sites; second time in a month since installing/upgrading to 3.2.1

@diegazo, easy fix yes; total pain when one site is over 500 instances of the exploit ??

i’ve found it in the following places in my sites:

*home.php
  *index.php
  *default.php