scottop

I reverted to 2.5.0 and it works again. Waiting for a fix.

I had many plugin files that were also suffering from this problem. Perhaps they are not causing problems right now, but I’ll bet they can be activated.

To find your infected files, if you have shell access, you can run this command:
grep -r -l gzinflate .

This will give you the list of infected files, and ones that legitimately have “gzinflate” in them. The bad ones are easy to spot, they have that some text tacked on to the top.

Here is my list of infected files:
[daxter]$ grep -r -l gzinflate .
./audio/2007/05/pbpost15.mp3
./wp-admin/includes/class-pclzip.php
./wp-content/plugins/akismet/akismet.php
./wp-content/plugins/organizer/plugin_hook.php
./wp-content/plugins/podpress/getid3/module.archive.gzip.php
./wp-content/plugins/podpress/podpress.php
./wp-content/plugins/preach/preach.php
./wp-content/plugins/runPHP/runPHP.php
./wp-content/plugins/simple-tags/simple-tags.php
./wp-content/plugins/tagthis/pclzip.lib.php
./wp-content/plugins/tagthis/tagthis.php
./wp-content/plugins/future-post.php
./wp-includes/class-simplepie.php
./wp-includes/http.php

Interestingly, this is the list of my active plugins, less WP Super Cache. WP Super Cache might have been infected, but I updated when I was trying to fix the problem.

Since it was the active plugins and not the inactive ones, the hack did not reach the plugin files directly through the file system. It must have some connection to the database or attached when the plugins were accessed.

Yes, that was it. Thank you!

Someone hacked my top level index.php file and put that stuff in it. Problem solved. Back in business.

>It’s “ideeenmedia” all over the place

Sorry, I don’t understand. The word “ideeenmedia”is not in the codebase. I downloaded it and searched it.