smjohnson

@zarathustra01: I took a look into my logs and found that I had the Mailpoet cron turned on. Although I use this plugin only on rare occasions the cron job was quite active. I have no idea whether this has something to do with the hack.

Also, right before the site was unreachable last night I have this in the log:

[22/Jul/2014:00:12:54 +0200] “POST /wp-cron.php?doing_wp_cron=1405980774.2559781074523925781250 HTTP/1.0” 200 17

Does anyone have an idea what this job is for?
I have lots of these POSTs in the log.

@zarathustra01: Yes I am

You are right. This must be it.
Yesterday my site was completely gone. I restored from backup and installed the iThemes security plugin. Renamed my login-URL and turned the login off during the night. Maybe this helped. This morning everything seems to be alright.

It has happened again
This time it starts with

<?php $kbcsbfmaqp = 'c%x7825

and I can no longer login.

@femmefm: The Code on my site started with

<?php $qnedbrboae =

About 350 files were infected.
I only noticed because WP deactivated the plugins.
But the core files were infected too.
I have no idea why the site was still working.

The Wordfence plugin was infeted and deactiovated, too, by the way (free version).

An interesting observation: A few days before the accident my provider showed me a ‘red light’ indicating heavy load on the server, to the extend that the website was unreachable so to say. Could have been a brute force attack? Will try to analyse the logs to find out.

MacManX and esmi, thank you for the hints. Read some of them and am in doubt whether this is manageable for a non-IT-expert. But let’s see.

Hi again,

trying to solve the issue I reinstalled the Wordfence plugin and did a scan. The plugin found that hundreds of cor files have been modified. Atz first glance they seem to have been added the following code right after the initail <?php.

Sounds familiar to anyone?

[Large chunk of obfuscated code moderated. Please do not post such code here.]