15 May 2012
Wordpress Users Beware!!!
Ok, if you're a wordpress user you need to do the following things right now:
A: look for this file:
wp-content/plugins/helo/helo.phpB: Check if you have two "Hello Dolly" plugins
If either of these are true you've probably been hacked. The extra helo.php file contains a malicious exploit which rewrites your php.ini file and allows root access.
We're working with our ISP to figure out what's been compromised.
You WILL need to change your database password and likely all your wordpress passwords.
UPDATE: We finally tracked down the problem and it wasn't at all what we thought. On a neglected site in a forgotten part of the VPS was a WooTheme with an old copy of the TimThumb image resizing library which contained a well-known (we caught it on all our other sites) vulnerability.
Through that TimThumb vulnerability the evil robot was able to put the exploited "Hello dolly" plugin on several of our sites, rewriting our php.ini files and planting their nefarious code.
It could have been a lot worse. Read the whole saga here.