I've been hacked

I’ve got a single DH account, which has several users, and most of these users host several sites.

Today I’ve found lots of nasty stuff hosted on these sites, stuff that shouldn’t be there.

I have, variously, some hacked WordPress (2.6.3, now upgraded) installations which were serving up pages of links to Google (and only Google) via a rogue line included in wp-rdf.php or wp-blog-header.php, a file called “.users.php” in the root of some sites which seems to contain a rootkit, a directory called ‘new’ in the root which contains a few php files (blog.php, map.php, locate.js and a couple more) and further text files and directories numbered 1 to 10.

Most of the affected sites were running WordPress, but some weren’t running anything more complicated than a php index page and a link to DH’s own formmail script.

I think I’ve cleaned it all up now but I’d love to know how it got there – and if it is able to come back (I’ve changed all my passwords – anything else I should do?).

Anyway, you may just want to have a look round your own sites just in case…

Mike :expressionless: