Hey folks -
A few weeks ago someone noticed that my blog had been replaced with a "ci al is"* ad. It didn't show that way to me, but for people who came from Google it did. Also Google had marked my site as "possibly compromised."
Sure enough after spelunking around most of my DH sites I cam eacross these various strange PHP files that were long base64 enocded text with various PHP commands embedded in them. They always have short names like "solt.php", "mara.php" etc & they sometimes come embedded in a series of numbered folders.
I trashed all of these that I found (I saved them off if anyone wants to take a look) & upgraded my WordPress - but the files keep coming back & I fear the worst. Any advice on how to proceed?
I have a large blog on DreamHost in WordPress & I guess I'll need to somehow back it up & then reconstitute it? Is that as painful as it sounds? And how do I keep this from happening agin?
*I reformatted this word to not set off SPAM filters.