
major help needed now... (4 posts)

  1. billjones
    Member
    Posted 14 years ago #

    2.7 or 2.71, don't know. I have someone who has hacked into the servers and is running a delete all routine on all the folders. I went in through cPanel and changed my FTP password and they did it again. I do not know if it is through WordPress or not, but I am ready to kill if I find the ^$%.

    Any help is welcome, you can even call me at 503 550 774 for a better explanation. I approached wingsix and they said site security was my problem.

    Bill

    Here is the index.html they leave behind.

    <!-- FUCK OFF THE SOURCE CODE -->
    <!-- ~greXTC pwn3d this page! -->

    <html>

    <head>

    <meta http-equiv="refresh" content="20; URL=http://google.ru/">

    <title>~XTC pwn3d this page!</title>

    </head>

    <body bgcolor="black">

    <center>

    <img src="xtc.png">

    </center>

    </body>

    </html>

    <!-- ____ _______________________
    \ \/ /\__ ___/\_ ___ \
    ______ \ / | | / \ \/ ______
    /_____/ / \ | | \ \____ /_____/
    /___/\ \ |____| \______ /
    \_/ \/ -->

    <!-- ~greXTC pwn3d this page! -->
    <!-- FUCK OFF THE SOURCE CODE -->

  2. billjones
    Member
    Posted 14 years ago #

    92.241.164.88 is the last IP address that showed up in my gostats account around 7:30 am today.

  3. mercime
    Member
    Posted 14 years ago #

    Yes, older WP/WPMU versions are getting hacked.
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    There's also http://ocaoimh.ie/exploit-scanner/
    - Also, check the options tables of your blogs: wp_1_options, wp_2_options, etc. In the Active plugins field, look for something like
    ./../../../../../../../../../../../../../../something/url/files/imagesomething.jpg - delete the injection in that field and delete the image file on the server per the URL.
    After you've cleaned your installation, you will need to upgrade.
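
One way to run the options-table check described in the post above across many blogs, as an added example that is not part of the original thread or of WordPress itself. It assumes the `active_plugins` value of each `wp_N_options` table has been exported as raw bytes; the function names and sample rows are constructed for illustration.

```python
import re

# One string element of a PHP-serialized array: i:<index>;s:<byte length>:"
_ELEM = re.compile(rb'i:\d+;s:(\d+):"')

def parse_active_plugins(raw):
    """Decode a PHP-serialized array of strings (the active_plugins format)."""
    head = re.match(rb'a:(\d+):\{', raw)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, out = head.end(), []
    for _ in range(int(head.group(1))):
        m = _ELEM.match(raw, pos)
        if not m:
            raise ValueError(f"unexpected data at byte {pos}")
        start = m.end()
        end = start + int(m.group(1))  # declared length is in bytes
        if raw[end:end + 2] != b'";':
            raise ValueError(f"bad string length at byte {start}")
        out.append(raw[start:end].decode("utf-8", "replace"))
        pos = end + 2
    return out

def suspicious(entry):
    """Reasons an entry does not look like 'dir/file.php' under plugins/."""
    reasons = []
    if ".." in entry.replace("\\", "/").split("/"):
        reasons.append("path traversal")
    if entry.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", entry):
        reasons.append("absolute path")
    if not entry.lower().endswith(".php"):
        reasons.append("not a .php file")
    return reasons

def scan(rows):
    """rows: iterable of (table_name, option_value bytes) -> list of findings."""
    return [(table, entry, suspicious(entry)) for table, raw in rows
            for entry in parse_active_plugins(raw) if suspicious(entry)]

# Constructed rows, as if from: SELECT option_value FROM wp_N_options
#                               WHERE option_name = 'active_plugins'
SAMPLE = [
    ("wp_1_options", b'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("wp_2_options", b'a:2:{i:0;s:19:"akismet/akismet.php";'
                     b'i:1;s:30:"../../../files/2009/01/pic.jpg";}'),
]

if __name__ == "__main__":
    for table, entry, why in scan(SAMPLE):
        print(f"{table}: {entry!r} -> {', '.join(why)}")
```

A value that fails to parse raises `ValueError`; treat that blog's options row as needing manual inspection rather than skipping it.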

  4. andrea_r
    Moderator
    Posted 14 years ago #

    Lock it down - change the folder permissions for the main site, take it offline while you track things down.

About this Topic

  • Started 14 years ago by billjones
  • Latest reply from andrea_r