Hacked WordPress Clean-up

Yesterday morning I was surprised by an e-mail from our hosting account about over 6000 messages in our webmaster's mailbox. It turned out most of them were "message was not delivered" notifications. Looks like someone was sending spam through our account.

A first look at the access logs showed multiple POSTs to a URL in the uploads directory. I renamed the file so it became inaccessible and started to search for the rest of the malware. It turned out to be quite a lot of files.

The file through which the spam was funneled looked obfuscated, but this helped to search for files like it:

grep -lr '$sF="PCT' *

The nice grep snippet above (from the description of a similar exploit – thanks!) made things easier, as our hosting provider does not make 'find' available for some reason.

Some of the code was actually injected into WordPress files and had to be cleaned up by editing them:

grep -lr 'eval(${$s' *

Several large obfuscated files were easy to find with this:

grep -lr 'preg_replace("/.*/e"' *

And in the end, I just swept all code with a search by creation date:

ls -ltR|grep "May 21\|May 19\|May 22\|^\./"|more

Look for all files that call eval() and other shell functions, and check whether they look suspicious:

grep -r -P '(?<![a-zA-Z_\.>])(eval|exec|shell_exec|system|passthru)\(' --include \*.php *|more

Check all admin users in the WordPress install, just in case.

Finally, I ran updates on all WordPress instances and plugins. The next step will be configuring this to run on a periodic basis.
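As an added example (not from the original post), the grep searches above bundled into one script that can be run periodically against the document root. It needs only grep and sed, not find, and the fixture files it builds are constructed placeholders carrying the indicator strings, not real malware.

```sh
#!/bin/sh
# Added example (not from the original post): the grep searches above bundled
# into one function so the sweep can be re-run periodically. Hits are leads
# for a manual look, not proof of compromise.

# Print each PHP file under $1 that contains one of the indicators, prefixed
# with the indicator name. The first three are the fixed strings from the
# post; the fourth is a portable -E rewrite of the post's -P lookbehind so it
# does not need PCRE support in grep.
scan_php_indicators() {
    dir=$1
    grep -rlF --include='*.php' '$sF="PCT' "$dir"             | sed 's/^/sF-PCT: /'
    grep -rlF --include='*.php' 'eval(${$s' "$dir"            | sed 's/^/eval-var: /'
    grep -rlF --include='*.php' 'preg_replace("/.*/e"' "$dir" | sed 's/^/preg-e: /'
    grep -rlE --include='*.php' \
        '(^|[^a-zA-Z_.>])(eval|exec|shell_exec|system|passthru)\(' "$dir" \
        | sed 's/^/shell-func: /'
    return 0
}

# Constructed fixture tree (no real malware): one clean file plus three files
# that each carry an indicator string, used to exercise the sweep.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-includes"
    cat > "$dir/wp-includes/clean.php" <<'EOF'
<?php // constructed benign file: eval appears only as a method/helper name
$tpl->eval("x"); function my_eval($a) { return $a; }
EOF
    cat > "$dir/wp-content/uploads/dropped.php" <<'EOF'
<?php $sF="PCT-CONSTRUCTED-PLACEHOLDER"; // constructed indicator, does nothing
EOF
    cat > "$dir/wp-includes/injected.php" <<'EOF'
<?php $x = 'eval(${$s'; // constructed indicator string only
EOF
    cat > "$dir/wp-content/plugin.php" <<'EOF'
<?php echo system("uptime"); // constructed: a shell-function call to be flagged
EOF
    echo "$dir"
}

# Stand-alone use: scan the document root given as the first argument.
if [ $# -gt 0 ]; then scan_php_indicators "$1"; fi
```

Saved as a script and invoked with the document root as its argument from cron, it reproduces the manual sweep; the clean file shows why the leading character class matters, since `->eval(` and `my_eval(` are not reported.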
