Re: I’ve got a worm.
My hosting company, PSEK, was able to remove the code from each theme. So, as of now, my themes are clean, my passwords are changed, and I’ve got a new install of MU.
I’m still getting memory errors, indicating that the virus is probably still there somewhere. We’ll see.
Within a few hours, we’ll probably know if this is good enough or if there are continued problems.
Per @andrea_r, I pulled the access logs and found 2 IP addresses – mine and one other. Here’s what I found:
May 9 18:28:52 wpmu pure-ftpd: (?@220.127.116.11) [WARNING] Authentication failed for user [housingstorm]
– probably failing because I changed my passwords.
Now, I searched for that IP address and it’s from Brazil. In my Google search, I also found it referenced on several other forums as an attacker and I even found an access log file for another site that showed them gaining access.
One forum mentioned that there were extra files in their database after the attack.
My local computer scan was clean, so I’m not sure how they got access, but I would recommend banning this IP address and monitoring your access logs.
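
Added example, not part of the original post: one way to do the log monitoring recommended above is to summarize pure-ftpd syslog lines by source IP, skipping the addresses you know are yours. The sample lines, addresses and user name are constructed, modeled on the line quoted in the post; the "is now logged in" message format is an assumption about pure-ftpd's default logging.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation IP ranges, made-up user name).
SAMPLE_LOG = """\
May 8 02:11:40 wpmu pure-ftpd: (?@203.0.113.45) [INFO] exampleuser is now logged in
May 9 18:20:01 wpmu pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
May 9 18:20:03 wpmu pure-ftpd: (?@198.51.100.7) [INFO] exampleuser is now logged in
May 9 18:28:52 wpmu pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [exampleuser]
May 9 18:28:55 wpmu pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [exampleuser]
"""

# "(ident@ip) [LEVEL] message", as in the line quoted in the post.
LINE_RE = re.compile(r"pure-ftpd: \([^@)]*@(?P<ip>[^)]+)\) \[\w+\] (?P<msg>.*)$")
FAILED_RE = re.compile(r"Authentication failed for user \[(?P<user>[^\]]*)\]")
LOGIN_RE = re.compile(r"(?P<user>\S+) is now logged in")  # assumed success format


def summarize(log_text, known_ips):
    """Count failed and successful FTP logins per source IP not in known_ips."""
    report = defaultdict(lambda: {"failed": 0, "logins": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["ip"] in known_ips:
            continue  # not a pure-ftpd line, or one of our own addresses
        failed = FAILED_RE.search(m["msg"])
        login = None if failed else LOGIN_RE.search(m["msg"])
        hit = failed or login
        if not hit:
            continue  # connection/transfer noise, not an auth event
        entry = report[m["ip"]]
        entry["failed" if failed else "logins"] += 1
        entry["users"].add(hit["user"])
    return dict(report)


if __name__ == "__main__":
    # 198.51.100.7 stands in for the site owner's own address.
    for ip, stats in summarize(SAMPLE_LOG, {"198.51.100.7"}).items():
        flag = "SUCCESSFUL LOGIN FROM UNKNOWN IP" if stats["logins"] else "failures only"
        print(f"{ip}: {stats['failed']} failed, {stats['logins']} ok, "
              f"users={sorted(stats['users'])} -> {flag}")
```

An unknown address with successful logins dated before the password change is the case worth acting on first, since it means the old credentials were in use from somewhere else.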