Alright, not really what I wanted to happen on a Monday evening.

I came home, and just before I started to make dinner, I went to check my mail, in there was a mail from an advertiser that an ad was not showing, and naturally I went to the site to check.

Lo and behold, my site was hacked, and the hacker installed the c99madshell v. 2.0 on my domain.

Searching for information I found only vague information, and never really found out how the ‚Ǩ#”%”‚Ǩ# hacker came in.

I started by updating my Wordpress installation to the latest version, and then went hunting. I found the script in my themes folder, where it replaced one the .php files.

The only information I found that gave any clue to where to look was here: http://www.devside.net/blog/smf-exploit-like-phpbb-hack

I included below screenshot, which is from the same blog-entry (credit where credit is due) since I focused on removing the hack instead of documenting it. I hope the owner does not take offence.

Removing it was fairly easy once I knew where to look, but I had to have a serious look around to see where it was hidden.

So, what did I learn from this? To backup, backup often, and to always update my Wordpress installations.

Have you had a visit?

a

A hacker came by with c99madshell v. 2.0 madnet edition