Re: [bitfolk] Security incident: Wordpress install compromis…

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] Security incident: Wordpress install compromised and turned into redirect to porn site

gpg: Signature made Wed Mar 6 10:05:30 2013 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hello,

On Wed, Mar 06, 2013 at 09:45:27AM +0000, Adam Spiers wrote:
> Do we know which version of WordPress was compromised?
> And that it was definitely WordPress not another service?


No; if the customer has no interest in investigating then
unfortunately I can't usually spare the time to do it for them,
beyond the basics needed to resolve the abuse report.

I would find it unusual for an attacker to compromise some other web
app but then decide to put their .htaccess and other files in a
WordPress that coincidentally happened to be on the same server,
though. These things tend to be straightforward.

I did a quick web search for that .htaccess content and found a few
other people reporting finding it, but with no details as to how it
was put there.

I suspect that it is unrelated to the actual compromise, being more
of a "this is something you can put in someone's web site to turn it
into a stealthy porn redirector" tool, so yes maybe the actual
compromise is not in WordPress.

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting