Jan 16 2008

/tmp/ro8kfbswmag.txt

If you happen to run an older version of WordPress (prior to 2.3.1) on a Unix server, go and check your /tmp directory and see if there’s a file called ro8kfbswmag.txt in there. If there is, a hacker has most likely compromised your server and your WordPress installation is sending hidden spam links from your site.
Yes, this did happen to me. It took me almost 12 hrs to realize it and another 2 hrs to clean up the mess that was left behind.

“Simple Thoughts” has an excellent post-mortem description of the situation.

I usually wait for new WordPress versions to stabilize before installing an upgrade – guess I have to rethink that strategy …

Whenever I install a new release of WordPress, I usually take a snapshot of the installation directory, which means I copy all the installed files to another place. Every night a script compares the installation directory with the snapshot directory and if there are differences, those differences are sent in an email to my primary email address.
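The nightly comparison described above could look like the following shell script. It is an added example, not the script actually used on this site; the function names, the use of `mailx` and the three command-line arguments are assumptions, and it additionally reports the marker file named at the top of this post.

```shell
#!/bin/sh
# Added example: nightly file-integrity check for a WordPress install.
# Directories and the address are passed as arguments (assumed layout).
# MARKER defaults to the file name this post tells you to look for.
MARKER=${MARKER:-/tmp/ro8kfbswmag.txt}

# Print every difference between the snapshot and the live tree,
# including files that exist on only one side.
# Exit status follows diff: 0 = identical, 1 = differences, 2 = error.
compare_install() {
    if [ ! -d "$1" ] || [ ! -d "$2" ]; then
        echo "compare_install: missing directory" >&2
        return 2
    fi
    diff -r "$2" "$1"
}

# Build the report and mail it only when something is wrong.
# Returns 0 when the tree matches and the marker file is absent.
nightly_check() {
    live=$1 snapshot=$2 rcpt=$3
    status=0
    report=$(compare_install "$live" "$snapshot" 2>&1) || status=$?
    if [ -e "$MARKER" ]; then
        report="Marker file present: $MARKER
$report"
        [ "$status" -ne 0 ] || status=1
    fi
    [ "$status" -ne 0 ] || return 0
    printf '%s\n' "$report" |
        mailx -s "WordPress files changed on $(uname -n)" "$rcpt"
    return "$status"
}

# Run from cron as: wp-integrity.sh LIVE_DIR SNAPSHOT_DIR ADDRESS
if [ "$#" -eq 3 ]; then
    nightly_check "$1" "$2" "$3"
fi
```

Keep the snapshot somewhere the web server account cannot write, otherwise whoever modifies the live files can modify the reference copy too.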

If you find the above file in your /tmp directory and you’re not sure how to proceed, just send me an email and I’ll try to help.
