Hacked by NamelessesMan and UTF-7 errors

I was already updated to WP431 and then just yesterday I noticed my site was compromised. I reinstalled WP431 in case any files were affected. It didn’t solve anything (that I could tell), and fortunately the compromise was not destructive, but it was a nuisance. From what I can tell it might be a hack-gone-wrong and a script intended to run a set of instructions to alter the site merely flooded itself into the blog title. If you do an Internet search on “Hacked by Namelessesman” you’ll see many other sites that are affected.

In fact, I just now did a search on UTF-7 in the WP forums and found this article from a while back ago.

Suffice it to say, it’s a recycled hack.

Ultimately, I noticed two obvious things about the compromize: 1) A hacker that goes by “NamelessesMan” had his calling card all over this, and 2) I was seeing messages on various admin screens reporting…

“Warning: htmlspecialchars () [function.htmlspecialchars]: charset ‘UTF-7 ‘ not supported, assuming iso-8859-1 in [/path_to/]formatting.php on line [some_#]”

I did two things to resolve:

1) In General settings, change the site title to what it should be and save.
2) In the Reading settings, change from UTF-7 to UTF-8 and save.

I also ran this script from my public_html directory to recursively check within any files that could be compromised and I removed them (after safely ensuring they were no longer needed):

<?php
$command = "grep -ri 'your_search_string_between_these_single_quotes' ./*";
$output = shell_exec($command);
echo "$output";
echo "Grep job over.";
?>

To run this script, create a file on your cPanel enabled site using the cPanel File Manager or an FTP client. Call the file whatever you want and use the php extension. I called my ftif.php (Find Text In File). In your browser, go to https://yoursite.tld/yourfilename.php. Allow it some time to run and after a while it will finish and advise if and where it had found any files with the grep string you are looking for.