camurphy
Forum Replies Created
Forum: Fixing WordPress
In reply to: WordpresZ 2.6.4
@kenpeace – the fake link in the dashboard appears via entries in wp_options. I appreciate from your earlier post that “PHP is not an option”, however hopefully my clean up notes here aren’t too technical:
https://www.craigmurphy.com/blog/?p=896
My dashboard is now “normal” after I cleared out the records mentioned in my post.
Apart from looking at new themes, I too had no new plug-ins and have a fairly strict read-only policy on my server folders.
I’m concerned that you noted “no new themes” – I had been checking out around 20 new themes over the last 14-21 days, many of which were for another blog folder on the same folder. I had initially thought that it was a dodgy theme that had got the better of me (assuming it’s possible for a theme to do such things).
HTH
Rgs
–Craig
Forum: Fixing WordPress
In reply to: WordpresZ 2.6.4
@whooami – re: wp-admin/index.php – I could pull the 2.5.1 version from a backup, however even after a 2.6.3 upgrade, the dashboard is still showing the injected hack.
I too find it disturbing that the dashboard can be attacked in this way – whilst I’m technically savvy, I’ve not spent a lot of time tracing how this might happen. Lines 112-118 reveal little more than blank lines and closing divs – definitely wp-admin/index.php, yes?
Since the injected content is still there, I’m backing up my install just now.
Forum: Fixing WordPress
In reply to: WordpresZ 2.6.4
Heh, I can imagine what us “non-upgraders” get called ??
Sophos have picked up on this as Troj/WPHack-A:
Forum: Fixing WordPress
In reply to: WordpresZ 2.6.4
I’m in the same boat, looking at it now.
Some screenshots of the problem and a little investigation so far:
https://www.craigmurphy.com/blog/?p=874
Rgs
–Craig