Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • squidly1

    (@squidly1)

    While I was deployed (and did not have access to my blogs to maintain them or update my installations), someone took advantage of my old installs – and, thanks to some quirk/vulnerability with PHP, uploaded the file you mentioned to some of my blogs. It *is* a bit of malware and it does allow an attacker a fair amount of control over your blog and possibly over your SQL database. Deleting it will not affect your blog. It’s not very sophisticated (so far as I can see atm), so deleting the file does nothing more than minimize control over your blog. But, you will need to update your installations to help minimize a successful re-exploitation.

    I am working on researching the limits of the infection and rooting out all the possible changes someone might have done to my accounts. Sadly, my attack occurred in mid and late October 2011 and my host logs only go back two months, so I am at a loss at tracing back who might have done it.

    You should know that there are probably other files that have been uploaded as well – all of them are obfuscated files (.GIFs, .JPGs, other PHPs – and should have the same date as that initial class-wp-theme-edit.php file). None of the legit WordPress files are obfuscated (i.e., have large sections of HEX encoding); they are pretty much clear text.

    ak40seven: I have been having the same problem as you. I host seven blogs on my website, each using WordPress – but two are experiencing the exact issue you describe. So far, I have not figured out a way to fix the problem other than reverting to an older installation :(.

    – Squidly1
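
The two traits described in the post above (large hex-encoded sections, and a modification date matching the initial class-wp-theme-edit.php file) can be checked across an install with a short script. This is an added example, not code from the thread; the 8-escape run length, the 20% threshold, the one-day window and all sample files and timestamps are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: "obfuscated" means runs of 8+ \xNN escapes filling >= 20% of a file.
HEX_RUN = re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}")
SCAN_EXTS = {".php", ".gif", ".jpg", ".jpeg"}

def hex_ratio(data):
    """Fraction of the bytes that sit inside long \\xNN escape runs."""
    if not data:
        return 0.0
    return sum(len(m.group(0)) for m in HEX_RUN.finditer(data)) / len(data)

def scan(root, reference, window=86400, min_ratio=0.2):
    """Map relative path -> reasons, for files that deserve a manual look."""
    ref_mtime = os.path.getmtime(reference)
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in SCAN_EXTS:
                continue
            with open(path, "rb") as fh:
                reasons = ["hex-encoded"] if hex_ratio(fh.read()) >= min_ratio else []
            near = abs(os.path.getmtime(path) - ref_mtime) <= window
            if near and not os.path.samefile(path, reference):
                reasons.append("same-date")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Scan a constructed sample tree; file contents and dates are made up."""
    bad_time = 1319500000  # constructed timestamp in late October 2011
    samples = {  # name: (content, mtime)
        "index.php": (b"<?php require 'wp-blog-header.php';\n", bad_time - 90 * 86400),
        "header.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 64, bad_time - 90 * 86400),
        "class-wp-theme-edit.php": (b'<?php $a="' + b"\\x65\\x76" * 40 + b'";', bad_time),
        "logo.gif": (b"GIF89a" + b"\\x62\\x61" * 30, bad_time + 600),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (content, mtime) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (mtime, mtime))
        return scan(root, os.path.join(root, "class-wp-theme-edit.php"))
```

Calling `demo()` scans the constructed tree; on a real install, pass the WordPress root and the path of the known-bad file to `scan()`. A "same-date" hit alone only means the file changed within the window, so it is a prompt for manual review rather than a verdict.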
