hmmm i think i finally have my blog fixed! it's been a pain because there were all these backdoors hidden around in the wordpress install and they were very sneaky so sometimes would show the blog correctly and sometimes would show crazy spam. it was pretty smart about hiding itself from me. so things would look normal when i visited but then other people would keep asking why i was selling drugs and other weird stuff! :P

for anyone else who may have to deal with this here are some notes from my cleanup that may help.

  • run a command like find $1 -type f -print0 | xargs -0 stat --format '%Y :%y %n' | sort -nr | cut -d: -f2- | head to find the most recently modified files and make sure they are legit.
  • for me there were lots of .phtml and .php files snuck deep into wordpress plugins and themes. they included backdoors allowing remote uploads.
  • unpack the same wordpress version to another directory then diff it with your wordpress install. diff -r hacked_blog fresh_wordpress
  • my /wp-includes/pomo/mo.php file was modified to import a config.php which did the sneaky cloaking and served up hidden compressed spam stashed in /wp-admin/maint/.tmp/
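
the diff and hunt-for-stray-files steps above, rolled into one shell function. this is an added example, not part of the original notes: wp_audit and its output labels are made-up names, and it assumes you pass the suspect install and a fresh unpack of the same wordpress version. plugins, themes and wp-config.php that you installed yourself will also show up as EXTRA, so check those against their own clean copies.

```shell
# wp_audit SUSPECT_DIR FRESH_DIR   (hypothetical helper, added example)
# Prints one line per finding:
#   MODIFIED <path>  file exists in the fresh copy but its content differs
#   EXTRA    <path>  .php/.phtml file that the fresh copy does not contain
#   HIDDEN   <path>  dot-directory inside the suspect tree
wp_audit() {
    suspect=${1%/}
    fresh=${2%/}
    if [ ! -d "$suspect" ] || [ ! -d "$fresh" ]; then
        echo "usage: wp_audit SUSPECT_DIR FRESH_DIR" >&2
        return 2
    fi
    # Absolute path, because the scan below runs from inside the suspect tree.
    fresh_abs=$(cd "$fresh" && pwd) || return 2
    (
        cd "$suspect" || exit 2
        # Compare contents, not timestamps: mtimes can be reset with touch.
        # find -exec hands over file names intact, spaces included.
        find . -type f -exec sh -c '
            fresh=$1; shift
            for f in "$@"; do
                rel=${f#./}
                if [ -f "$fresh/$rel" ]; then
                    cmp -s "$f" "$fresh/$rel" || printf "MODIFIED %s\n" "$rel"
                else
                    case $rel in
                        *.php|*.phtml) printf "EXTRA    %s\n" "$rel" ;;
                    esac
                fi
            done' sh "$fresh_abs" {} +
        # Dot-directories such as the .tmp stash described above.
        find . -type d -name ".*" ! -name . -exec sh -c '
            for d in "$@"; do printf "HIDDEN   %s\n" "${d#./}"; done' sh {} +
    )
}
```

call it as wp_audit hacked_blog fresh_wordpress and go through every line it prints.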