For the last few days, I’ve been fighting with a worm on my web server. I think my site was infected when my host (Dreamhost) had its FTP passwords compromised, but I didn’t detect it until now. The hack is pretty innocuous; it simply injected some JS that would load a page in a small or hidden IFrame. The purposes, I suppose, is to increase page hits on those pages. I didn’t notice it for a long time because my browser’s AdBlock plugin blocked the IFrames!

This type of hack has been discussed quite extensively on the WordPress forums and the advised solution is to delete everything and re-install WordPress (thankfully, the database is unaffected, so you can re-install on top of your existing installation). After some investigation, the reason for this is because the worm injects JS into every single Javascript file it can find (anything with .js extension). In fact, it’s not restricted to WordPress; it’ll look for anything in the file system!

I’ve cleaned my WordPress several times, but the worm has re-appeared. I think that it placed a .php file somewhere on my host which, when run, will perform the file system scan and add itself to JS files. To combat this, I’ve been systematically going through and deleting files that I no longer use. Fingers crossed that I found the root file!

It’s a bit frustrating to have to combat this. Originally I was annoyed at WordPress for causing this problem, but it turns out that WordPress is just another victim. I can’t even play the mainstream-software-sucks card!