Thanks to Janne, who noted that my blog might have been had. The sign for this was that my permalinks were all weirded out with additions like base64_decode ($_SERVER [HTTP-REFERER] ) (code intentionally munged).
- The quick fix was to edit my permalink settings, removing the funky suffix.
- I also edited sitemap.xml, created by a plugin for Google (and other index engines’) site maps.
- Futhermore, i edited my database manually to remove the base64_decode bits from the GUIDs of my last few posts. Older posts seemed unharmed
- Finally, being very paranoid about the “extra administrators” phenomenon exhibited by this worm, i deleted nearly all of my users. This may include you. So if i did remove you from my system (and i probably did), i’m really sorry and it’s nothing against you. I want you back. It’s all because of that jerk who wrote this Wordpress worm and should be kicked in tar, rolled in feathers and carried around town on a sharp stick.
Oddly enough, i was not able to find more administrators than there should have. Maybe i got lucky. Or maybe i just happened to update my WP just as crap was hitting the fan. Or maybe i just haven’t found the worm lurking inside my code just yet.
In any case, we are back. For now.
