For a few months I’d been using the WooThemes “Mainstream” theme and really liked it. I made a point of always keeping it updated, as I do with everything WordPress. A few minutes ago, however, on a whim I did a
netstat -a
on my webserver, and saw a bunch of connections from my server to setlinks.ru:http. I quickly grepped the wordpress directory for “setlinks” and sure enough it looks like some trojaned code made it in. Under my
/wp-content/themes/mainstream/cache/
dir there are these directories:
drwxr-xr-x 3 apache apache 4096 Dec 16 00:07 setlinks_fa356/ drwxr-xr-x 3 apache apache 4096 Dec 16 00:08 692ad897a15978e7cfd099ace86a56bf/ drwxr-xr-x 2 apache apache 4096 Dec 16 00:08 12483e2d235715e4ad4c76c8cf04f0fd76c8c397/
Under 692ad897a15978e7cfd099ace86a56bf there are a bunch of PHP scripts, including sape.php, which has a bunch of crap in it linking to db.linkfeed.ru.
So anyway, rather than investigate fully right now I’m scrapping the WooTheme altogether. So the site is going to look more boring, but oh well.
Evan Hoffman's Blog 