This is the third time I’ve had to spent serious time “fixing” WordPress. Say what you will about my old “Small Axe” or “Flip” solutions, but I never had a problem. With WordPress, I have found regular issues.
This time, I traced the problem back to wp-lytebox, and I’m ashamed to say I’ve had to fix the same problem before. It all started when I couldn’t load the post page in the backend of firsttube.com. Digging in, I eventually found a file called sys.php in the root of the site, and it listed the contents of my site and had a form that allowed someone to add a page, chmod a page, or delete a page. Killer!
I found that it was defaulting to /path/to/WP/wp-includes/plugins/wp-lytebox, and sure enough, digging into that directory revealed several other fun scripts, all of which gave someone the ability to access all the files on my site. Fun!
I found that I already had replaced this plugin before, so I decided to get rid of it altogether, this now proving it wasn’t a misconfiguration, but rather, a problem with the wp-lytebox itself.
In this process, however, I was unable to fix my issue. Visiting /wp-admin/post-new.php still rendered only a page footer, and nothing more.
So I starting fooling around in my directories looking for files that had been modified more recently than when I did my 2.9.2 upgrade. One of the files? My .htaccess file.
“This be odd,” I thought to myself, “I’ve changed this not, methinks.”
Sure enough, there was a rogue line within: RewriteCond ^/default/$ /wp-admin/includes Huh?
I dug into that folder, and the .htaccess file there was recent too? It’s contents? DefaultIndex users.php
Of course, I immediately opened users.php and found, as you might have guessed, a bunch of Russian crap. Savvy WP hackers will know, it’s not a real file, there is no users.php in the real wp-admin/includes directory.
I also found a folder that had two large files, both named core.XXXX where XXXX was a 4 digit number, and a massive 40 MB error_log. Yikes.
I thought I had everything cleaned out, and I truly believed that the way in was wp-lytebox. Then I found this. And sure enough, all of the listed files were compromised. So I nuked all the files, and replaced them all. D’oh!
So, if you’re arriving via Google or Bing or Yahoo!, do NOT use wp-lytebox.