beajezzazbzii
On the evening of Feb 17, 2010, eoanlabs.com was hacked.
I found the culprit code. It was uploaded to a public /resource/ directory (which must be public for the images to be loaded). The criminal was able to upload PHP scripts which contain some code executed by the eval() PHP function.
File size: 9Kb and 10Kb
It is uploaded in every public directory, along with a .htaccess:
Options -MultiViews
ErrorDocument 404 //resources/images/hobby/filename.php
The filename at the end is the same as the filename of the PHP code above.
Finally, it also injects its code inside PHP scripts, which can be found by searching for the word ‘beajezzazbzii’.
I’ve upgraded to the latest WordPress 2.9.2 just in case.
So far, I’m able to bring back the site, but I still have to fix other directories affected by this attack.
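The three traces described above (PHP files in directories meant for static files, a .htaccess whose 404 handler points at a PHP script, and the 'beajezzazbzii' marker inside existing scripts) can be swept for in one pass. This is an added example, not code from the original post; the STATIC_DIRS names and the finding labels are assumptions to adapt to the site's layout.

```python
import os
import re
import sys

MARKER = b"beajezzazbzii"  # marker string named in the post
# ErrorDocument 404 pointing at a PHP script, as in the dropped .htaccess
ERRDOC_PHP = re.compile(rb"^\s*ErrorDocument\s+404\s+\S+\.php\s*$", re.I | re.M)
EVAL_CALL = re.compile(rb"\beval\s*\(")
# Assumption: directories with these names should hold only static files.
STATIC_DIRS = {"resource", "resources", "images", "uploads"}


def scan(webroot):
    """Return sorted (reason, path) findings under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        # Path components relative to the web root, so the root's own
        # location on disk cannot trigger a static-directory match.
        parts = set(os.path.relpath(dirpath, webroot).split(os.sep))
        in_static = bool(parts & STATIC_DIRS)
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if name == ".htaccess":
                if ERRDOC_PHP.search(data):
                    findings.append(("htaccess-404-to-php", path))
            elif name.lower().endswith(".php"):
                if MARKER in data:
                    findings.append(("marker-string", path))
                if in_static:
                    findings.append(("php-in-static-dir", path))
                    if EVAL_CALL.search(data):
                        findings.append(("eval-in-static-dir", path))
    return sorted(findings)


if __name__ == "__main__":
    for reason, path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

Run it with the web root as the only argument; each output line is a finding label and a path to review by hand.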
- Published:
- 02.18.10 / 3pm
- Category:
- Miscellaneous