<p>Dude, don't trust any configuration on it.<br>
Log in to the host control panel, change ALL passwords.<br>
Remove all extra users.<br>
Blow out all the data.<br>
Start again using a backup of the content.<br>
Someone has got in and is intent on staying in.<br>
The only way to be sure you get rid of the nasty stuff is to get rid of everything.</p>
<p>Ask yourself, does someone in China need access to this host? If not then they shouldn't have it and shouldn't have had it.</p>
<div class="gmail_quote">On Feb 23, 2012 9:11 PM, "James Morris" <<a href="mailto:jwm.art.net@gmail.com">jwm.art.net@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Without being familiar with the host/system should I be worried about<br>
a user with a login named otunnel... with an IP project honeypot<br>
identifies as being from China? The sites are hosted by <a href="http://dreamhost.com" target="_blank">dreamhost.com</a>.<br>
<br>
James.<br>
<br>
<br>
<br>
On 23 February 2012 21:06, David Halliday <<a href="mailto:david.halliday@gmail.com">david.halliday@gmail.com</a>> wrote:<br>
> If the site has been compromised the only way to be sure nothing is left is<br>
> to remove all code etc...<br>
> I'd back up data and reinstall wp.<br>
><br>
> On Feb 23, 2012 8:57 PM, "James Morris" <<a href="mailto:jwm.art.net@gmail.com">jwm.art.net@gmail.com</a>> wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> I've offered to help clean up a WordPress site which has been<br>
>> targeted by the pharmacy style hacks. Something like this:<br>
>><br>
>> <a href="http://redleg-redleg.blogspot.com/2011/02/pharmacy-hack.html" target="_blank">http://redleg-redleg.blogspot.com/2011/02/pharmacy-hack.html</a><br>
>><br>
>> I've got ssh access and have been removing instances of base64<br>
>> obfuscated code from various files in the site. I think I've tracked<br>
>> it all down but am worried about how it got there (though suspect use<br>
>> of ftp is to blame).<br>
>><br>
>> Anyway, I need a bit of a crash course in MySQL (I presume that's<br>
>> what's used) as I want to make sure the database is clean... Can<br>
>> anyone give advice or examples of queries that will help in this task?<br>
>><br>
>> thanks,<br>
>> James.<br>
>><br>
>> _______________________________________________<br>
>> Kent mailing list<br>
>> <a href="mailto:Kent@mailman.lug.org.uk">Kent@mailman.lug.org.uk</a><br>
>> <a href="https://mailman.lug.org.uk/mailman/listinfo/kent" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/kent</a><br>
><br>
><br>
</blockquote></div>
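<p>An added example, not part of any message in this thread: a triage pass over the WordPress database for the "base64 obfuscated code" and extra accounts discussed above. It assumes the default <code>wp_</code> table prefix and runs the queries against constructed rows in an in-memory SQLite copy of the tables so it works offline; marker strings other than <code>base64_decode</code> and <code>eval(</code> are assumptions.</p>

```python
import sqlite3

# base64_decode and eval( reflect the "base64 obfuscated code" in the thread;
# the other markers are assumptions about common injected markup.
MARKERS = ["base64_decode", "eval(", "gzinflate", "<iframe", "display:none"]

# Plain LIKE queries, so the same statements also run in the mysql client.
QUERIES = {
    "options": "SELECT option_name FROM wp_options WHERE option_value LIKE ?",
    "posts": "SELECT ID FROM wp_posts WHERE post_content LIKE ?",
}
ADMINS = ("SELECT u.user_login FROM wp_users u JOIN wp_usermeta m "
          "ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities' "
          "AND m.meta_value LIKE '%administrator%'")


def build_sample_db():
    """Constructed rows in a cut-down copy of WordPress's default tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE wp_options (option_name TEXT, option_value TEXT);"
        "CREATE TABLE wp_posts (ID INTEGER, post_content TEXT);"
        "CREATE TABLE wp_users (ID INTEGER, user_login TEXT);"
        "CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);")
    db.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "http://example.org"),
        ("widget_cache_x", "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>")])
    db.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, "Hello world"),
        (2, 'News <div style="display:none"><a href="http://example.invalid/">x</a></div>')])
    db.executemany("INSERT INTO wp_users VALUES (?, ?)",
                   [(1, "siteowner"), (2, "svc_extra"), (3, "reader")])
    admin = 'a:1:{s:13:"administrator";b:1;}'
    db.executemany("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", [
        (1, admin), (2, admin), (3, 'a:1:{s:10:"subscriber";b:1;}')])
    return db


def scan(db):
    """Return option names and post IDs holding a marker, plus all admin logins."""
    hits = {name: set() for name in QUERIES}
    for name, sql in QUERIES.items():
        for marker in MARKERS:
            hits[name].update(row[0] for row in db.execute(sql, (f"%{marker}%",)))
    report = {name: sorted(found) for name, found in hits.items()}
    report["admins"] = sorted(row[0] for row in db.execute(ADMINS))
    return report


if __name__ == "__main__":
    print(scan(build_sample_db()))
```

<p>The admin list is meant to be compared by hand against the accounts the site owner expects; an empty hit list only means none of these markers matched.</p>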