Many websites, including Lorelle and TechCrunch, are reporting a new kind of attack on WordPress that affects almost all WordPress installations running WordPress software below version 2.6. Those running WordPress version 2.8 are not affected, and blogs hosted on wordpress.com have not been affected either. This article describes four ways to find out whether you have been affected.
Search for keywords in your website
You should look for the presence of four keywords in your website: eval, base64_decode, base64 and eval(base64_decode. If any one of these is present then you have been affected. You can search for the keywords using Google. For example, to search for the keyword "eval" on your site mysite.com, send the following query to Google: eval site:mysite.com. If Google says no results were found then you are safe. Run the same check for each of the other keywords.
Check your categories permalink structure
According to Lorelle, you are affected if you find strange additions to your permalinks, such as: mysite.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/
Run an Anti-Virus scan on your WordPress template files
You can also use the Antivirus for WordPress to scan the individual files in your templates / themes. If a suspicious code snippet is found, it will be reported to you.
Check your Authors & Users page in the admin area
You should check for bogus users in your Authors & Users list inside the WordPress Admin area. The Authors & Users page can be located at: <path-to-wordpress>/wp-admin/users.php. If you see a user called Administrator (2) or a username you do not know then you are possibly affected.
Update: We list 2 more ways in which you can detect the hack on your blog as suggested by our readers.
Search the User Settings page source code
Navigate again to the Authors & Users page, which can be located at: <path-to-wordpress>/wp-admin/users.php. Now view the source for this page in your browser. In the source listing, search for the keyword: user_superuser. If you find it, then you are possibly affected.
Shell - Directory Search from command line
If your web host provides you direct shell access to your hosting account then log in to your account via SSH and run the following command on the terminal in your web hosting account's home folder:
grep -lr eval . > list.txt
This command searches all your files for the keyword eval and writes the names of the matching files to another file called list.txt. You can run the same check for the other three keywords mentioned above.
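The keyword search above can be narrowed to PHP files and ranked by keyword. The script below is an added example, not part of the original article; the function names scan_wp_tree and make_sample_tree are hypothetical, and the sample files are constructed. A bare eval or base64 match also occurs in legitimate code, so those files are marked for manual review rather than treated as confirmed.

```shell
#!/bin/sh
# Added example: rank PHP files by which of the article's keywords they contain.
# Output per matching file: <level><TAB><keyword><TAB><path>

# scan_wp_tree DIR -- hypothetical helper name, not a WordPress tool.
scan_wp_tree() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        # PHP ignores case and whitespace in "EVAL ( base64_decode (", so
        # normalise both before matching; a plain grep would miss that form.
        body=$(tr -d ' \t\r\n' < "$f" | tr 'A-Z' 'a-z')
        case $body in
            *'eval(base64_decode('*) printf 'high\teval(base64_decode\t%s\n' "$f" ;;
            *base64_decode*)         printf 'review\tbase64_decode\t%s\n' "$f" ;;
            *'eval('*)               printf 'review\teval\t%s\n' "$f" ;;
            *base64*)                printf 'review\tbase64\t%s\n' "$f" ;;
        esac
    done
}

# make_sample_tree -- builds constructed sample files (harmless, no payload)
# in a temporary directory and prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo"
    printf '<?php get_header(); ?>\n'                   > "$d/wp-content/themes/demo/index.php"
    printf '<?php EVAL ( base64_decode ( $x ) ); ?>\n'  > "$d/wp-content/themes/demo/footer.php"
    printf '<?php $s = base64_encode($data); ?>\n'      > "$d/wp-content/themes/demo/functions.php"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/wordpress
# With no argument the scan runs on the constructed sample tree.
target=${1:-$(make_sample_tree)}
scan_wp_tree "$target"
```

Files reported as "high" contain the combined eval(base64_decode form; files reported as "review" contain only a single keyword and should be opened and read.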
First and foremost, you must upgrade to the latest version of WordPress if you are running it on your website. You can find out the version of WordPress running on your website by going to: <your domain>/<path-to-wp>/readme.html. To upgrade, point your browser to <path-to-wp>/wp-admin/upgrade.php. Lorelle has listed various ways that can help you rescue your blog in case you are affected.